Search results


  • Documents and procedures separately

  • Confidentiality level for the Business Continuity Policy


    What is the confidentiality level for the Business Continuity Policy Document? I have watched the video but am unable to find the answer.


    Answer:

    I suppose that your question is related to ISO 22301. This standard does not establish a confidentiality level for documents; anyway, you can consider, for example, 3 confidentiality levels: Confidential (information only for Directors and Top Management), Restricted (information only for Managers, some areas, or some employees) and Internal (information only for internal employees). So, if the Business Continuity Policy must be a document for internal use, and must be seen by all employees, in accordance with my previous example, you can consider it as “Internal”.
    Finally, this article about the classification of information can be interesting for you, “Information classification according to ISO 27001”: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/, and also this article, “The purpose of Business continuity policy according to ISO 22301”: https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
  • Justification in SoA


    What should the justification in the SoA be like? Is it to rephrase the "Controls" in the standard's Annex A? And what else should be included in the SoA?

    Answer:

    The justification depends on the source of each control. During the risk treatment you need to identify controls that are necessary to decrease risks, but you also identify controls that are required for other reasons: law, contractual requirements, or other processes. So, the justification could be: “Implemented due to contractual requirements”, or “Implemented to decrease risks related to…”, or also “This control is not implemented because the organization does not have teleworking” if the control is not implemented.
    Generally the original definition of each control of Annex A is enough (all controls were developed by experts from all over the world), so from my point of view you can keep the original control and, if you want, include some more actions or controls (you can also use controls from other sources, for example PCI-DSS).
    The most important thing is the applicability and the justification of each control, but as a best practice you can also include a field for the implementation method (how you have implemented each control).
    For more information about the SoA, you can read this article, “The importance of Statement of Applicability”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    And you can also see a free version of our template for the SoA by clicking on the “Free Demo” tab here: https://advisera.com/27001academy/documentation/statement-of-applicability/
  • Procedure to become Lead Auditor


    What is the procedure for getting a degree as an ISO auditor, and what are its career opportunities? Course details like eligibility, cost structure, exams and all?

    Answer:

    The first step can be to acquire a good knowledge base about information security and ISO 27001, and for this our blog will be useful for you because we have articles, webinars, ebooks, templates, etc. You can start here, “What is ISO 27001?”: https://advisera.com/27001academy/what-is-iso-27001/
    After this knowledge base, you can try to become a Lead Auditor (you can find many jobs as Lead Auditor). So, this article can be interesting for you, “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    With a good knowledge base about information security, you can also find jobs as a consultant (it can be interesting for you to search for jobs not only as Lead Auditor), so this article can be interesting for you, “How to become an ISO 27001 / BS 25999-2 consultant”: https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
    Regarding costs, it depends on the entity, but my recommendation is that you search for courses at various certification bodies, for example BSI, Bureau Veritas, etc., or local training companies in your country with good prestige.
    Finally, regarding the exam, I think that this free webinar will be interesting for you, “ISO 27001 Lead Auditor Course preparation training”: https://advisera.com/training/iso-27001-lead-auditor-course/
  • Clause 8.1 ISO 27001:2013


    Clause 8.1: there is a requirement to establish criteria for the process. The question is, how can we establish it?

    Answer:

    Regarding clause 8.1 Operational planning and control of ISO 27001:2013, I am not sure what you mean, because this clause is not related to "criteria for the process". Here you basically need records about the approval of information security objectives, project plan and outsourced processes, and you also need records about possible changes to all of the above.
    Anyway, keep in mind that it is not mandatory to have a document for this clause; you can see the list of mandatory documents (and non-mandatory ones) here, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Recovery Point Objective


    Can you explain the recovery point objective to me, with some other example than the one mentioned on your site?

    Answer:

    The RPO (Recovery Point Objective) is the maximum targeted period in which data might be lost from an IT service due to a major incident. I will give you an easy example: you have a policy which establishes that backups are performed each day at 15:00. So, your backups are every 24 hours. On the first day of the week (Monday) you perform a backup. The next backup is Tuesday at 15:00, but you have a problem Monday at 18:00, and all information generated after the first backup until 18:00 is lost (3 hours). The question is: can you lose 3 hours of information? And 24 hours? If you can lose only 3 hours, your RPO will be 3 hours.
    Finally, I am not sure what page you have seen on our site, but these are interesting articles related to RPO:
    “What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)”: https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
    “How to implement business impact analysis (BIA) according to ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    And this free webinar can also be interesting for you, “ISO 22301 Foundations Part 1: Business Impact Analysis”: https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
  • Sample risks related to staff resignation and pension


    Sample risks related to staff resignation and pension

    Answer:

    No, I am sorry, we do not have a specific sample about this. Anyway, we can give you general information about risk assessment and treatment according to ISO 27001, which I think can help you. Please see this free webinar and let us know if you have more doubts, “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Contact with authorities and organization of security

    For point 1: it is described that organizations should have procedures in place that specify when and which authorities (for example, law enforcement, regulatory bodies and supervisory authorities); this is essential given the requirement to have an Incident Management Procedure, in which contact with authorities in the event of a security incident can be specified. Incidents are not necessarily internal; we could establish contact ("escalation") with external authorities such as firefighters, police, legal bureau, regulatory or normative entities, etc. (6.1.2 and 6.1.4 of the SoA).

    For point 2: roles and responsibilities are mandatory, since the standard requires them in points 6.1.1 and 6.1.2, where they can be defined in your security policy manual or, alternatively, in each procedure, although it would be very difficult to describe each segregation in the documents. There are functions that overlap, for example who performs the backup, who is the owner of the backed-up asset and of the backup unit, who is responsible for maintaining the asset, who administers the information system, etc.

  • Certification costs


    Hello, I am in Mexico; we want to get certified in 27001, and we already have the 9001:2008 certification.
    It is urgent, very urgent!
    We are a Verification Unit with three large processes.
    I need help: certification costs, whether this tool helps me prepare the documents, a certification body in Mexico, etc.

    Answer:

    Certification costs depend on the certification body, so my recommendation is that you request a proposal from several bodies: AENOR, BSI, Bureau Veritas, etc. To select the best one, this article may be interesting for you (in English), “How to choose a certification body”: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    Regarding the tool, our toolkit can help you implement the standard in your organization, because it contains all the necessary documents, and we can also support you during the implementation. You can see a free version of each document by clicking on the "Free Demo" tab here: https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
    Regarding the accreditation body in Mexico, it is EMA: https://www.ema.org.mx/portal_v3/
    Finally, this article about implementing ISO 27001 and ISO 9001 may be interesting for you, “Using ISO 9001 to implement ISO 27001”: https://advisera.com/27001academy/es/blog/2010/04/02/usar-la-iso-9001-para-implementar-la-iso-27001/ And also this free webinar (in English), “ISO 27001 implementation: How to make it easier using ISO 9001”: https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Minimum requirements and certification process

    Point 1: The standard does not establish minimum requirements; all the requirements set out in the standard (from section 4 to 10) are necessary for implementing ISO 27001 in your organization, and you have to bear in mind that there is a series of mandatory documents and records that you will need in order to implement ISO 27001. You can see that list here (you can also see non-mandatory documents and records), “List of mandatory documents required by the ISO 27001 standard (2013 revision)”: https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/ And remember that with our toolkit you will have all the documents necessary for implementing the standard, and you will also have our help. You can see a free version of each document by clicking on "Free Demo" here: https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/

    Point 2: To obtain the certificate, or the certification, after implementing the standard you will need to start the certification process, so this free webinar may be interesting for you, “ISO 27001/ISO 22301: The certification process”: https://advisera.com/27001academy/es/webinar/iso-27001iso-22301-the-certification-process-free-webinar/ And this article may also be interesting for you, "Becoming ISO 27001 certified - How to prepare for certification audit": https://advisera.com/27001academy/iso-27001-certification/