In the toolkit we didn't develop separate documents for managing security in project management because you should use your regular policies and procedures for that purpose. For example, you shouldn't develop a separate Access Control Policy for project management - you should use your regular Access Control Policy for that purpose.
Identification of requirements
We are currently working with a global investment firm on an ISO 27001 implementation / certification project, but they are struggling to identify a single list for the purpose of compliance with A15.1.1.
As they are in many territories, it is difficult for them to identify a single list.
Have you a good idea how to solve this particular issue?
Answer:
First of all, if you have implemented ISO 27001:2005 in your business and have certified it, you need to adapt to the new version, ISO 27001:2013, as soon as possible, because theoretically 2015 is the last year for the adaptation; after this, ISO 27001:2005 will no longer be in force (although you can always keep the old version implemented, you cannot re-certify it). And keep in mind that our documents are developed for the new version.
Anyway, control A.15.1.1 is control A.18.1.1 in the new standard. This article, which is about international laws and regulations, can help you: "Laws and regulations on information security and business continuity": https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
And remember that you can also use our templates Procedure_for_identification_of_Requirements and Appendix_List_of_Legal_Regulatory_Contractual_and_Other_Requirements (you can find them in the folder 02 Procedure for Identification of Requirements).
Scenarios in Business Continuity
For compliance with the business continuity topic, are there specific situations that must be reviewed, or can I, according to the activities of the business, propose my own scenarios and, based on these, generate my continuity plan for ISO 27001? As an example, I propose that my scenarios are the loss of trust due to the leak or publication of a client's information, which could result in a civil lawsuit, and also the unavailability of key personnel of the organization. I hope my question is clear; I intend to take these two scenarios and their respective plan into my documentation for ISO 27001. Thank you
Answer:
ISO 27001 is not very specific regarding scenarios, so to comply with the standard you could write a Business Continuity Plan (BCP), or only a Disaster Recovery Plan (DRP). Keep in mind that these are different things; here you can find more information about it (in English): "Disaster recovery vs Business continuity": https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
However, you can implement your plan based on your business (and also on your experience), although there are many scenarios that can be common to any situation (one example: the one related to the unavailability of people/workers).
Also keep in mind that Business Continuity is dealt with in depth in ISO 22301, while ISO 27001 is more related to the Disaster Recovery Plan, which is more related to IT infrastructure.
Therefore, my recommendation in your case is that you use the Disaster Recovery Plan because it is more "technological", and you can likewise consider the scenario related to the unavailability of your employees, but I think it is not necessary for you to consider the scenario related to the publication of information, because it is not directly related to IT infrastructure. But importantly, bear in mind that your scenarios have to be based on the results of the risk analysis. You can also see our template (you can see a free version by clicking on "Free Demo") "Examples of disruptive incident scenarios": https://advisera.com/27001academy/es/documentation/ejemplos-de-escenarios-por-eventos-de-interrupcion-del-negocio/
Finally, you can also see our ISO 22301 documentation toolkit here: https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-22301/ or our Premium package, which includes documents on ISO 27001 and ISO 22301 (remember that you can always see a free version by clicking on "Free Demo"): https://advisera.com/27001academy/es/paquete-premium-de-documentos-sobre-iso-27001-iso-22301/
BIA and BCP
Lead Auditor
Hi, I am looking to become licensed as an auditor in order to issue certificates. Is it possible for you to provide me with some documentation regarding the licensure?
We have received very good information on Applicability of ISO 27001. Please help us to know where ISO 20000 and ISO 22301 certification is applicable.
Answer:
ISO 20000 is for companies that offer IT services and want to give warranties to their customers that the service is provided with quality and security (it is based on ITIL, and also has processes related to quality and to information security). An example: companies that offer a data center, or a software development/maintenance service, etc. For more information about ISO 20000, you can visit our site and see this page "What is ISO 20000? Learn why ISO 20000 can benefit your organization": https://advisera.com/20000academy/what-is-iso-20000/
ISO 22301 is for companies that offer a critical service to their customers and want to give warranties that the availability of the service is guaranteed. An example can be any critical service: communications, electrical, financial services, etc. And for more information about ISO 22301, you can also visit our site and see this page "ISO 22301 Basics": https://advisera.com/27001academy/what-is-iso-22301/
ISO 27001 in the field of media production
I was wondering if there is a possibility to consider ISO 27001 in the field of media production. I've been thinking about the matter since I'm involved in working with such an industry for the time being. I was trying to look for an approach to present the idea, with no success until now. I appreciate your valuable assistance.
Answer:
Sure, ISO 27001 is interesting for media production companies because the main objective of the standard is the protection of information, and I am sure that you have sensitive data in your business. Furthermore, ISO 27001 is for any type of business, so you can implement and certify it in your company. I think that the important thing in your situation is to obtain management support, so I think that this webinar can be interesting for you: "ISO 27001 benefits: How to obtain management support": https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
Also this article can be interesting: "Four key benefits of ISO 27001 implementation": https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
And finally this article can also be interesting for you: "Applicability of ISO 27001 across industries": https://advisera.com/27001academy/blog/2015/06/29/applicability-of-iso-27001-across-industries/
1.- I wonder if you can help answer my query. I want to know if there are any disadvantages in doing ISO 27001 with one board rather than another. I am looking at a course which is run over 2 consecutive weekends and certified by PECB. All other courses I have looked at are certified by IRCA.
2.- Do you have any suggestions or opinions on this? Also, are the exams the same format/difficulty for both boards?
Answer:
Point 1: There are many companies and all are good; our recommendation is that you search for a course accredited by IRCA or RABQSA (although PECB is also a good entity), because this means that, once you pass the exam, the certificate will be accepted by any certification body if you want to work as a lead auditor with them. Maybe this article can be interesting for you: "How to become ISO 27001 Lead Auditor": https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
Point 2: Regarding the exam, I think that the important thing is to know in detail the basic points of the standard (risk assessment & treatment and security controls); depending on the entity there will be more or fewer questions about one or the other, but if you have good knowledge of them, surely you will not have problems. So, if you want to prepare for the exam, this webinar can be interesting for you: "ISO 27001 Lead Auditor Course preparation training": https://advisera.com/training/iso-27001-lead-auditor-course/
Development policies
I was reviewing your site and it seems to be just what I need. I have an ISO 27001:2013 audit next month and I need to have the following policies from Annex 14.2 ready, which would be these:
A14.2.1 Development Policy
A14.2.5 System development procedures
A14.2.6 Secure Development Environment
A14.2.8 System Security Testing
I need to know whether what you sell contains the full description of the above policies, just so that I can make the adjustments to whatever my company authorizes; if so, I need you to tell me how much it costs and how I pay for it.
Answer:
Regarding the documents you have listed, it is only mandatory to have the one that applies to control "A.14.2.5 System development procedures"; in any case, with our template "Secure Development Policy": https://advisera.com/27001academy/es/documentation/politica-de-desarrollo-seguro/ you can implement all the controls you need and more: A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.7, A.14.3.1, etc.
You can see a free version of the document by clicking on "Free Demo", and if you are interested in purchasing it, you can see the price on the previous page.
Finally, remember that you can ask us any questions you have.