
  • Audit to the area of operations


    Can you provide information on the steps for an IT security audit of the area of operations?
     

    Answer:

    Yes, sure, this article can be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    When you perform an internal audit, you need to review all areas that are in the scope of the ISMS, including operations if necessary (from my point of view, it is very important to visit the data center). But keep in mind that the Internal Auditor does not need to perform a pentest or a vulnerability analysis; this job is for an ethical hacker.
  • Secure System Engg Principles

    If in your Software Development Life Cycle you have defined that security is in place in the phases of development (requirements, design, coding, testing, operation), it can be enough for ISO 27001 (questions about security in the requirements phase, risk assessment during the design phase, secure code during the coding phase, etc.).

    This webinar about ISO 9001 and ISO 27001 can be interesting for you: "ISO 27001 implementation: How to make it easier using ISO 9001": https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/ . And also this article: "Using ISO 9001 for implementing ISO 27001": https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    Finally, we have a template for this control, "14.2.5 Secure system engineering principles", that can help you (you can see a free version by clicking on the "Free Demo" tab): "Secure Development Policy": https://advisera.com/27001academy/documentation/secure-development-policy/
  • PDCA and security controls


    I just thought I should reach out with some questions on the ISO 27001 Annex A controls for which I am having a hard time making a clear-cut difference on what will suffice as the Plan, Do, Check and Act.
    It is clear enough for some, while some just get me pulling my hair. Some of the controls I am finding challenges with, for which I am seeking your expertise, are:
    A.8.1.2 (Ownership of assets)
    A.12.1.4 (Separation of development, testing and operational environments)
    A.14.1.2 (Securing application services on public networks)
    A.14.1.3 (Protecting application services transactions)
    Just a point of note, Dejan: we have an understanding of what is technically required to be done, and it is being done.
    What is tricky again is the fact that some of the “Do” look more like the “Plan”, and some are just tricky to prove how they are “checked”.
     

    Answer:

    First of all, remember that the implementation of controls is performed after the risk assessment. So, the difference between Plan, Do, Check, Act is:

    Plan: You establish a plan for the implementation of controls, that is, you need a treatment plan (you will need to identify necessary tasks, resources, deadlines, etc.).
    Do: You implement the controls according to the plan.
    Check: You check if the controls are implemented correctly (for example, through the internal audit).
    Act: If after checking the controls you identify something wrong, you need to perform actions to correct and improve it.

    So, 1. you need to perform the risk assessment, and 2. you need to perform the risk treatment. If you want more information about it, please read this article: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    About the controls, I will give you an example:

    A.8.1.2 (Ownership of assets): Example of asset: a server. Who can be the owner? An administrator of the server.
    A.12.1.4 (Separation of development, testing and operational environments): You have an independent virtual machine for development, another for testing and another for production.
    A.14.1.2 (Securing application services on public networks): You have on your website an access point for employees who can connect from home. This connection needs to be made through a secure channel (IPSEC, SSL, etc.).
    A.14.1.3 (Protecting application services transactions): Transactions between applications (databases, ERPs, etc.) need to be made through a secure channel (IPSEC, SSL, etc.).

    So, in this case, after the risk assessment, if you need to implement one of these controls, you need: a. a plan to implement them, b. to implement actions according to the plan, c. to check the implementation of the controls, d. to take actions if needed.
    Finally, maybe this article can be interesting for you: “Has the PDCA Cycle been removed from the new ISO standards?”: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
  • What is ISO 27001


    What are the rules of ISO 27001?

     

    Answer:

    Here you can see information about the elements that make up ISO 27001. You have to click on the section "¿Cómo es?" on the following page, "¿Qué es norma ISO 27001?": https://advisera.com/27001academy/es/que-es-iso-27001/

    And if you are interested in implementing the standard in your organization, this article may be interesting for you (in English): “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Security certifications


    I am keen on taking some Security Audit Certifications. One that I have come to know of is ISO 27001 / CISA. I am sure there would be other courses too which can help me boost my career profile.
    1. May I request your expert advisors to guide me on the same so that I can make a decision and start?
    2. What are the differences between ISO 27001 Lead Auditor, ISO 27001/IT auditors and ISO 27001/information security consultants?
     

    Answer:

    Point 1: Yes, you can arrange a 30-minute free consultation with our expert: https://advisera.com/27001academy/consultation/ Anyway, one important thing is that "computer security" (more related to technology) is not the same as "information security" (more related to management). So, ISO 27001 and CISA are certifications related to information security, but if you are interested in computer security, maybe “CEH (Certified Ethical Hacker)” or “CPTE (Certified Penetration Testing Engineer)” can be interesting for you. Anyway, regarding ISO 27001 and CISA, this article can be interesting for you: “CISA vs. ISO 27001 Lead Auditor certification”: https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
    Generally, ISO 27001 Lead Auditor is easier and can help you to know basic concepts about information security, so my recommendation is that you start with this. In this case, please read this article: “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    Point 2: IT auditors are more related to technology; remember, for example, CEH and CPTE. Regarding ISO 27001 Lead Auditor or consultants, please read this article: “Lead Auditor Course vs. Lead Implementer Course – Which one to go for?”: https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • More information about ISO 27001


    Where can I find the new or latest blog for mandatory procedures for ISMS according to the new version, which is ISO 27001:2013? It's better to remove the old version, because I was about to follow that, and I just looked at the date, which was 2010. I am just trying to implement this standard along with 9001 in a company and this website is really helpful.
     

    Answer:

    Regarding the question about mandatory procedures in ISO 27001:2013, you can read this article: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    All the information that you can find in our blog is in accordance with ISO 27001, although some articles are more recent. You can see the latest here: https://advisera.com/27001academy/blog/
    Regarding the question about ISO 9001 and ISO 27001, this article can be interesting for you: “Using ISO 9001 for implementing ISO 27001”: https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    Finally, keep in mind that ISO 9001 is being updated, and the final version is expected by the end of 2015. The structure of the new ISO 9001:2015 is more similar to ISO 27001:2013, so it will probably be easier to implement both. I think that in this webinar you can find information about this: “ISO 27001 implementation: How to make it easier using ISO 9001”: https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Information Security in Project Management


    I would like to know which policy/procedure document 'Information Security in Project Management (A.6.1.5)' should be part of. I read the blog but didn't get any information related to that.
     

    Answer:

    It should be part of the project plan, or also of the security policy, although this is not established in the standard and is only a recommendation. Anyway, it is not mandatory to have a document for this control; you can see the list of mandatory documents here: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Anyway, for more information about security in project management, please read this article: “How to manage security in project management according to ISO 27001 A.6.1.5”: https://advisera.com/27001academy/what-is-iso-27001/
  • ISMS Manual


    I am sending this email to ask you about the changes in the ISMS Manual based on the ISO 27001:2013 version. We have developed an ISMS manual based on the 2005 version but are now migrating to 2013.
    Q1: Is it required to modify the whole ISMS manual, as the requirements in the ISO 27001:2013 version are quite different from ISO 27001:2005 (e.g. the 2005 version is developed using the PDCA approach but 2013 doesn't talk about it at all, though we're using the same approach)?
    Q2: Do we need to update the manual using the same chapter names as in 2013?
     

    Answer:

    Point Q1: The ISO 27001 Manual really is not necessary, I mean, it is not a mandatory document. You can see all mandatory documents in this article: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    This article can also be interesting for you: “Is the ISO 27001 Manual really necessary?”: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
    About your question related to the PDCA, it is not expressly mentioned in the standard, but it is in it. Please read this article: “Has the PDCA Cycle been removed from the new ISO standards?”: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
    Point Q2: Although the Manual is not mandatory, you can maintain it if you want. In this case, I think that the right way is to adapt it to the structure of the new standard (see the clauses in the article above).
  • Plan for the implementation of procedures and controls


    My Customer is requesting a documented plan for the implementation of procedures and controls. What kind of document should that be?
     

    Answer:

    You can use this brief step-by-step guide for the implementation of procedures and controls: “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    You can also use our free resource “Project checklist for ISO 27001 implementation (MS Word)”. You can find it in our free downloads section: https://advisera.com/27001academy/free-downloads/
  • Application service transactions


    14.1.3 – ISO 27001 – Application Service transactions and their controls… Based on the 2013 version and the new control definition, I think it’s no longer about e-commerce, but a much wider application service banner.
    Please let me know what "Application Service transactions" means. I tried doing some googling but didn’t get much.
     

    Answer:

    Application Service transactions generally means any transaction that involves the interchange of information through a network between 2 applications, for example, as you know, e-commerce, but also financial transactions between banks, or between an entity and a bank; database transactions (for example, 2 databases that are synchronizing information through the Internet); or an ERP that is connected with an external site to which it sends, or from which it receives, information.
    Anyway, remember that here it is not necessary to have a specific document for this control; if you want to know the list of mandatory documents required by ISO 27001:2013, please read this article: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/