  • Contact with authorities and organization of security

    For point 1: it is described that organizations should have procedures in force that specify when and which
    authorities (for example, law enforcement, regulatory bodies and supervisory
    authorities) are to be contacted. This is indispensable given the requirement to have an Incident Management Procedure; there you can specify contact with authorities in the event of a security incident. Incidents are not necessarily internal; we could establish contact ("escalation") with external authorities such as the fire department, police, legal bureau, regulatory or normative entities, etc. 6.1.2 and 6.1.4 of the SoA.

    For point 2: Roles and responsibilities are mandatory, since the standard requires them in points 6.1.1 and 6.1.2, where they can be defined in your security policy manual or, alternatively, in each procedure, although it would be very difficult to describe each segregation in the documents. There are functions that overlap, for example who performs the backup, who is the owner of the backed-up asset and of the backup unit, who is responsible for maintaining the asset, who administers the information system, etc.

  • Certification costs


    Hello, I am in Mexico; we want to get certified to 27001, and we already have the 9001:2008 certification. 
    It is urgent, urgent! 
    We are a Verification Unit with three large processes. 
    I need help: certification costs, whether this tool helps me prepare the documents, a certification body in Mexico, etc.
     

    Answer:

    Certification costs depend on the certification body, so my recommendation is that you request a proposal from several bodies: AENOR, BSI, Bureau Veritas, etc. To select the best one, this article may be interesting for you (in English) “How to choose a certification body” : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    Regarding the tool, our toolkit can help you implement the standard in your organization, because it has all the necessary documents, and we can also support you during the implementation. You can see a free version of each document by clicking on the "Free Demo" tab here : https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
    Regarding the accreditation body in Mexico, it is EMA : https://www.ema.org.mx/portal_v3/
    Finally, this article on implementing ISO 27001 together with ISO 9001 may be interesting for you “Using ISO 9001 to implement ISO 27001” : https://advisera.com/27001academy/es/blog/2010/04/02/usar-la-iso-9001-para-implementar-la-iso-27001/ And also this free webinar (in English) “ISO 27001 implementation: How to make it easier using ISO 9001” : https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Minimum requirements and certification process

    Point 1: The standard does not establish minimum requirements; all the requirements set out in the standard (from clause 4 to clause 10) are necessary to implement ISO 27001 in your organization, and you have to keep in mind that there is a series of mandatory documents and records that you will need in order to implement ISO 27001. Here you can see that list (you can also see non-mandatory documents and records) “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/ And remember that with our toolkit you will have all the documents necessary to implement the standard, and you will also have our help. You can see a free version of each document by clicking on "Free Demo" here : https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
    Point 2: To obtain the certificate, or the certification, after implementing the standard you will need to start the certification process, so this free webinar may be interesting for you “ISO 27001/ISO 22301: The certification process” : https://advisera.com/27001academy/es/webinar/iso-27001iso-22301-the-certification-process-free-webinar/ And this article may also be interesting for you "Becoming ISO 27001 certified - How to prepare for certification audit" : https://advisera.com/27001academy/iso-27001-certification/
  • Explain procedure of Incident Management and Business Continuity Management


    Can you please explain to me the whole procedure of incident management and business continuity management?
     

    Answer:

    Regarding the incident management procedure, I will try to explain it with these main points:
    a.- Receipt and classification of the incident: you detect an incident in your organization and classify it according to a set of criteria (you can consider minor incident, major incident, etc.).
    b.- Treatment of the incident: depending on the type of incident, you need to perform actions to resolve it (when the incident is resolved, you can close it).
    c.- Learning from incidents: after the incident is resolved, you can learn how it was resolved and record all the information for a possible similar incident in the future.
    d.- Collection of evidence: finally, all the information recorded about the incident can be useful as evidence in legal and other possible proceedings. 
    Regarding Business Continuity Management, there is a standard that can help you implement a BCMS (Business Continuity Management System) in your organization. This standard is ISO 22301, and you can find more information about it here “What is ISO 22301?” : https://advisera.com/27001academy/what-is-iso-22301/
    And with this free webinar you can see an overview of the BCM implementation process “ISO 22301: An overview of the BCM implementation process” : https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
  • After getting the management involved


    How are you? I am a young CISO aware of the benefits of ISO 27001 and would like to implement it in my bank. We have never used an ISMS yet; I need your advice to know which steps are important right after getting the management involved. We have 200 people working here and, as a bank, which process would you advise me to start from? Thank you very much
     

    Answer:

    After getting the management involved, you need to develop a project plan, because you need to think of the implementation of ISO 27001 as a project. So, this article may be interesting for you “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    And regarding management support, this free webinar may also be interesting for you “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • Documentation to redesign a support model


    I'm trying to find the best documentation to help me redesign a support model for a company. The end users are external customers and the current L1 and L2 teams are more product specialists in their area; mind you, L1 does make coffee and put out lunch for customers! Do you have anything that could help? 
     

    Answer:

    We only have documents for the implementation of ISO 27001 (and ISO 22301), and these standards are not specifically designed for a support model, although you can look at this template “Incident Management Procedure” : https://advisera.com/27001academy/documentation/incident-management-procedure/, and this one “Operating Procedures for Information and Communication Technology” : https://advisera.com/27001academy/documentation/security-procedures-for-it-department/, which are related to IT support (but remember that ISO 27001 is focused on the protection of information). You can see a free version of each document by clicking on the “Free Demo” tab.
    Anyway, in your case, the standard that I think can help you, because it is related to the management of IT services (and their support), is ISO 20000. Here you can find information about this standard “What is ISO 20000? Learn why ISO 20000 can benefit your organization” : https://advisera.com/20000academy/what-is-iso-20000/
  • Is the SoA considered public?


    "Is the SoA considered public? It specifies which controls have been implemented and verified in the certificate. It seems to me that the 27001 certificate is useless if you don't have access to the SoA that was used."

     

    Answer:

    Generally the SoA is not considered a public document, because it can contain internal information about the organization (for example, it can contain references to internal documents), so my recommendation is that you treat this document as “Internal use” or “Restricted”. There are various types of information; here you can see them “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    And from my point of view, external people do not need to have access to the SoA (with some exceptions, for example auditors); keep in mind that the certificate is issued by a certification body, which has reviewed the SoA during the certification audit process.
    Finally, this article about the importance of the Statement of Applicability can be interesting for you “The importance of Statement of Applicability for ISO 27001” : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Semi quantitative

    An easy example of a semi-quantitative method:

    Likelihood

    0-40% - Low

    40-60% - Medium

    60-100% - High

    Note that I use a scale of numerical values (0-100%), but for each range I use a qualitative value.
  • Assets, risks and legal requirements


    Couple of questions for you, as I’m trying to gather as much information as possible before we have the templates.
    1. What level of assets do we need to go down to on the Inventory of assets, e.g. computers, servers, phones, etc.?
    2. What is the breakdown required on the List of risks?
    3. Do you have any recommendations on where to find the list of legal, regulatory, contractual and other requirements?
     

    Answers:

    Point 1: The standard does not establish the level of assets that you need to go down to (and in the new ISO 27001:2013 the identification of assets is not required in your methodology, but we recommend that you keep this approach). You can identify them by categories (Hardware, Software, etc.), and I think this article may be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    Point 2: The same as the previous point: the standard does not establish the level of detail for the list of risks. Here you will find 6 easy steps to perform the risk assessment & treatment “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    Point 3: Yes, sure. You can start with the identification of interested parties, and to do this you can read this article “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// After this, you need to identify all the laws that apply in your country, especially those related to IT. To do this, you can use this list of laws and regulations on information security and business continuity “Laws and regulations on information security and business continuity” : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
  • Book for ISO 27001:2013


    Regarding the training webinar: https://advisera.com/training/iso-27001-lead-auditor-course/
    I am looking for a good book on ISO 27001 v2013 to prepare for the lead auditor exam; do you have that?

     

    Answer:

    No, I am sorry, we do not have this. Generally the certification bodies have books about the standards that they certify (BSI, Bureau Veritas, etc.), so maybe you can find something on their websites related to ISO 27001:2013. But keep in mind that our free webinar can be enough for preparing for the exam.
    Anyway, we have a free ebook related to cybersecurity that may also be interesting for you; you can download it from here “9 steps to cybersecurity” : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/