Does ISO 27001 have any requirements that the documentation cannot leave the company's office?
One of our vendors already has their ISO 27002 certification [for a while now] and when I asked about obtaining a copy of the documentation and verification of their certification, they provided us with the first three pages of their ISO 27002 Risk Assessment report, which included the title page, table of contents and introduction (stating who performed the certification and a list of control areas). Further, they said that because the ISO certification documents contain such detailed, confidential information, they do not allow any of the rest of their documentation to leave their office. They will allow others with a vested interest (such as our company) to schedule certified ISO auditors to visit their offices to review their documentation.
Our question: Does ISO 27001 / 27002 have any terms / requirements / documentation that specify that the documentation cannot leave the company's office?
If so, could you point me in a direction that provides us with that info or at least a summary?
We look forward to hearing from you at your earliest convenience.
Answer:
Neither ISO 27001 nor ISO 27002 has strict requirements that would prevent the documentation from being disclosed outside the company office.
Evidence to verify leadership and commitment in ISMS
What evidence would be acceptable to verify the existence and effectiveness of "leadership and commitment in ISMS"?
Answer:
You can use records as evidence. For example, if you need to demonstrate the leadership and commitment of Top Management with respect to the ISMS by ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization (point a, paragraph 5.1 Leadership and commitment of ISO 27001:2013), you need records about the definition and approval of both (policy and objectives) by Top Management, and you can do that, for example, with meeting minutes.
So, the way is: look at the requirements established by ISO 27001:2013 5.1 Leadership and commitment, and generate records for each one. Anyway, keep in mind that it is not mandatory to have records for this paragraph; here you can see a complete list of mandatory (and non-mandatory) documents/records: "List of mandatory documents required by ISO 27001 (2013 revision)" : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Finally, this article about records can be interesting for you: "Records management in ISO 27001 and ISO 22301" : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
And also this article: "Why is management review important for ISO 27001 and ISO 22301?" : https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
ISO and FISMA mandates
Is there/will there be a push to recognize and incorporate ISO controls in the FISMA mandates?
Answer:
I am sorry, but we do not have official information about this. Anyway, NIST (National Institute of Standards and Technology) is chartered with developing standards, guidelines and other publications which federal agencies in the USA must follow to implement FISMA and protect their information and information systems. So, the official recommendation is to use NIST standards, guidelines, etc. to comply with FISMA, although from my point of view you can also complement it with ISO 27001, which will give you international recommendations and international prestige (FISMA and NIST are generally used only in the USA).
An example of a NIST publication is the Framework for Improving Critical Infrastructure Cybersecurity; you can find more information here: "Which one to go with - Cybersecurity Framework or ISO 27001?" : https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
Finally, maybe it can be interesting for you to know more about the benefits of ISO 27001, so I recommend you read this article: "Four key benefits of ISO 27001 implementation" : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Foundation course
May I know where I can get more information on the Foundation Course?
Answer:
Generally, the certification bodies have courses to acquire the basic knowledge about these standards, so you can get more information about the courses on the website of each certification body (BSI, Bureau Veritas, etc.).
Anyway, these articles can be interesting for you because they will give you an easy overview of how these standards work:
"What is ISO 27001?" : https://advisera.com/27001academy/what-is-iso-27001/
"ISO 22301 Basics" : https://advisera.com/27001academy/what-is-iso-22301/
How ISO 27001 / ISO 27002 applies to a cloud computing environment
Please advise how ISO 27001 / 27002 applies to a cloud computing environment.
Answer:
ISO 27001 applies directly to a cloud computing environment, because it gives you a useful tool to identify information security risks in any type of business, including cloud computing. So, with ISO 27001 you can identify risks related to a cloud-based business and you can also reduce them with the security controls of ISO 27002 (remember that these controls are included in Annex A of ISO 27001).
Anyway, there is another standard that can be interesting for you: "ISO/IEC 27017 Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services" : https://www.iso.org/standard/43757.html
Finally, this article can be interesting for you: "Cloud computing and ISO 27001 / BS 25999" : https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
Planning the ISO 27001 implementation is a two-step process: first you plan your project in general terms (as you did with the Project Plan document), and once you finish your risk assessment and treatment you will be able to plan all the security-specific documents through the Risk treatment plan (you'll find it in folder 07 of the toolkit).
However, our toolkit structure will also help you with the steps in the project - you should follow the sequence of the folders, because this is the optimal way to implement all the documentation.
What is ISO 27001?
What is ISO 27001? And what is the concept of logical security in ISO 27001?
Answer:
ISO 27001 is an international standard that establishes requirements for the implementation of an Information Security Management System. For more information about this, please read the following article: "What is the ISO 27001 standard?" : https://advisera.com/27001academy/es/que-es-iso-27001/
Regarding logical security, this term refers to the security measures that you can implement with software, I mean, without physical measures. By the way, Annex A of ISO 27001:2013 has the control domain "A.11 Physical and environmental security". An example of logical security is the use of firewalls, so perhaps this article may be interesting for you (in English): "How to use firewalls in ISO 27001 and ISO 27002 implementation" : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
Form for the Risk acceptance
I wonder if you have more information about Risk Acceptance by way of forms.
E.g., once a risk is accepted, what kind of form examples do you have so the acceptance can be signed off?
Answer:
You will find a form for accepting the residual risks in section 4 of the Statement of Applicability (folder: 06 Statement of Applicability). Anyway, I will give you another option: hold a meeting with top management and talk about the risk acceptance. Include the results of the meeting in the minutes, which must be signed by all attendees. You can use these minutes, instead of a form, as evidence of the risks accepted by the organization.
Nonconformity and information security incident
Could you help me with the definitions of:
· What a nonconformity is in an Information Security Management System
· What an information security incident is
I also need you to give me examples of the indicators that I can keep in an ISMS.
Answer:
Of course, welcome to our portal. Below I will give you information about your questions, taking into account the definitions established in ISO 27000:2012 - Overview and vocabulary:
1. Nonconformity: "It is a non-fulfilment of the standard". Therefore, for example, a requirement of ISO 27001 is to have a document for the Statement of Applicability (SoA), and not having this document can lead to a nonconformity. By the way, here you can see a list of the documents that are mandatory (and non-mandatory): "List of mandatory documents required by ISO 27001 (2013 revision)" : https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
2. Information security incident: "An event or set of information security events, unexpected or unwanted, that have a significant probability of compromising business operations and threatening information security". Therefore, an information security incident is basically a negative event that can affect the information security of your business.
I have questions related to business continuity. I'm in the process of updating BC for all departments, and I found that the critical departments at the time of the disaster are only HR, Finance, Communication and IT, and only a few processes within each department, not all department processes.
So I did a BIA for the critical processes of those departments only.
But I don't know how to do a BIA for the communication department; they already have a crisis communication plan, and the criticality of their processes depends on the level of the emergency event.
What is your advice?
Answer:
The main input for the BIA is the BIA Methodology, and you need one to perform the BIA in the same way for all your processes. I mean, if you have your BIA methodology and your BIA questionnaire, you only need to apply them to all your processes, regardless of the documents or activities they contain. So my recommendation is to have a single methodology for all processes, and to perform the BIA according to your methodology. To determine the criticality of your processes, my recommendation is that you use these parameters: Impact assessment, Maximum Data Loss/RPO, MAO, MBCO, Dependencies, etc.
This article about how to implement the BIA can be interesting for you: "How to implement business impact analysis (BIA) according to ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
And maybe it can be interesting for you to see our BIA methodology (you can see a free version by clicking on the Free Demo tab): "Business Impact Analysis Methodology" : https://advisera.com/27001academy/documentation/business-impact-analysis-methodology/