Search results


  • Clause 8.1 ISO 27001:2013


    Clause 8.1: there is a requirement to establish criteria for the process. The question is, how can we establish it?

     

    Answer:

    Regarding clause 8.1 Operational planning and control of ISO 27001:2013, I am not sure what you mean, because this clause is not related to "criteria for the process". Here, basically, you need records about the approval of information security objectives, the project plan and outsourced processes, and you also need records about possible changes to all of the above.
    Anyway, keep in mind that it is not mandatory to have a document for this clause; you can see the list of mandatory (and non-mandatory) documents here: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Recovery Point Objective


    Can you explain the recovery point objective to me? With some other example, other than the one mentioned on your site?

     

    Answer:

    The RPO (Recovery Point Objective) is the maximum targeted period in which data might be lost from an IT service due to a major incident. I will give you an easy example: you have a policy which establishes that backups are performed each day at 15:00. So, your backups are every 24 hours. On the first day of the week (Monday) you perform a backup. The next backup is Tuesday at 15:00, but you have a problem on Monday at 18:00, and all information generated after the first backup until 18:00 is lost (3 hours). The question is: can you lose 3 hours of information? And 24 hours? If you can lose only 3 hours, your RPO will be 3 hours.
    Finally, I am not sure which page you have seen on our site, but these are interesting articles related to RPO:
    “What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)”: https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
    “How to implement business impact analysis (BIA) according to ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    And this free webinar can also be interesting for you: “ISO 22301 Foundations Part 1: Business Impact Analysis”: https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
  • Sample risks related to staff resignation and pension


    Sample risks related to staff resignation and pension 
     

    Answer:

    No, I am sorry, we do not have a specific sample about this. Anyway, we can give you general information about risk assessment and treatment according to ISO 27001, which I think can help you. Please see this free webinar and let us know if you have more doubts: “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Contact with authorities and security organization

    Regarding point 1: it is described that organizations should have procedures in place that specify when and which authorities (for example, law enforcement, regulatory bodies and supervisory authorities). This is essential given the requirement to have an Incident Management Procedure, where contact with authorities in the event of a security incident can be specified. Incidents are not necessarily internal; we could establish contact ("escalation") with external authorities such as the fire brigade, police, legal bureau, regulatory or normative entities, etc. 6.1.2 and 6.1.4 of the SoA.

    Regarding point 2: roles and responsibilities are mandatory, since the standard requires them in points 6.1.1 and 6.1.2, where they can be defined in your security policy manual or, yes, in each procedure, although it would be very difficult to describe each segregation in the documents. There are functions that are crossed, for example: who performs the backup, who is the owner of the backed-up asset and the backup unit, who is responsible for maintaining the asset, who administers the information system, etc.

  • Certification costs


    Hello, I am in Mexico; we want to get certified to 27001, and we already have the 9001:2008 certification.
    It is urgent, urgent!
    We are a Verification Unit with three large processes.
    I need help: certification costs, whether this tool helps me prepare the documents, a certification body in Mexico, etc.
     

    Answer:

    Certification costs depend on the certification body, so my recommendation is that you request a proposal from several bodies: AENOR, BSI, Bureau Veritas, etc. To select the best one, this article may be interesting for you (in English): “How to choose a certification body”: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    Regarding the tool, our toolkit can help you implement the standard in your organization, because it has all the necessary documents, and we can also support you with the implementation. You can see a free version of each document by clicking on the "Demo gratis" (Free Demo) tab here: https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
    Regarding the accreditation body in Mexico, it is EMA: https://www.ema.org.mx/portal_v3/
    Finally, this article about implementing ISO 27001 and ISO 9001 may be interesting for you: “Usar la ISO 9001 para implementar la ISO 27001” (Using ISO 9001 to implement ISO 27001): https://advisera.com/27001academy/es/blog/2010/04/02/usar-la-iso-9001-para-implementar-la-iso-27001/ And also this free webinar (in English): “ISO 27001 implementation: How to make it easier using ISO 9001”: https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Minimum requirements and certification process

    Point 1: The standard does not establish minimum requirements; all the requirements set out in the standard (from clause 4 to 10) are necessary for implementing ISO 27001 in your organization, and you have to take into account that there is a series of mandatory documents and records that you will need to implement ISO 27001. Here you can see that list (you can also see non-mandatory documents and records): “Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)” (List of mandatory documents required by ISO 27001, 2013 revision): https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/ And remember that with our toolkit you will have all the documents needed to implement the standard, and you will also have our help. You can see a free version of each document by clicking on "Demo gratis" (Free Demo) here: https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/

    Point 2: To obtain the certificate, or the certification, after implementing the standard you will need to start the certification process, so this free webinar may be interesting for you: “ISO 27001/ISO 22301: El proceso de certificación” (The certification process): https://advisera.com/27001academy/es/webinar/iso-27001iso-22301-the-certification-process-free-webinar/ And this article may also be interesting for you: "Becoming ISO 27001 certified - How to prepare for certification audit": https://advisera.com/27001academy/iso-27001-certification/
  • Explain procedure of Incident Management and Business Continuity Management


    Can you please explain to me the whole procedure of incident management and business continuity management?
     

    Answer:

    Regarding the procedure of incident management, with these main points I will try to explain the procedure to you:
    a.- Receipt and classification of the incident: you detect an incident in your organization and classify it according to criteria (you can consider minor incident, major incident, etc.).
    b.- Treatment of the incident: depending on the type of incident, you need to perform actions to resolve it (when the incident is resolved, you can close it).
    c.- Learning from incidents: after the incident is resolved, you can learn how it was resolved and record all the information for a possible similar incident in the future.
    d.- Collection of evidence: finally, all the information recorded about the incident can be useful as evidence in legal and other possible proceedings.
    Regarding Business Continuity Management, there is a standard which can help you implement a BCMS (Business Continuity Management System) in your organization. This standard is ISO 22301, and you can find more information about it here: “What is ISO 22301?”: https://advisera.com/27001academy/what-is-iso-22301/
    And with this free webinar you can see an overview of the BCM implementation process: “ISO 22301: An overview of the BCM implementation process”: https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
  • After getting the management involved


    How are you? I am a young CISO, aware of the benefits of ISO 27001, and would like to implement it in my bank. We have never used an ISMS yet; I need your advice to know which steps are important right after getting the management involved. We have 200 people working here and, as a bank, which process would you advise me to start from? Thank you very much
     

    Answer:

    After getting the management involved, you need to develop a project plan, because you need to think of the implementation of ISO 27001 as a project. So, this article can be interesting for you: “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    And regarding management support, maybe this free webinar can also be interesting for you: “ISO 27001 benefits: How to obtain management support”: https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • Documentation to redesign a support model


    I'm trying to find the best documentation to help me redesign a support model for a company. The end users are external customers, and the current L1 and L2 teams are more product specialists in their area (mind you, L1 does make coffee and put out lunch for customers!). Do you have anything that could help?
     

    Answer:

    We only have documents for the implementation of ISO 27001 (and ISO 22301), and these standards are not specifically designed for a support model, although you can see this template, “Incident Management Procedure”: https://advisera.com/27001academy/documentation/incident-management-procedure/, and this one, “Operating Procedures for Information and Communication Technology”: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/, which are related to IT support (but remember that ISO 27001 is focused on the protection of information). You can see a free version of each document by clicking on the “Free Demo” tab.
    Anyway, in your case, the standard that I think can help you, because it is related to the management of IT services (and their support), is ISO 20000. Here you can find information about this standard: “What is ISO 20000? Learn why ISO 20000 can benefit your organization”: https://advisera.com/20000academy/what-is-iso-20000/
  • Is the SoA considered public?


    "Is the SoA considered public? It specifies which controls have been implemented and verified in the certificate. It seems to me that the 27001 certificate is useless if you don't have access to the SoA that was used."

     

    Answer:

    Generally the SoA is not considered a public document, because it can contain internal information about the organization (for example, it can contain references to internal documents), so my recommendation is that you treat this document as “Internal use” or “Restricted”. There are various types of information; here you can see them: “Information classification according to ISO 27001”: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    And from my point of view, for external people it is not necessary to have access to the SoA (with some exceptions, for example auditors); keep in mind that the certificate is issued by a certification body, which has reviewed the SoA in the certification audit process.
    Finally, this article about the importance of the Statement of Applicability can be interesting for you: “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/