I had a few questions regarding ISMS Objectives. So, our company recently completed the Stage I audit for ISO 27000, and the auditor pointed out that in our objectives we need to include Solution Development and BCP,
and I'm really not getting how we would be able to include those. Could you help me out a bit? And also he pointed out that we need to provide appropriate objectives for CIA.
Answer:
Usually, the objectives are set at two levels: 1) the general ISMS level, and 2) the security controls. For point 1) you can use an Information Security Policy, and for point 2), because it is related to the security controls, you can use the Statement of Applicability. You can see a free version of this document by clicking on the Free Demo tab here: Statement of Applicability: https://advisera.com/27001academy/documentation/statement-of-applicability/
And from my point of view, objectives need to be established by the organization; the auditor can only make a recommendation.
Regarding Solution Development, I am not sure what it means, but objectives need to be related to information security, and if development is in the scope of the ISMS (if not, it makes no sense), you can define as an objective, for example, the implementation of a code of best practices to improve secure coding (point 2, because it is related to controls). You can see our Secure Development Policy here (remember that you can see a free version by clicking on the Free Demo tab): Secure Development Policy: https://advisera.com/27001academy/documentation/secure-development-policy/
Regarding the BCP (Business Continuity Plan), you can include as an objective (point 2): improve and reduce the time to recover the IT infrastructure (I assume that you have a BCP or a DRP in your business).
Regarding the CIA, you can define as objectives (point 1, because it is related to the general ISMS level): improve the confidentiality of the interchange of information, increase the availability of the information and ensure the integrity of the information.
Finally, this article can be interesting for you: ISO 27001 control objectives: Why are they important?: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Residual risks
1.- Curious to know if the aim is generally to reduce residual risk or to absorb the costs of impacts that could not be mitigated. Are these the same things in your view?
2.- I was just appreciating this live chat feature. Very interesting approach. Is this supported by ISO as a regular function?
3.- Also useful to know if you are familiar with the Sendai Framework for Disaster Risk Reduction that was just adopted by all UN member States with full engagement of the private sector.
Answer:
Point 1:
The important thing here is to reduce the risk to an acceptable level, not the residual risk (residual risk is the risk that remains after you apply controls, reducing impact and/or probability). So, from my point of view these are different things, because you need to keep in mind the acceptable level of risk. If you need more information about the residual risk, please read this article: Why is residual risk so important?: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Point 2:
Thank you! We are really glad you like our chat feature. Could you please explain what you mean by "is the chat a regular function supported by ISO"?
Point 3:
No, I am sorry, we do not have information about this framework; keep in mind that we have our own toolkit. If you are interested in risks, you can see a free version of our methodology here by clicking on the Free Demo tab: Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/ . Also you can see our Disaster Recovery Plan: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
Audit to the area of operations
Can you provide information on the steps for an IT security audit of the area of operations?
Answer:
Yes, sure, this article can be interesting for you: How to make an Internal Audit checklist for ISO 27001 / ISO 22301: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
When you perform an internal audit, you need to review all areas that are in the scope of the ISMS, including operations if necessary (from my point of view, it is very important to visit the data center). But keep in mind that the Internal Auditor does not need to perform a pentest or an analysis of vulnerabilities; this job is for an ethical hacker.
Secure System Engg Principles
If in your Software Development Life Cycle you have defined that security is in place in the phases of development (requirements, design, coding, testing, operation), it can be enough for ISO 27001 (questions about security in the requirements phase, risk assessment during the design phase, secure code during the coding phase, etc.).
I just thought I should reach out with some questions on the ISO 27001 Annex A controls for which I am having a hard time making a clear cut difference on what will suffice as the Plan, Do, Check and Act.
It is clear enough for some while some just get me pulling my hair. Some of the control I am finding challenges with for which I am seeking your expertise are:
A.8.1.2 (Ownership of assets)
A.12.1.4 (Separation of development, testing and operational environments)
A.14.1.2 (Securing application services on public networks)
A.14.1.3 (Protecting application services transactions)
Just a point of note, Dejan: we have an understanding of what is technically required, and it is being done.
What is tricky again is the fact that some of the Do look more like the Plan, and some are just tricky to prove how they are checked.
Answer:
First of all, remember that the implementation of controls is performed after the risk assessment. So, the difference between Plan, Do, Check and Act is:
Plan: You establish a plan for the implementation of controls, that is, you need a treatment plan (you will need to identify necessary tasks, resources, deadlines, etc.).
Do: You implement the controls according to the plan.
Check: You check if the controls are implemented correctly (for example, through the internal audit).
Act: If after checking the controls you identify something wrong, you need to perform actions to correct and improve it.
A.8.1.2 (Ownership of assets): Example of asset: a server. Who can be the owner? An administrator of the server.
A.12.1.4 (Separation of development, testing and operational environments): You have an independent virtual machine for development, another for testing and another for production.
A.14.1.2 (Securing application services on public networks): You have on your website an access point for employees who can connect from home. This connection needs to be made through a secure channel (IPSEC, SSL, etc.).
A.14.1.3 (Protecting application services transactions): Transactions between applications (databases, ERPs, etc.) need to go through a secure channel (IPSEC, SSL, etc.).
So, in this case, after the risk assessment, if you need to implement one of these controls, you need: a. a plan to implement them, b. to implement actions according to the plan, c. to check the implementation of the controls, d. to take actions if needed.
Finally, maybe this article can be interesting for you: Has the PDCA Cycle been removed from the new ISO standards?: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
What is ISO 27001
What are the rules of ISO 27001?
Answer:
Here you can see information about the elements that ISO 27001 is made up of. You have to click on the section "¿Cómo es?" ("What is it like?") on the following page, "¿Qué es norma ISO 27001?": https://advisera.com/27001academy/es/que-es-iso-27001/
I am keen on taking some Security Audit Certifications. One that I have come to know of is ISO27001 / CISA. I am sure there would be other courses too which can help me boost my career profile.
1. May I request your expert Advisors to guide me on the same so that I can make a decision and start.
2. What are the differences between ISO 27001 Lead Auditor,ISO 27001/IT auditors & ISO 27001/information security consultants ?
Answer:
Point 1: Yes, you can arrange a 30-minute free consultation with our expert: https://advisera.com/27001academy/consultation/ Anyway, one important thing is that "computer security" (more related to the technology) is not the same as "information security" (more related to management). So, ISO 27001 and CISA are certifications related to information security, but if you are interested in computer security, maybe CEH (Certified Ethical Hacker) or CPTE (Certified Penetration Testing Engineer) can be interesting for you. Anyway, regarding ISO 27001 and CISA, this article can be interesting for you: CISA vs. ISO 27001 Lead Auditor certification: https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
Generally, ISO 27001 Lead Auditor is easier and can help you to learn basic concepts about information security, so my recommendation is that you start with this. In this case, please read this article: How to become ISO 27001 Lead Auditor: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
Point 2: IT auditors are more related to technology; remember, for example, CEH and CPTE. Regarding ISO 27001 Lead Auditor or consultants, please read this article: Lead Auditor Course vs. Lead Implementer Course: Which one to go for?: https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
More information about ISO 27001
Where can I find a new or latest blog for mandatory procedures for ISMS according to the new version, which is ISO 27001:2013? It's better to remove the old version, because I was about to follow that, and I just looked at the date, which was 2010. I am just trying to implement this standard along with 9001 in a company, and this website is really helpful.
I would like to know that 'Information Security in Project Management (A.6.1.5)' should be part of which policy/procedure document? I read the blog but didn't get any information related to that.
Answer:
It should be part of the project plan, or also of the security policy, although it is not established in the standard and is only a recommendation. Anyway, it is not mandatory to have a document for this control; you can see the list of mandatory documents here: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Anyway, for more information about security in project management, please read this article: How to manage security in project management according to ISO 27001 A.6.1.5: https://advisera.com/27001academy/what-is-iso-27001/