Need your advice on selection of ISO training. Which one should I opt for from the undermentioned:
1-ISO/IEC 27001 Lead Implementer
2-ISO/IEC 27001 Lead Auditor
My current role is CISO and my team is responsible for Information Security Policy creation and implementation, besides the SOC and other technical stuff.
If some bank is implementing 27001 & 22301, does VAPT need to be done mandatorily?
Answer:
In accordance with the control of Annex A of ISO 27001:2013, A.12.6.1 Management of technical vulnerabilities, you need to manage technical vulnerabilities, but the standard does not establish that you need to perform a complete VAPT (Vulnerability, Assessment, Penetration and Testing), so a scan of technological vulnerabilities and a plan to treat them can be enough, but from my point of view it can be a best practice to perform a complete VAPT.
Anyway, keep in mind that the controls of Annex A must be implemented only if, after the risk assessment, you identify that you need controls to decrease the risks identified (although there are some exceptions because there is a list of mandatory documents).
By the way, this control is not present in ISO 22301, so you do not need to implement this control in ISO 22301, but from my point of view it can also be a best practice.
If you are interested in mandatory documents (and non-mandatory) of ISO 27001:2013, you can see this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Related to ISO 22301, you can also see this article "Mandatory documents required by ISO 22301": https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Finally, this free webinar can also be interesting for you, "ISO 27001: An overview of ISMS implementation process": https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
Software development within the company
You can exclude the development in your ISMS scope. From my point of view, you have focused the scope on the production environment, and it is not mandatory to also include the development (although it can be recommendable to include it in the future, integrating existing policies, procedures, etc. with the documentation of the ISMS). Anyway, if you need more information about the definition of the scope, you can read this article "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope
Documents and procedures separately
Confidentiality level for the Business Continuity Policy
What is the confidentiality level for the Business Continuity Policy Document? I have watched the video but am unable to find the answer.
Answer:
I suppose that your question is related to ISO 22301. This standard does not establish a confidentiality level for documents; anyway, you can consider, for example, 3 confidentiality levels: Confidential (information only for Directors and Top Management), Restricted (information only for Managers, some areas, or some employees) and Internal (information only for internal employees). So, if the Business Continuity Policy must be a document for internal use, and must be seen by all employees, in accordance with my previous example, you can consider it as Internal.
Finally, this article about the classification of information can be interesting for you, "Information classification according to ISO 27001": https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/, and also this article "The purpose of Business continuity policy according to ISO 22301": https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
Justification in SoA
What should the justification in the SoA be like? Is it to rephrase the "Controls" in the standard's Annex A? And what else should be included in the SoA?
Answer:
The justification depends on the source of each control. During the risk treatment you need to identify controls that are necessary to decrease risks, but you also identify controls that are required because of other reasons: law, contractual requirements, or because of other processes. So, the justification could be: "Implemented by contractual requirements", or "Implemented to decrease risks related to ...", or also "This control is not implemented because the organization does not have teleworking" if the control is not implemented.
Generally the original definition of each control of Annex A is enough (all controls were developed by experts from all over the world), so from my point of view you can maintain the original control, and if you want, include some more actions or controls (you can also use controls from other sources, for example PCI-DSS).
The most important is the applicability and the justification of each control, but as a best practice you can also include a field for the implementation method (how you have implemented each control).
For more information about the SoA, you can read this article "The importance of Statement of Applicability": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
And you can also see a free version of our template about the SoA by clicking on the Free Demo tab here: https://advisera.com/27001academy/documentation/statement-of-applicability/
Procedure to become Lead Auditor
What is the procedure for getting a degree of ISO auditor and its career opportunities? Course details like eligibility, cost structure, exams and all?
Answer:
The first step can be to acquire a good knowledge base about information security and ISO 27001, and for this our blog will be useful for you because we have articles, webinars, ebooks, templates, etc. You can start here, "What is ISO 27001?": https://advisera.com/27001academy/what-is-iso-27001/
After this knowledge base, you can try to become Lead Auditor (you can find many jobs as Lead Auditor). So, this article can be interesting for you, "How to become ISO 27001 Lead Auditor": https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
With a good knowledge base about information security, you can also find jobs as a consultant (it can be interesting for you to search jobs not only as Lead Auditor), so this article can be interesting for you, "How to become an ISO 27001 / BS 25999-2 consultant": https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
Regarding costs, it depends on the entity, but my recommendation is that you search for courses in various certification bodies, for example BSI, Bureau Veritas, etc., or local training companies in your country with good prestige.
Finally, regarding the exam, I think that this free webinar will be interesting for you, "ISO 27001 Lead Auditor Course preparation training": https://advisera.com/training/iso-27001-lead-auditor-course/
Clause 8.1 ISO 27001:2013
Clause 8.1: there is a requirement to establish criteria for the process. The question is, how can we establish it?
Answer:
Regarding clause 8.1 Operational planning and control of ISO 27001:2013, I am not sure what you mean, because this clause is not related to a "criteria for the process"; here basically you need records about the approval of information security objectives, project plan and outsourced processes, and you also need records about possible changes to all of the above.
Anyway, keep in mind that it is not mandatory to have a document for this clause; you can see the list of mandatory documents (and non-mandatory) here, "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Recovery Point Objective
Can you explain the recovery point objective to me, with some other example than the one mentioned on your site?