Our company is a small call center. We are interested in accreditation under the ISO standards, in this case ISO 27001, since when our clients request our services they ask for plans, policies and procedures for the protection of their information. For that reason we want to be accredited and thereby be able to offer the best possible service.
It should be noted that we are not yet accredited under ISO 9001; in fact, we are also looking at starting the process for that accreditation.
My question is whether it is better to wait until we are accredited under the Quality Management System before starting the ISO 27001 process.
Answer:
If you want to certify ISO 27001, you can do it without ISO 9001. I mean, ISO 9001 is not necessary to implement ISO 27001, although it can be one path, because both standards have many points in common. In any case, I think that if you are clear that your business needs ISO 27001, the best option for you is to implement ISO 27001 directly, without ISO 9001.
Do the requirements/business related to information security need to be identified?
Do the requirements/business related to information security need to be identified? Or only the customer name?
If, let's say, I have 100+ customer contracts or more, do I need to identify all of them to find which requirements are related to information security? That looks like a lot.
Answer:
If you have standardized contracts with your customers, and therefore the same security clauses in each contract, you can list all the customers as one item only, specifying the security clauses. If not, you need to identify the names of your customers (only those that are relevant) and the requirements for each one (but only requirements relevant to information security). This is so because the standard establishes in clause 4.2 a) that the organization shall determine interested parties that are relevant to the ISMS, and in clause 4.2 b) that the organization shall determine the requirements of these interested parties.
I think that if you consider only the clients that are relevant to the ISMS (think only of those which can influence the security of the information within your ISMS scope), you can reduce your list.
Remember that we have a procedure for the identification of requirements that can help you. You can see a free version by clicking on the Free Demo tab here: Procedure for Identification of Requirements: https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
Risk Assessment and Risk and Control Self-Assessment
What do you mean by Risk Assessment (RA)? Is it the same as Risk and Control Self-Assessment (RCSA)?
Answer:
In accordance with the definition in "ISO 27000:2012 Overview and vocabulary", Risk Assessment is: the overall process of risk identification, risk analysis and risk evaluation. However, RCSA basically provides a complete method for the identification, analysis, evaluation and treatment of risks.
So, when we talk about risk assessment (which includes identification, analysis and evaluation), we also need to talk about risk treatment, because both things are necessary in a methodology for the management of risks, but they are different things. For more information please read this article: ISO 27001 risk assessment & treatment: 6 basic steps: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
So, risk assessment is not the same as RCSA. A methodology which defines the risk assessment & risk treatment provides the same things which RCSA provides for the management of risks (identification, analysis, evaluation, treatment).
Use of logo
I would like to ask you about 'Use of Logo' in ISO 27001:2013. Actually, we're scheduled for our Final Surveillance/Transition audit in a week's time and I received the audit plan from the Auditor. This is what he has mentioned in the audit plan:
ISMS Transition
ISMS Elements (Management Review, Internal Audit, Risk Management, Use of Logo, Corrective Action) and Discussion of all outstanding issues from previous visits.
I would like to know what this 'Use of Logo' is, as I didn't find such a thing in ISO 27001:2013 (maybe I missed it). What controls are related to this, and how can we ensure compliance with this ISMS element?
Answer:
Use of logo is something the auditors must check during the surveillance visit: they need to check if the certification logo for the ISO 27001 certificate was used in appropriate places. For example, if only the IT department was ISO 27001 certified, your company cannot use the certification logo in the context of, e.g., the manufacturing facility.
Maybe this article about the questions that an auditor can ask you in the audit can be interesting for you: Which questions will the ISO 27001 certification auditor ask?: https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
You can also review this implementation checklist to check your implementation: ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Mandatory documents
Can you expound on the 4 mandatory procedures that ISO 27001 requires and how to build them?
I had a few questions regarding ISMS Objectives. So our company recently completed the Stage I audit for ISO 27000, and the auditor pointed out that in our objectives we need to include Solution Development and BCP,
and I'm really not getting how we would be able to include those. Could you help me out a bit? And also he pointed out that we need to provide appropriate objectives for CIA.
Answer:
Usually, the objectives are set at two levels: 1) the general ISMS level, and 2) the security controls. For point 1) you can use an Information Security Policy. And for point 2), because it is related to the security controls, you can use the Statement of Applicability. You can see a free version of this document by clicking on the Free Demo tab here: Statement of Applicability: https://advisera.com/27001academy/documentation/statement-of-applicability/
And from my point of view, objectives need to be established by the organization; the auditor can only make a recommendation to you.
Regarding Solution Development, I am not sure what it means, but objectives need to be related to information security, and if development is in the scope of the ISMS (if not, it makes no sense), you can define as an objective, for example, the implementation of a code of best practices to improve secure coding (point 2, because it is related to controls). You can see our Secure Development Policy here (remember that you can see a free version by clicking on the Free Demo tab): Secure Development Policy: https://advisera.com/27001academy/documentation/secure-development-policy/
Regarding the BCP (Business Continuity Plan), you can include as an objective (point 2): improve and reduce the times to recover the IT infrastructure (I assume that you have a BCP or a DRP in your business).
Regarding the CIA, you can define as an objective (point 1, because it is related to the general ISMS level): improve the confidentiality of the interchange of information, increase the availability of the information and ensure the integrity of the information.
Finally, this article can be interesting for you: ISO 27001 control objectives: Why are they important?: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Residual risks
1.- Curious to know if the aim is generally to reduce residual risk or to absorb the costs of impacts that could not be mitigated. Are these the same things in your view?
2.- I was just appreciating this live chat feature. Very interesting approach. Is this supported by ISO as a regular function?
3.- Also useful to know if you are familiar with the Sendai Framework for Disaster Risk Reduction, which was just adopted by all UN member states with full engagement of the private sector.
Answer:
Point 1:
The important thing here is to reduce the risk to an acceptable level, not the residual risk (residual risk is the reduced risk after you apply controls, reducing impact and/or probability). So, from my point of view they are different things, because you need to keep in mind the acceptable level of risk. If you need more information about residual risk, please read this article: Why is residual risk so important?: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Point 2:
Thank you! We are really glad you like our chat feature. Could you please explain what you mean by "is the chat a regular function supported by ISO"?
Point 3:
No, I am sorry, we do not have information about this framework; keep in mind that we have our own toolkit. If you are interested in risks, you can see a free version of our methodology here by clicking on the Free Demo tab: Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/ . You can also see our Disaster Recovery Plan: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
Audit of the area of operations
Can you provide information on the steps for an IT security audit of the area of operations?
Answer:
Yes, sure, this article can be interesting for you: How to make an Internal Audit checklist for ISO 27001 / ISO 22301: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
When you perform an internal audit, you need to review all areas that are in the scope of the ISMS, including operations if necessary (from my point of view, it is very important to visit the data center). But keep in mind that the Internal Auditor does not need to perform a pentest or a vulnerability analysis; this job is for an ethical hacker.
Secure System Engineering Principles
If in your Software Development Life Cycle you have defined that security is in place in the phases of development (requirements, design, coding, testing, operation), it can be enough for ISO 27001 (questions about security in the requirements phase, risk assessment during the design phase, secure code during the coding phase, etc.).
I just thought I should reach out with some questions on the ISO 27001 Annex A controls for which I am having a hard time making a clear-cut distinction about what will suffice as the Plan, Do, Check and Act.
It is clear enough for some, while some just get me pulling my hair. Some of the controls I am finding challenges with, for which I am seeking your expertise, are:
A.8.1.2 (Ownership of assets)
A.12.1.4 (Separation of development, testing and operational environments)
A.14.1.2 (Securing application services on public networks)
A.14.1.3 (Protecting application services transactions)
Just a point of note, Dejan: we have an understanding of what is technically required, done and being done.
What is tricky again is the fact that some of the Do look more like the Plan, and some are just tricky to prove how they are checked.
Answer:
First of all, remember that the implementation of controls is performed after the risk assessment. So, the difference between Plan, Do, Check and Act is:
Plan: You establish a plan for the implementation of controls, that is, you need a treatment plan (you will need to identify necessary tasks, resources, deadlines, etc.).
Do: You implement the controls according to the plan.
Check: You check if the controls are implemented correctly (for example, through the internal audit).
Act: If after checking the controls you identify something wrong, you need to perform actions to correct and improve it.
A.8.1.2 (Ownership of assets): Example of asset: a server. Who can be the owner? An administrator of the server.
A.12.1.4 (Separation of development, testing and operational environments): You have an independent virtual machine for development, another for testing and another for production.
A.14.1.2 (Securing application services on public networks): You have on your website an access for employees who can connect from their homes. This connection needs to be done through a secure channel (IPsec, SSL, etc.).
A.14.1.3 (Protecting application services transactions): Transactions between applications (databases, ERPs, etc.) need to go through a secure channel (IPsec, SSL, etc.).
So, in this case, after the risk assessment, if you need to implement one of these controls, you need: a. a plan to implement them, b. to implement actions according to the plan, c. to check the implementation of the controls, d. to take actions if needed.
Finally, maybe this article can be interesting for you: Has the PDCA Cycle been removed from the new ISO standards?: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/