  • ISMS Manual


    I am sending this email to ask you about the changes in the ISMS Manual based on the ISO 27001:2013 version. We have developed an ISMS manual based on the 2005 version but are now migrating to 2013.
    Q1: Is it required to modify the whole ISMS manual, as the requirements in the ISO 27001:2013 version are quite different from ISO 27001:2005 (e.g. the 2005 version is developed using the PDCA approach, but 2013 doesn't say anything about it, though we're using the same approach)?
    Q2: Do we need to update the manual using the same chapter names as in 2013?

    Answer:

    Point Q1: The ISO 27001 Manual really is not necessary; I mean, it is not a mandatory document. You can see all mandatory documents in this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    This article can also be interesting for you: “Is the ISO 27001 Manual really necessary?”: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
    About your question related to the PDCA: it is not expressly displayed in the standard, but it is in it. Please read this article “Has the PDCA Cycle been removed from the new ISO standards?”: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
    Point Q2: Although the Manual is not mandatory, you can maintain it if you want. In this case, I think that the right way is to adapt it to the structure of the new standard (see the clauses in the article above).
  • Plan for the implementation of procedures and controls


    My Customer is requesting a documented plan for the implementation of procedures and controls. What kind of document should that be?
     

    Answer:

    You can use this brief step-by-step guide for the implementation of procedures and controls, “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    You can also use our free resource “Project checklist for ISO 27001 implementation (MS Word)”. You can find it in our free downloads section: https://advisera.com/27001academy/free-downloads/
  • Application service transactions


    14.1.3 – ISO 27001 – Application service transactions and their controls... Based on the 2013 version and the new control definition, I think it's no longer about e-commerce, but a much wider application service banner.
    Please let me know what "Application service transactions" means. I tried doing some googling but didn't get much.

    Answer:

    Application service transactions generally means any transaction that involves the interchange of information through a network between two applications: for example, as you know, e-commerce, but also financial transactions between banks, or between an entity and a bank; database transactions (for example, two databases that synchronize information over the Internet); or an ERP that is connected to an external site where it sends or receives information.
    Anyway, remember that it is not necessary to have a specific document for this control. If you want to know the list of mandatory documents required by ISO 27001:2013, please read this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Compliance with points 7.1 and 8.1 of the standard


    One additional favour: for compliance with points 7.1 and 8.1 of the standard, what kind of evidence is generally used to meet this requirement?

    Answer:

    Regarding point 7.1: You need evidence of the resources the company has for establishing, implementing, maintaining and continually improving the ISMS. Therefore, you need records about people: competences (for example, job profiles), awareness (for example, records of attendance at courses); financial resources (budgets); IT resources (capacity plans), etc.
    Regarding point 8.1: You need records of the approval of the information security objectives, the project plan and outsourced processes, and you also need records of the approval of any changes to these.

    Finally, this article about the documents and records that are mandatory (and not mandatory) may be interesting for you, "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
  • Download controls


    ISO 27001:2013: how can I download the 14 controls? I want the controls with descriptions.

    Answer:

    There are 114 controls structured in 14 domains; here you can see an overview of them, “Overview of ISO 27001:2013 Annex A”: https://advisera.com/27001academy/iso-27001-controls/
    And sorry, but we do not have a description of each control, because you can see this information in the ISO 27001 standard. Furthermore, we cannot give the full text of the controls because this would infringe intellectual property rights. So, you can buy the standard here: https://www.iso.org/standard/54534.html
    Anyway, the Statement of Applicability covers the applicability of each control, so this document can also be interesting for you. You can see it here (see a free version of the document by clicking on the “Free Demo” tab), “Statement of Applicability”: https://advisera.com/27001academy/documentation/statement-of-applicability/
  • Standards for data centers


    I need information about the ANSI/TIA-942 standard; can you help me with this?

    Answer:

    We do not have much information about ANSI/TIA-942; I only know that it is related to data centers, but I do not know many companies in the world with this certification.

    The ISO standard most related to data centers, because it is focused on IT service management, is ISO 20000. So, if you are interested in this ISO, you can visit our blog: https://advisera.com/20000academy/
    And here you can learn more about ISO 20000, "What is ISO 20000?": https://advisera.com/20000academy/es/que-es-iso-20000/
  • “Information Security Policy” or “ISMS Policy”?


    Answer:

    ISO 27001:2013 defines that the top-level policy should be called "Information Security Policy", however the old 2005 revision of ISO 27001 called this document "ISMS Policy".

    See also this article: One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
  • How RTO is calculated


    I would like to know how RTO is calculated with the BIA toolkit.

     

    Answer:

    As you know, RTO is determined during the business impact analysis (BIA), so this article can be interesting for you “How to implement business impact analysis (BIA) according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    And also the tutorial “How to Implement Business Impact Analysis According to ISO 22301 and BS 25999-2” : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Advise clients to implement ISO 22301


    How should I advise clients to begin adopting / implementing 22301?
     

    Answer:

    It is a good question. First of all, your clients need to see the benefits of the implementation/certification of the standard, so you will need a brief presentation (talking about compliance, marketing edge, lowering expenses, optimizing business processes, etc.). And remember that it is very important to talk with top management, because they are the people who will approve the project.
    Maybe this article can be interesting for you: “ISO 22301 benefits: How to get your management’s approval for a business continuity project”: https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
    Finally, this article can also be interesting for you, "17 steps for implementing ISO 22301": https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso- 22301/
    And also this free ebook, "Becoming Resilient: The Definitive Guide to ISO 22301 Implementation": https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/