Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Internal audit
We have been recommended for ISO 27001:2013 certification. However, I feel that our internal audits are weak. For example, for Clause 9.1 "Monitoring, Measurement, Analysis, and Evaluation", I would like to see if there are templates or suggestions that for conduction that audit, rather than "re-invent the wheel". Can you point me in the right direction?
Answer:
Sure, we can help you. We have a specific toolkit to perform the internal audit. You can see a free version clicking on Free demo tab here ISO 27001 / ISO 22301 Internal Audit Toolkit : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
And to perform the internal audit can be interesting to develop a checklist, so this article can be interesting for you How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
ISO 27001:2013 and PDCA
Would like to quickly check whether ISO 27001:2013 is still based on PDCA cycle
Answer:
It is a good question, and a quick response is: yes, ISO 27001:2013 is still based on PDCA cycle, although it is not explicit as in the previous version (ISO 27001:2005).
For more information about this, you can read this article Has the PDCA Cycle been removed from the new ISO standards? : https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/ -
Locking a computer
Is there a ISO or industry recommended time for locking a computer. E.g 10-15mins
Answer:
No, there is not established a concrete time by ISO 27001, ISO 27002 (and I think neither industry recommendation). The important here is to protect the information in an unattended user equipment (it is related with the control A.11.2.8 of the Annex A of the ISO 27001:2013) but you can do it in the way that you want, or in the way that your business needs. 15 minutes can be good for a company where employees are the most of time in front of the computer, but can be long time in a company where employees are constantly moving from a computer to another, and there are people of different companies.
Finally, if you want more information about physical security in ISO 27001, you can read this article Physical security in ISO 27001: How to protect the secure areas : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/ -
Implement ISO 27001
If i get certification ISO 27002, i can to implement ISO 27001 and if i can, how much should i charge?
Answer:
I am sorry but you cannot get the certification of ISO 27002, it is only a code of best practices that you can use to implement and certify ISO 27001 in your organization. For more information about differences of both, please read this article ISO 27001 vs. ISO 27002 : https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Regarding the charge, depend on the organization where you want to implement the standard (scope, number of employees, etc), although typically the cost of the implementation for a company with 50 employees could be between $5.000 - $20.000. Anyway, this article can be interesting for you How much does ISO 27001 implementation cost? : https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
Finally, this free tool can help you to calculate the duration of an ISO 27001 implementation Free Calculator Duration of ISO 27001 / ISO 22301 Implementa tion : https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/ -
DR site
I suppose that your question is related to the selection of an external provider that give you a DR site. If so, from my point of view is more important that you take into consideration other parameters like support that they can give you (hours, phone, email, etc), the availability and capacity that they provide (should be established in the SLA), certifications (ISO 20000, ISO 27001, ISO 22301, etc), distance from the main data center, guarantees of services, and of course references of another clients (maybe you can find interesting information with your favorite search engine).
Anyway, keep in mind that the Disaster Recovery is focussed in the information technology, and it is not the same that business continuity. For more information about this, please read this article Disaster recovery vs. Business continuity : https://advisera.com/27001academy/blog/ 2010/11/04/disaster-recovery-vs-business-continuity/
And also this article about the distance of the disaster recovery can be interesting for you Disaster recovery site What is the ideal distance from primary site? : https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/ -
Organization structure
Thanks so much for making me part of your group, the 27001 ACADEMY. For options b and c in your article below, how does the organization structure look like for the project?
Answer:
You organization structure for options b" and c" can be the same that for the option a, because the organization structure should include roles (CEO, CISO, responsible of HR, etc) and generally it is always the same; the difference (options b and c") is that some of these roles can be assumed by external people. For example, there are many companies that have an external experienced professional to assume the role of CISO.
This article about CISO can be interesting for you Chief Information Security Officer (CISO) - where does he belong in an org chart? : https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
And also this article about how to choose a consultant 5 criteria for choosing an ISO 22301 / ISO 27001 consultant : https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/ -
Risk assessment - Assets or process?
Do you suggest to do risk assessment based on asset or business process? for your information, at this time we use asset based approach and it is too complex for our scope (about 1100 employee) have certification from IQNET, The certification is just for our network infrastructure. Now we are planning to extend the scope.
Answer:
If you have many assets (thousands of different assets of all type) involved in the scope of the ISMS, can be a good idea the risk assessment based on process, but keep in mind that in the risk assessment based on assets, you can have group of assets like employees of a department, TVs, Desktops, and any other group of assets that can be affected by the same threats/vulnerabilities, and this approach can reduce the risk assessment considerably.
But also keep in mind that if you change assets/process in your risk assessment, you will need to start from 0, applying a new methodology in a complex scope.
So, if you reduce your risk assessment but the number of assets is high, and you can assume the eff ort to change the risk assessment and start from 0, my recommendation is the risk assessment based on process (it is not a problem in the ISO 27001:2013, I mean, you can use a risk assessment based on process without problem, although with the old ISO 27001:2005 you could not). If not, I think that you should maintain your current risk assessment, reducing it.
Finally, this article about the risk assessment, can be interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
And also this article about problems with defining the scope can be interesting for you Problems with defining the scope in ISO 27001 : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/ -
Does ISO 27001 have any requirements that the documentation cannot leave the com
One of our vendors already has their ISO 27002 certification [for a while now] and when I asked about obtaining a copy of the documentation and verification of their certification, they provided us with the first three pages of their ISO 27002 Risk Assessment report that included the title page, table of content and introduction (stating who performed certification and list of control area. Further, they said that because the ISO certification documents contains such detailed, confidential information, they do not allow any of the rest of their documentation to leave their office. They will allow others with vested interest (such as our company) to schedule certified ISO auditors to visit their offices to review their documentation.
Our question: Does ISO 27001 / 27002 have any terms / requirements / documentation that specify that the documentation cannot leave the companys office?
If so, could you point me in a direction that provides us with that info or at least a summary?
We look forward to hearing from you at your earliest convenience.
Answer:
ISO 27001 nor ISO 27002 do not have strict requirements that would prevent the documentation to be disclosed out of the company office.
However, ISO 27001 does allow a company to set its own rules for distribution and access to their documentation - this is regulated with sections A.8.2 Information classification, and A.9 Access control. See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
By the way, a company cannot get certified against ISO 27002, only against ISO 27001 - see this article: ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/ -
Evidence to verify leadership and commitment in ISMS
what evidence would be acceptable to verify the existence and effectiveness of "leadership and commitment in ISMS
Answer:
You can use records as evidence. For example, if you need to demonstrate the leadership and commitment of the Top Management with respect to the ISMS ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization (point a, paragraph 5.1 Leadership and commitment of the ISO 27001:2013), you need records about the definition and approval of both (policy and objectives) by Top Management, and you can do it for example with minutes.
So, the way is: to see the requirements established by ISO 27001:2013 5.1 Leadership and commitment, and generate records for each one. Anyway, keep in mind that is not mandatory to have records for this paragraph, here you can see a complete list of mandatory documents/records (and non mandatory) List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera .com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Finally, this article about records can be interesting for you Records management in ISO 27001 and ISO 22301 : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
And also this article "Why is management review important for ISO 27001 and ISO 22301?" : https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/ -
ISO and FISMA mandates
Is there/will there be a push to recognize and incorporate ISO controls in the FISMA mandates?
Answer:
I am sorry but we do not have official information about this, anyway NIST (National Institute of Standards and Technology) is chartered with developing standards, guidelines and other publications which federal agencies in USA must follow to implement FISMA and protect their information and information systems. So, the official recommendation is to use NIST standards, guidelines, etc. to comply with FISMA, although from my point of view, you can also complement it with ISO 27001, which will give you international recommendations and an international prestige (FISMA and NIST is generally used only in USA).
An example of a publication of NIST is the Framework for Improving Critical Infrastructure Cybersecurity, you can find more information here "Which one to go with Cybersecurity Framework or ISO 27001? : https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
Finally, ma ybe can be interesting for you to know more about the benefits of ISO 27001, so I recommend you to read this article Four key benefits of ISO 27001 implementation : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/