Do you by chance know how I can tell which legislations or Acts my organization is subject to? Examples: Intellectual Property Rights, Protection of Organizational Records, Data Protection and Privacy of Personal Information, Prevention of Misuse of Information Processing Facilities, Regulation of Cryptographic Controls.
Answer:
The legislation that your organization is subject to depends on the country where your organization is based. Anyway, there are laws common to all countries related to information security (at least in Europe), for example laws related to the protection of personal data, intellectual property, electronic signatures, etc. To learn more about the laws and regulations in each country, please see this article Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Mandatory documents
I need to develop an Operational Security & Intelligence Plan for a company in my country. Do you have a template? Can you help me? Thanks.
Answer:
I am sorry, but we do not have this specific template. Keep in mind that we work with all the mandatory documents for the implementation of ISO 27001 (and some non-mandatory documents), and this plan is not necessary. You can see a list of the mandatory (and non-mandatory) documents here List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Lead Auditor Courses
We have received this question:
Would like to know about lead auditor courses and how to get training. ISO 27001
Answer:
Sure, there are courses to become a Lead Auditor. For example, all certification bodies (BSI, Bureau Veritas, etc.) have one for this. If you are interested in becoming a Lead Auditor, this article can be interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
Remember that after the course you will need to pass an exam, so this free webinar can also be interesting for you ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/
Risk Approach in ISO 27001:2013
You are right, as I said in my previous message, ISO 27005 and ISO 31000 have the same structure; ISO 27005 even refers to the structure of the risk management process of ISO 31000, because it is more global and generic. But if you work only with risks related to information security, ISO 27005 is much better, because you can find in it things that ISO 31000 does not have, for example a catalogue of threats and vulnerabilities for information security.
For the identification of issues, basically you need to identify internal and external issues. For internal issues, you must make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, and determine resources, information security roles and responsibilities, and capabilities. For external issues you simply need to identify interested parties. Anyway, for more information about this, you can read this article "Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)" : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
And also this article can be interesting for you "How to identify interested parties according to ISO 27001 and ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
Regarding your second question, I agree with you that ISO 31000 can be very helpful if you need a generic methodology (not only based on information security), and ISO 27005 talks about assets because it was developed for ISO 27001:2005. I suppose that the next version of ISO 27005 will be aligned with ISO 27001:2013.
Differences between ISO 27001:2013 and PCI DSS
Can you explain to me the difference between ISO 27001:2013 and PCI DSS? The exact difference.
Answer:
There are many differences between the two, but there are also many similarities. You can see them in this article PCI-DSS vs. ISO 27001 Part 1 Similarities and Differences : https://advisera.com/27001academy/knowledgebase/pci-dss/
Standard that requires a surveillance audit
Is there a standard that requires a surveillance audit to be conducted once a year, or is it the decision of the certification body?
Answer:
ISO 17021 is a standard that establishes requirements for bodies providing audit and certification of management systems. This standard establishes that the surveillance audit shall be conducted at least once a year. In some cases it is performed twice a year (depending on the certification body and the company). Anyway, basically there are 3 types of audit for all ISO standards:
A - First initial certification audit: It is performed only in the first year.
B - The surveillance audit: It is performed only after the first initial certification audit, and generally it is performed once a year, or in some cases twice a year.
C - The recertification audit: It is performed only after the first initial certification audit and the surveillance audits, when the certificate expires after 3 years.
I just need your assistance on developing a communication procedure at my company, so I wanted to know if you can assist or refer me to online material that can help me.
Do we need to make a business continuity procedure or documents if we just want to have the ISO 27001 certificate? Because every time I study ISO 27001, business continuity is there in the discussion.
Answer:
ISO 27001 talks about business continuity, and it is an important point in Annex A of the standard (domain "A.17 Information security aspects of business continuity management"). But you can implement only a Disaster Recovery Plan (DRP) as a minimum to be compliant with A.17.1.2 and A.17.2.1 of ISO 27001:2013, which is more related to the recovery of the IT infrastructure. Finally, keep in mind that your DRP should be based on the results of the risk assessment.
To see the differences between the Business Continuity Plan and the Disaster Recovery Plan in more detail, you can see this article Disaster recovery vs Business continuity : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
And also our template Disaster Recovery Plan can be interesting for you : https://advisera.com/27001academy/documentation/disaster-recovery-plan/
Check controls
How often should the security controls be check-listed?
Answer:
You can check your list of controls as many times as you like in one year, but as a minimum you can check this list once a year in the internal audit. To perform this check, you can use the Statement of Applicability, because it contains the applicability of all controls.
By the way, if you need information about how to make an Internal Audit, this article can be interesting for you How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Inventory of assets
I have been tasked by my county government employer to formulate and draft an asset management policy from scratch, and I have no idea where to start.
Kindly send me samples for cities in Africa, Europe and North America, etc., for comparison, and then advise on where to start and the road map, key milestones and any other information you think I might need.
Answer:
I am sorry, but we work only with documents that are mandatory for the implementation of ISO 27001 (and ISO 22301), and it is not mandatory to have an asset management policy. A mandatory document is the inventory of assets, and I think that this article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Also, if you want to see the list of mandatory documents, you can see this List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Anyway, I think that you can use the first article to write your own asset management policy, identifying requirements and establishing them in your policy. For example: assets can be hardware, software, information, etc.
Transition course
May I ask if there is a transition course for Auditors/Lead Auditors from ISO 27001:2005 to ISO 27001:2013?