Search results

  • ISO 27001 and cybersecurity


    How can ISO 27001 map to the challenges of cyber security, and what strategies should an ISO organization deploy to prevent malware/cyber security attacks?

    Answer:

    There is no universal rule to map the requirements of ISO 27001 specifically to cybersecurity. Keep in mind that ISO 27001 is mainly focused on the protection of information (it establishes requirements for an Information Security Management System), and this standard can be applied to any environment where information needs to be protected, including cybersecurity, but it is not the only one. Anyway, if you want to work with ISO 27001 and cybersecurity, ISO 27032 can be very interesting: it is also an international standard, but related to cybersecurity, and you can integrate both.
    Furthermore, if your company wants to protect itself from attacks related to cybersecurity, implementing ISO 27032 can be an interesting option, which, as you know, can be integrated with ISO 27001.
    Finally, these articles can be interesting for you:
    “Which one to go with – Cybersecurity Framework or ISO 27001?”: https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
    “What is cybersecurity and how can ISO 27001 help?”: https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/
    “ISO 27001 vs. ISO 27032 cybersecurity standard”: https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
    And of course, our free eBook “9 Steps to Cybersecurity” can be very interesting for you: https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
  • Confidentiality levels


    Could you please inform me of the recommended confidentiality levels, along with the best practice for setting these for documents within ISO 9001, 22301 & 27001?

    Answer:

    Yes, sure. Commonly there are 3 confidentiality levels (and 1 Public level, which means that everyone can see the information): Confidential (top level), Restricted (medium), and Internal use (lowest level). And from my point of view, the best practice for setting these for documents is to develop an Information Classification Policy. You can find more information here: “Information classification according to ISO 27001”: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Supplier Security Policy


    "Supplier assurance framework": I am not sure what the key points in that document would be. What do I need to include in that document?

    Answer:

    I am sorry, but we do not have the document “Supplier assurance framework”; it is not mandatory by the standard, and I am not sure what you mean by this. To see a complete list of mandatory documents (and non-mandatory ones), please read this article: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    If your question is related to supplier security, this article can be interesting for you: “6-step process for handling supplier security according to ISO 27001”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    Finally, keep in mind that the only mandatory document related to supplier security is the “Supplier Security Policy” (clause A.15.1.1 of Annex A of ISO 27001:2013).
  • Gap Analysis ISO 27001, version 2015?


    I would like to know how to tackle a gap analysis for 27001, whether it should be similar to an internal audit on the planning and documentation, or to an external audit stage 2, where step 1 focuses on documentation and step 2 on on-the-spot checks.
    I am requesting that the company acquire the full premium kit; I'm waiting for answers from the manager.

    Answer:

    The Gap Analysis is more similar to the internal audit, with the difference that the gap analysis is performed at the beginning of the project (when there is nothing implemented). Anyway, the Gap Analysis is not mandatory, but it can be useful, and if you want to do it you can use our free tool “Free ISO 27001 Gap Analysis Tool”: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
    Regarding your manager, my recommendation is that you need to show him the benefits of the implementation of the standard, so this article can be interesting for you: “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    Finally, if you want, you can write to us in Spanish.

    We have received these questions:



    Q1: Need the basic difference in the latest version of 2015.
    Received links:
    - Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
    - How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
    Q2: Do we find any difference in the risk management area?

    Answer:

    A1: I am sorry, but the latest version of ISO 27001 is ISO 27001:2013. There is no ISO 27001:2015, although if your country has translated the standard this year, you may see ISO/IEC 27001:2015, but with the code of your country at the beginning. For example, in Australia ISO 27001 was translated in 2015, so you can see AS ISO/IEC 27001:2015; however, it is the same as ISO/IEC 27001:2013 (all requirements are the same), but using Australian terminology.
    A2: There are some changes, but from my point of view one of the most important is that in ISO 27001:2013 you do not need to use the assets-threats-vulnerabilities methodology to identify risks. If you need more information about this, please read this article: “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • Capacity Management Procedure


    To cite an example for capacity management procedure. Objective: To establish and implement controls to ensure capacity monitoring. Scope: This applies to all information and information processing facilities of [
  • Gap Analysis

    The gap analysis is not mandatory before the beginning of the ISMS implementation according to ISO 27001:2013, although it can be very useful. The gap analysis is about the requirements of ISO 27001, including the security controls of Annex A (which, as you know, are the same as the security controls of ISO 27002).

    To perform this activity, of course you can use CMMI levels to assess the compliance of each requirement, and you can also use our free tool "Free ISO 27001 Gap Analysis Tool": https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
  • Assets value

    From my point of view, both approaches can be good for the standard; however, taking the average does not make sense - it is much better to take the highest value from the C-I-A impact, and it is not necessary to consider the evaluation of each asset value: you can consider the assessment of consequences for the materialization of a risk, and the assessment of the likelihood of occurrence of such a risk.
    Have you seen our free webinar about "The basics of risk assessment and treatment according to ISO 27001"? https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    This article can also be interesting for you: “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
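    The answer above argues for taking the highest C-I-A impact rather than the average before combining impact with likelihood. The following is an added example (not from the forum or the expert's own material) with a constructed 1-5 scale and a constructed three-asset register; it scores the same register both ways to show that averaging can push an asset with one severe dimension below an asset that is mediocre in all three.

```python
# Added example: compare "highest of C-I-A" against "average of C-I-A" as the
# impact value of an asset, then rank risks as impact x likelihood.
# The 1-5 scale, the asset register and the likelihoods are all constructed.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    confidentiality: int  # 1 (negligible) .. 5 (severe) consequence if lost
    integrity: int
    availability: int


def impact_max(a: Asset) -> int:
    """Recommended approach: the worst dimension drives the asset's impact."""
    return max(a.confidentiality, a.integrity, a.availability)


def impact_average(a: Asset) -> float:
    """Averaging, which dilutes a single severe dimension."""
    return (a.confidentiality + a.integrity + a.availability) / 3


def risk_score(impact: float, likelihood: int) -> float:
    """Consequence combined with likelihood of occurrence (simple product)."""
    return impact * likelihood


def rank_risks(register, likelihoods, impact_method):
    """Return [(asset name, risk score)] sorted from highest to lowest risk."""
    scored = [(a.name, risk_score(impact_method(a), likelihoods[a.name]))
              for a in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register: one asset with a single severe dimension (C=5),
# one availability-driven asset and one that is mediocre on every dimension.
REGISTER = [
    Asset("customer database", confidentiality=5, integrity=2, availability=1),
    Asset("public website", confidentiality=1, integrity=2, availability=4),
    Asset("internal wiki", confidentiality=2, integrity=2, availability=2),
]
LIKELIHOOD = {"customer database": 2, "public website": 2, "internal wiki": 3}

if __name__ == "__main__":
    for label, method in (("highest C-I-A", impact_max), ("average C-I-A", impact_average)):
        print(label, rank_risks(REGISTER, LIKELIHOOD, method))
```

With the highest-value method the customer database ranks first; with averaging the internal wiki overtakes it, which is the distortion the answer warns about.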
  • ISO 27001/ISO 27002 vs COBIT


    I use the ISO 27001 and ISO 27002 controls to build a robust framework on this subject, but there are many people who say I should use COBIT 5 instead of ISO. What are the main differences between them? What are the advantages of using one or the other? In a company with xxx stores and xxx employees it is important to define the way before starting to work on this issue. I would be grateful if you could give your opinion, obviously non-binding.

    Answer:

    ISO 27001/ISO 27002 and COBIT are similar, although COBIT is focused on IT governance while ISO 27001/ISO 27002 are focused on information security; furthermore, COBIT is only a framework that you cannot certify, while you can obtain an ISO 27001 certificate after the implementation. By the way, in the implementation you can use the best-practice guideline of ISO 27002 (it is only a set of best practices about information security; you cannot certify against ISO 27002).
    For more information about the differences between ISO 27001 and ISO 27002, you can read this article: “ISO 27001 vs. ISO 27002”: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    So, if you need an IT governance framework, COBIT will be more useful for you (but keep in mind that you cannot certify it). And if you need a standard focused on information security that you can certify, ISO 27001 will be more useful for you (remember that you can use ISO 27002 as a guideline of best practices).
    Finally, from my point of view, if your organization has stores, an international certificate like ISO can give you prestige and a marketing edge, so with ISO 27001 you will obtain more benefits than with COBIT. Anyway, please read this article about 4 benefits of ISO 27001: “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
  • Understanding the organization and its context


    Can you help me with the organization and its context? How can I understand the organization and its context?

    Answer:

    Yes, sure, we can help you. The main point of the paragraph “4.1 Understanding the organization and its context” of ISO 27001:2013 is basically to identify internal and external issues (for the internal context you could consider organizational structure, roles and responsibilities, business strategy and objectives, etc., and for the external issues the most important are the interested parties and their requirements).
    For more information about this, please read this article “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • Customer environment


    I work in a development company; our company has compliance products, and our tech support sometimes needs to download customer data to our internal network to do some troubleshooting, upgrades, etc.
    The tech support creates a customer environment (OS and related applications) and joins it to the domain so that all GPOs apply to these environments.
    The tech support is asking whether it is possible to have these environments in a workgroup rather than joining them to the domain.
    This request is based on a project we are working on to reduce the IT support part, so that the developers can create the VMs by themselves without the need for IT to join them to the domain.
    Is this OK? I mean from a security point of view?

    Answer:

    From my point of view, there is no problem with separating the customer environment into a workgroup. But in this way, you will need to establish a local policy on each machine to implement access control and give access only to authorized people (it is obviously easier with domains and GPOs). And if you have a hypervisor for the VMs, I would also be careful with access to it.
    By the way, if you have a documented Access Control Policy (it is mandatory by ISO 27001:2013 Annex A.9.1.1), you will need to include all of these issues related to access control for the independent environment.
    Finally, this article can be interesting for you: "How to handle access control according to ISO 27001": https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/