Do you suggest doing the risk assessment based on assets or on business processes? For your information, at this time we use an asset-based approach and it is too complex for our scope (about 1100 employees). We have certification from IQNET; the certification is just for our network infrastructure. Now we are planning to extend the scope.
Answer:
If you have many assets (thousands of different assets of all types) involved in the scope of the ISMS, it can be a good idea to base the risk assessment on processes, but keep in mind that in an asset-based risk assessment you can have groups of assets, like the employees of a department, TVs, desktops, and any other group of assets that can be affected by the same threats/vulnerabilities, and this approach can reduce the risk assessment considerably.
But also keep in mind that if you change from assets to processes in your risk assessment, you will need to start from zero, applying a new methodology in a complex scope.
So, if you reduce your risk assessment but the number of assets is still high, and you can assume the effort of changing the risk assessment and starting from zero, my recommendation is the process-based risk assessment (it is not a problem in ISO 27001:2013; I mean, you can use a process-based risk assessment without problem, although with the old ISO 27001:2005 you could not). If not, I think that you should maintain your current risk assessment, reducing it.
Finally, this article about risk assessment can be interesting for you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
And also this article about problems with defining the scope can be interesting for you: Problems with defining the scope in ISO 27001 : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Does ISO 27001 have any requirements that the documentation cannot leave the company?
One of our vendors has had their ISO 27002 certification for a while now, and when I asked about obtaining a copy of the documentation and verification of their certification, they provided us with the first three pages of their ISO 27002 Risk Assessment report, which included the title page, table of contents and introduction (stating who performed the certification and a list of control areas). Further, they said that because the ISO certification documents contain such detailed, confidential information, they do not allow any of the rest of their documentation to leave their office. They will allow others with a vested interest (such as our company) to schedule certified ISO auditors to visit their offices to review their documentation.
Our question: Does ISO 27001 / 27002 have any terms / requirements / documentation that specify that the documentation cannot leave the company's office?
If so, could you point us in a direction that provides that information, or at least a summary?
We look forward to hearing from you at your earliest convenience.
Answer:
Neither ISO 27001 nor ISO 27002 has strict requirements that would prevent the documentation from being disclosed outside the company office.
Evidence to verify leadership and commitment in ISMS
What evidence would be acceptable to verify the existence and effectiveness of "leadership and commitment" in an ISMS?
Answer:
You can use records as evidence. For example, if you need to demonstrate the leadership and commitment of top management with respect to the ISMS by ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization (point a, clause 5.1 Leadership and commitment of ISO 27001:2013), you need records about the definition and approval of both (policy and objectives) by top management, and you can do this, for example, with meeting minutes.
So, the way is: look at the requirements established by ISO 27001:2013 clause 5.1 Leadership and commitment, and generate records for each one. Anyway, keep in mind that it is not mandatory to have records for this clause; here you can see a complete list of mandatory documents/records (and non-mandatory ones): List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Finally, this article about records can be interesting for you: Records management in ISO 27001 and ISO 22301 : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
And also this article: "Why is management review important for ISO 27001 and ISO 22301?" : https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
ISO and FISMA mandates
Is there, or will there be, a push to recognize and incorporate ISO controls in the FISMA mandates?
Answer:
I am sorry, but we do not have official information about this. Anyway, NIST (National Institute of Standards and Technology) is chartered with developing standards, guidelines and other publications which federal agencies in the USA must follow to implement FISMA and protect their information and information systems. So, the official recommendation is to use NIST standards, guidelines, etc. to comply with FISMA, although from my point of view you can also complement it with ISO 27001, which will give you international recommendations and international prestige (FISMA and NIST are generally used only in the USA).
An example of a NIST publication is the Framework for Improving Critical Infrastructure Cybersecurity; you can find more information here: "Which one to go with: Cybersecurity Framework or ISO 27001?" : https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
Finally, maybe it can be interesting for you to know more about the benefits of ISO 27001, so I recommend you read this article: Four key benefits of ISO 27001 implementation : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Foundation course
May I know where I can get more information on the Foundation Course?
Answer:
Generally the certification bodies have courses to acquire basic knowledge about these standards, so you can get more information about the courses on the website of each certification body (BSI, Bureau Veritas, etc.).
Anyway, these articles can be interesting for you because they will give you an easy overview of how these standards work:
What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/
ISO 22301 Basics : https://advisera.com/27001academy/what-is-iso-22301/
How ISO 27001 / ISO 27002 applies to a cloud computing environment
Please advise how ISO 27001/27002 applies to a cloud computing environment.
Answer:
ISO 27001 applies directly to a cloud computing environment, because it gives you a useful tool to identify information security risks in any type of business, including cloud computing. So, with ISO 27001 you can identify risks related to a cloud-based business, and you can also reduce them with the security controls of ISO 27002 (remember that these controls are included in Annex A of ISO 27001).
Anyway, there is another standard that can be interesting for you: ISO/IEC 27017 Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services : https://www.iso.org/standard/43757.html
Finally, this article can be interesting for you: Cloud computing and ISO 27001 / BS 25999 : https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
Planning the ISO 27001 implementation is a two-step process: first you plan your project in general terms (as you did with the Project Plan document), and once you finish your risk assessment and treatment you will be able to plan all the security-specific documents through the Risk Treatment Plan (you'll find it in folder 07 of the toolkit).
However, our toolkit structure will also help you with the steps in the project: you should follow the sequence of the folders, because this is the optimal way to implement all the documentation.
What is ISO 27001?
What is ISO 27001? And what is the concept of logical security in ISO 27001?
Answer:
ISO 27001 is an international standard that establishes requirements for the implementation of an Information Security Management System. For more information about this, please read the following article: What is ISO 27001? (in Spanish) : https://advisera.com/27001academy/es/que-es-iso-27001/
Regarding logical security, this term relates to the security measures that you can implement with software, I mean, without physical measures. By the way, Annex A of ISO 27001:2013 has the control domain "A.11 Physical and environmental security". An example of logical security is the use of firewalls, so maybe this article can be interesting for you (in English): How to use firewalls in ISO 27001 and ISO 27002 implementation : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
Form for risk acceptance
I wonder if you have more information about risk acceptance by way of forms.
E.g. once a risk is accepted, what kind of form examples do you have so the acceptance can be signed off?
Answer:
You will find a form for accepting the residual risks in section 4 of the Statement of Applicability (folder: 06 Statement of Applicability). Anyway, I will give you another option: hold a meeting with top management and talk about the risk acceptance. Include the results of the meeting in minutes, which must be signed by all attendees. You can use these minutes, instead of a form, as evidence of the accepted risk of the organization.
Nonconformity and information security incident
Could you help me with the definitions of:
· What a nonconformity is in an Information Security Management System
· What an information security incident is
Likewise, I need you to give me examples of the indicators I can keep in an ISMS.
Answer:
Of course, and welcome to our portal. Below I will give you information on your questions, taking into account the definitions established in ISO 27000:2012 - Overview and vocabulary:
1.- Nonconformity: "non-fulfilment of a requirement". Therefore, for example, a requirement of ISO 27001 is to have a document for the Statement of Applicability (SoA), and not having this document can lead to a nonconformity. By the way, here you can see a list of the documents that are mandatory (and non-mandatory) (in Spanish): "List of mandatory documents required by ISO 27001 (2013 revision)" : https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
2.- Information security incident: "a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security". Therefore, an information security incident is basically a negative event that can affect the information security of your business.