Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Changes in ISO 27001
I will admit, I am fairly new to the non-technical side of IT (Infosec/compliance) and so there is/has certainly been a learning curve. Right now I am just trying to compare the 2005 and 2013 versions of 27001/27002 to see which clauses and controls have been changed (that are incorporated into our own standards) - more specifically how they have changed and how that affects my environment. I am trying to put together a findings and recommendations report and struggling. I work in a University on a very small team. Of course I've gone through your site and Googled, which has helped some, though do you know of any other resources that compare the two versions and break down the changes a little more in-depth and maybe how they affect the rest of the surrounding content? (if that makes sense?!)
Answer:
Welcome to the non-technical side of IT, your technical knowledge is very important for ISO 27001. I am sorry, but we do not have a specific resource that compare in detail both standards, but one of the more important changes in ISO 2 7001:2013 is related with the risk management: In ISO 27001:2005 you need an asset based methodology, but in ISO 27001:2013 it is not necessary (the methodology for the risk management can be based on assets, or process, or other), so the new version is more flexible in the key point of the standard (risk management). To know more in detail the changes in the risk assessment, please read this article What has changed in risk assessment in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Another important change is related with the security controls of the ISO 27002 (and Annex A of ISO 27001), so this article can be also interesting for you Main changes in the new ISO 27002 : https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
Regarding your question how they affect the rest of the surrounding content?, I am not sure what you mean but some changes can affect to an ISO 27001:2005 implementation, because there are some things that now are not mandatory (for example, ISO 27001:2013 has not preventive actions, so it is not necessary and you can remove them if you have implemented ISO 27001:2005)
Finally, this free webinar can help you to know in detail the main changes, and also can help you to do the transition How to make the transition from ISO 27001 2005 to 2013 revision : https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/ And also this article How to make a transition from ISO 27001 2005 revision to 2013 revision : https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/ (At the end of this article, you can find a link to the free white paper Twelve-step transition process from ISO 27001 2005 revision to 2013, which you can find in our free downloads section : https://advisera.com/27001academy/free-downloads/).
And also see this article "Infographic: New ISO 27001 revision - What has changed?" : https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/ -
ITIL and ISO 27001
May I request you to please advise on a case where client wants to maintain the IT Polices and Procedures Manual which follows best practices like ITIL V3 for IT Service Management as well as ISMS based on ISO 270001.
Please advise if we can combine these best practices and have one common IT Manual as its a small organization? Any thoughts?
Answer:
From my point of view there is no problem to maintain IT Policies and Procedures Manual which follow best practices like ITIL V3. You can integrate these best practices in the ISMS, but keep in mind that if you want to implement ISO 27001, you need to comply their requirements. There are some common points (change management, capacity management, etc) but because ISO 27001 is specifically related to information security there are also some points that you cannot find them in ISO 20000 (access control, cryptography, physical and environmental security, etc). So yes, you can maintain and use all documents and procedures related to ITIL for the implementation of ISO 27001, but you need to implement their specific requirements. Regarding the common IT Manual, really is not necessary to have a manual in ISO 27001:2013, but the small organization can maintain his IT Manual (although could be interesting to include important points about ISO 27001). This article can be interesting for you Is the ISO 27001 Manual really necessary? : https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
We do not have a comparison about ISO 27001 and ITIL, but ITIL is very similar to ISO 20000, so this article can be interesting for you How to implement ISO 27001 and ISO 20000 together : https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
By the way, you can also use ISO 27013, which is a guideline for the integrated implementation of ISO 27001 and ISO 20000-1, you can see it in the official page of ISO : https://www.iso.org/standard/43753.html -
Requirements of interested parties
Clause 4.2 has a note says : The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
Can you explain more about this note and if possible give some example. Is it means the interested parties should have agreement to fulfil their expectations ?
Answer:
The note means that in the requirements of interested parties you need to include the identification of legal and regulatory requirements and also the contractual obligations, but you do not need to have an agreement with all interested parties (families of employees can be an interested party for ISO 27001). Anyway, you can find an example in our template (you can see a free version clicking on Free Demo tab) Procedure for Identification of Requirements : https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
Also is important to identify laws and regulations about information security, you will find here a complete list classified by country Laws and regulations on information sec urity and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Finally, this article can be interesting for you How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
ROSI
I'm interested in ROSI, I mean malicious activity and unintentional human error and natural disaster and force majeure
Answer:
ROSI (Return on Security Investment) is a parameter that relates the investment on information security with the economic benefits that this will bring to the business. The calculation of the ROSI can be based on:
- Costs of an incident by taking into account all the relevant costs if an incident occurs and the probability of incident. There are some type of incidents: Malicious activity (virus, trojan horses, etc.), unintentional human error (delete critical information by error, etc.), system errors/malfunctions (hardware failure, etc.), natural disaster & force majeure (earthquake, flood, etc.)
- Costs of security measures/controls and the level to which the risk of this incident would decrease because of such mitigation
Do you need to calculate the ROSI? This free tool can be very useful for you Free Return on Security Investment Calculator : https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/
And this article can be also interesting for you Is it possible to calculate the Return on Security Investment (ROSI)? : https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/ -
Group assets
A couple of questions that the Attendees asked which was relevant in my situation because each company's scope is different and these were the following:
1Grouping hardware together such as Router or Switches instead of individually to make the impact and likelihood easier( Please correct if I'm wrong). On the contrary it might change because a Edge Router will have a different responsibility than a Access switch or an Distribution switch. Am I correct to say that it depends how I perceive these Assets and what impact it will have?
2The type of methodology to use etc. low, medium and high OR 1-5.1-10............Regarding to this question, I find it easier to use the numbering because the Risk can be calculated easier and Management attendance can be attracted more easily( Once again please correct me on this point).
The Treatment itself, is it advisable to implement a audit process for example quarterly to check on the progress of these devices that needs to be treated. What is your advice?
Answer:
A1: You are right. It is a b est practice to group assets, because for example you can have an asset Routers instead of a number of independent routers (all equals and with the same configuration). This approach will help you to reduce the number of assets in your inventory. You can group assets depending if they share threats/vulnerabilities and the risks are the same (based on impact and likelihood). So, from this point of view, if you have an Access switch that is different that a Distribution switch, you need 2 different assets in your inventory. This article about the asset inventory can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
A2: From my point of view, both approaches are ok for the standard, for some people is more easy to use numbers, and for other people is more easy to use names, but keep in mind that the important here is the methodology that you use to calculate the risk, which must be the same for the calculation of all risks, and you need to develop it in the easier way for your business. Do you know our Risk Assessment and Risk Treatment Methodology? It is also very easy, and you can see a free version clicking on Free Demo tab here Risk Assessment and Risk Treatment Methodology : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
Regarding your last question, you can perform tasks of reviewing periodically, depending of the deadline for the execution of the actions. For example, if the deadline for the implementation of a backup policy is 3 months, you can perform tasks of review each month. An audit process is more complex (if we talk about the internal audit), so you do not need to perform it to review the risk treatment, reviewing the actions planned and performed (Risk Treatment Plan) can be enough.
Finally, this article about the Risk Treatment Plan can be interesting for you Risk Treatment Plan and Risk treatment process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment -
ISO 27001 - ¿Por dónde empezar?
La xxx de la xxx esta interesada en prepararse para obtener la certific ISO 27001, pero no sabes cuales son las acciones que debemos tomar para conseguirlo. ¨Por donde debemos comenzar?
Respuesta:
Antes de obtener la certificación tienes que implementar la ISO 27001:2013 in tu organización, y una de las acciones más importantes que necesitas llevar a cabo al principio es establecer un plan de proyecto. Por tanto, este artículo puede resultarte interesante Proyecto ISO 27001 - Cómo hacer que funcione : https://advisera.com/27001academy/es/blog/2015/05/03/proyecto-iso-27001-como-hacer-que-funcione/
Para empezar la implementación, también es importante obtener el apoyo de la Dirección, y ellos necesitan conocer cuales son los beneficios de la ISO 27001, por tanto este artículo también te puede resultar interesante Cuatro beneficios clave de la implementación de la norma ISO 27001 : https://advisera.com/27001academy/es/blog/2010/07/21/cuatro-beneficios-clave-de-la-implementacion-de-la-norma-iso-27001/
Por último, este artículo te muestra una sencilla lista de chequeo para la implementación de la ISO 27001, espero que pueda servirte de ayuda Lista de apoyo para implementación de ISO 27001 : https://advisera.com/27001academy/es/blog/2010/09/28/lista-de-apoyo-para-implementacion-de-iso-27001/iso-27001/ -
Security controls to mitigate cybersecurity threats
We have received this question: Which control clause(s) in ISO27001:2013 correspond to each of the following areas to mitigate cyber security threats: 1. Home, mobile working : Info. security regardless of how/where employees access company's info. assets 2. User Education and Awareness: All interested parties should be aware of key risk and how to report incidents. 3. Incident Management: Ability of the company to contain incidents and return to business as usual quickly. 4. Info. risk Management Regime: Tone from the top 5. Managing User Privileges: Role based security on a need to know/need to have basis 6. Removable Media Controls: Safe use and disposal of media 7. Monitoring: Preventive, reactive and corrective measures to curb unexpected activity 8. Secure configuration: Configuration and change management to maintain integrity and availability 9. Malware Protection: Effective Patch management to reduce exploitation of known vulnerabilities 10. Network Security: Knowing and controlling who accesses to the network Answer: First let me say you that I SO 27001 is not for a specific sector, for example cybersecurity, so ISO 27001 is a global standard that you can use to establish an Information Security Management System to protect information in any type of environment (including cybersecurity, but it is not only for this). Anyway, I will show you the clauses of ISO 27001:2013 that are more related to each point: 1.- A.6.2.1 Mobile device policy and A.6.2.2 Teleworking 2.- Clause 7.3 Awareness and A.7.2.2 Information security awareness, education and training 3.- Entire domain A.16 Information security incident management 4.- I suppose that you mean Risk management, if so, the clauses related to this in ISO 27001: 2013 are 6.1.2 Information security risk assessment, 6.1.3 Information security risk treatment, 8.2 Information security risk assessment and 8.3 Information security risk treatment 5.- A.9.2.3 Management of privileged access rights 6.- A.8.3.2 Disposal of media 7.- Clauses 9.1 Monitoring, measurement, analysis and evaluation and 10.1 Nonconformity and corrective action 8.- A.12.1.2 Change management (there is no control on this standard to manage specifically the configuration of CIs Configuration Items) 9.- A.12.2.1 Controls against malware, and regarding to vulnerabilities you also have the A.12.6.1 Management of technical vulnerabilities and A.12.6.2 Restrictions on software installation 10.- A.13.1.1 Network controls, A.13.1.2 Security of networks services, A.13.1.3 Segregation in networks, and A.9.1.2 Access to networks and network services Finally, these articles related to cybersecurity can be interesting for you: Which one to go with Cybersecurity Framework or ISO 27001? : https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/ What is cybersecurity and how can ISO 27001 help? : https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/ ISO 27001 vs. ISO 27032 cybersecurity standard : https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/ And this free eBook can be also interesting for you 9 Steps to Cybersecurity : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/ -
ISO 27001 and cybersecurity
How can ISO 27001 map up with challenges of Cyber Security and what strategies should an ISO organization deploy to prevent Malware/cyber security attacks ?
Answer:
There is no universal rule to map specifically the requirements of ISO 27001 with the cybersecurity, keep in mind that ISO 27001 is mainly focused on the protection of the information (establishes requirements for an Information Security Management System), and this standard can be applied to any environment where the information needs to be protected, including the cybersecurity, but it is not the unique. Anyway, if you want to work with ISO 27001 and the cybersecurity, can be very interesting ISO 27032, which is also an international standard, but related to the cybersecurity, and you can integrate both.
Furthermore, if your company wants to protect from attacks related to the cybersecurity, can be an interesting option to implement ISO 27032, that how you know can be integrated with ISO 27001.
Finally, these articles can be interesting for you:
Which one to go with Cybersecurity Framework or ISO 27001? : https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
What is cybersecurity and how can ISO 27001 help? : https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/
ISO 27001 vs. ISO 27032 cybersecurity standard : https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
And of course, can be very interesting for you our free eBook 9 Steps to Cybersecurity : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/ -
Confidentiality levels
Could you please inform of the recommended confidentiality levels along with the best practice for setting these for the documents within ISO 9001, 22301 & 27001.
Answer:
Yes, sure. Commonly there are 3 confidential levels (and 1 Public level which means that everyone can see the information): Confidential (top level), Restricted (medium), and Internal use (lowest level). And from my point of view, the best practice for setting these for documents is to develop an Information Classification Policy. You can find more information here Information classification according to ISO 27001 : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ -
Supplier Security Policy
"Supplier assurance framework" I am not sure what would be the key points in that doc. what should i need to include in that doc.
Answer:
I am sorry but we do not have the document Supplier assurance framework, it is not mandatory by the standard and I am not sure what do you mean with this. To see a complete list of mandatory documents (and non mandatory), please read this article List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
If your question is related to the supplier security, this article can be interesting for you 6-step process for handling supplier security according to ISO 27001 : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Finally keep in mind that the unique mandatory document related to the supplier security is the Supplier Security Policy (clause A.15.1.1 of the Annex A of the ISO 27001:2013).