Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Semi quantitative
An easy example about semi quantitative method:
Likelihood
0-40% - Low
40-60% - Medium
60-100% - High
Note that I use a scale of numerical values (0-100%), but for each range I use a qualitative value. -
Assets, risks and legal requirements
Couple of questions for you, as Im trying to gather as much information as possible before we have the templates.
1. What level of assets do we need to go down to on the Inventory of assets. E.g computers, servers, phones etc.
2. What is the breakdown required on the List of risks?
3. Do you have any recommendations on where to find the list of legal, regulatory, contractual and other requirements.
Answers:
Point 1: The standard does not establish the level of assets that you need to go down (and in the new ISO 27001:2013 is not necessary the identification of assets in your methodology, but we recommend you to keep this approach). You can identify them by categories (Hardware, Software, etc), and I think that this article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Point 2: The same that the previous point: The standard does not establish t he level of detail for the list of risks. Here you will find 6 easy steps to perform the risk assessment & treatment ISO 27001 risk assessment & treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Point 3: Yes, sure. You can start with the identification of interested parties, and to do this, you can read this article How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// After of this, you need to identify all laws that apply in your country, especially those related to IT. To do this, you can use this list about laws and regulations on information security and business continuity Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ -
Book for ISO 27001:2013
Regarding training webinar: https://advisera.com/training/iso-27001-lead-auditor-course/
I am looking for a good book for iso 27001 v2013 to do the exam for lead auditor do you have that?
Answer:
No, I am sorry, we do not have this. Generally the certification bodies have books about the standards that certify (BSI, Bureau Veritas, etc), so maybe you can find anything in their website related to ISO 27001:2013. But keep in mind that our free webinar can be enough for the preparation of the exam.
Anyway, we have a free ebook related to the cybersecurity that maybe can be also interesting for you, you can download it from here 9 steps to cybersecurity : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/ -
Policies and procedures
I need some clarity over what must be policy according to ISO27001 2013. I used a document called "List of Documents IS27001 Premium Documentation Toolkit" (Attached) which states all document names and whether they are "Mandatory according to ISO27001". Why would something non-mandatory be a policy?
Would an ISO27001 assessor criticise an organisation for having a procedure (rather than a policy) in these non-mandatory areas?
Answer:
Right, a non-mandatory document can be a policy, for example the Information Classification Policy, this is so because the standard ISO 27001:2013 does not establish for the control "A.8.2.1 Classification of information that you need to have a document. Read the description: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. However, in the description of the control A.9.1.1 Access control policy you can read An access control policy shall be established, documented and reviewed based on business an d information security requirements. So, when you see in the standard shall be documented you need a document (mandatory). If not, can be a best practice to have a document but it is non mandatory.
Yes, generally an ISO 27001 assessor could criticize you, because the most logical is to have a policy for those controls that are related to policies: A.6.2.1 Mobile device policy (non mandatory to have a document), A.10.1.1 Policy on the use of cryptographic controls (non mandatory to have a document), etc.
You can have a procedure, for example Use of Mobile Devices where you can detail how to use Mobile devices in the organization, but you can include the basic rules in a policy. So, my recommendation is that if you want to have a document for a non-mandatory area and it is related to a policy, you can have a procedure and also you can have a policy, because they are different things.
Finally, maybe this article can be interesting for you: 8 criteria to decide which ISO 27001 policies and procedures to write : https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/ -
Determine external and internal issues
"How to do determine external and internal issues that are relevant to organisation purpose and that affect its ability to achieve the intended outcome(s) of information security management system"
Answer:
There are various points. For internal issues, you must make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities and capabilities. For external issues you simply need to identify interested parties. For more information about this, you can read this article Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
And also this article can be interesting for you How to identify interested parties according to ISO 2701 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
Issues
According to the article "Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)" : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/, the issues are determined during the RA process and hence there is no need to perform any additional steps to identify the internal / external issues. However, my doubt here is that at this stage (4.1) we are still in the process of determining the scope and the RA (6.1) is at a later stage. So ideally, these 'issues' that we determine at 4.1 should come from a brainstorming session or discussion with relevant stake holders. Please correct me if I have misunderstood something here.
2.- My second and main doubt is while determining these 'issues', do we also need to consider issues that could affect the ISMS in a positive way? As per my understanding, an 'issue' is something that could prevent my ISMS from achieving its intended outcome (its objectives). However, it was pointed out by an auditor that while determining th e issues while considering clause 4.1, we should also consider factors that could influence the ISMS in a positive way. For example, an issue identified was lack of management commitment (this could lead to difficulty in achieving the ISMS objectives). The auditor mentioned that should also consider something Strong management commitment as this could influence the outcome of the ISMS in a positive way (i.e. help the ISMS achieve its objective). I wanted to know if this is necessary or if defining issues the way I have determined it so far (as something that could prevent the ISMS from achieving its outcome) is sufficient to meet the requirement of 4.1
Answers:
Point 1: Yes, you are right, internal and external issues will be mostly discovered during the risk assessment process, but remember that also identifying interested parties. On the other hand, it is not necessary to identify issues related to the RA at the beginning of the implementation (can wait), but you can consider, as a best practice, a brainstorming session or discussion with relevant stake-holders, and after redefine issues during the RA if necessary.
Point 2: From my point of view, it is not necessary to identify issues that could affect the ISMS in a positive way, with issues identified during the RA process, and by identifying interested parties, can be enough. Anyway, can be a best practice to consider issues that could affect the ISMS in a positive way (for example related to Strong management commitment), and also can be a best practice to perform the SWOT analysis (Strengths-Weaknesses-Opportunities-Threats), and PEST analysis (Political-Economical-Social-Technological impacts).
Finally, maybe this article related to security objectives can be interesting for you ISO 27001 control objectives Why are they important? : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/ -
Legislation that you organization is subject to
Do you by chance know how I can tell which legislations or Acts my organization is subject to? Example (Intellectual Property Rights ,Protection of Organizational Records ,Data Protection and Privacy of Personal Information , Prevention of Misuse of Information Processing Facilities, Regulation of Cryptographic Controls)?
Answer:
The legislations that your organization is subject to, depends of the country where your organization is based. Anyway, there are common laws in all countries related to information security (at least in Europe), for example laws related with the protection of personal data, intellectual property, electronic signature, etc. To know more information about the laws regulation in each country, please see this Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ -
Mandatory documentsLead Auditor Courses
I need to develop an Operational Security & Intelligence Plan for a company in my country. Do you have a template? Can you help me? Thanks.
Answer:
I am sorry, but we do not have this specific template, keep in mind that we work with all mandatory documents for the implementation of the ISO 27001 (and some not mandatory documents), and this plan is not necessary. You can see a list of the mandatory documents (and not mandatory) here List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ We have received this question:
Would like to know about lead auditor courses and how to get training. ISO 27001
Answer:
Sure, there are courses to become Lead Auditor. For example, all certification bodies (BSI, Bureau Veritas, etc) have one for this. If you are interested in to become a Lead Auditor, this article can be interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/kno wledgebase/how-to-become-iso-27001-lead-auditor/
Remember that after the course, you will need to pass an exam, so this free webinar can be also interesting for you ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/ -
Risk Approach in ISO 27001:2013
You are right, as I said in my previous message, ISO 27005 and ISO 31000 have the same structure, even the ISO 27005 refers to the structure of the risk management process of ISO 31000, because it is more global and generic, but if you work only with risks related to information security is much better ISO 27005, because you can find on it things that ISO 31000 does not have, for example, a catalogue of threats and vulnerabilities for information security.
For the identification of issues, basically you need to identify internal and external issues. For internal issues, you must make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities and capabilities. For external issues you simply need to identify interested parties. Anyway, for more information about this, you can read this article "Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)" : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
And also this article can be interesting for you "How to identify interested parties according to ISO 27001 and ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Regarding to your second question, I agree with you in that ISO 31000 can be much helpful if you need a generic methodology (not only based on information security), and ISO 27005 talks about assets because it was developed for ISO 27001:2005. I suppose that the next version of ISO 27005, will be aligned with ISO 27001:2013. -
Differences between ISO 27001:2013 and PCI DSS
Can you explain me difference between ISO 27001:2013 and PCI DSS. Exact difference.
Answer:
There are many differences between both, but there are also many similarities. You can see them in this article PCI-DSS vs. ISO 27001 Part 1 Similarities and Differences : https://advisera.com/27001academy/knowledgebase/pci-dss/