Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
External CISO
We purchased the consultants kit from your team and so far it has been great. We have starting helping one of our clients with their iso initiative, and we ran into a question I was hoping you could answer.
We perform most all IT functions for this company including its security monitoring, what is the greatest role we can fill with their ISO project team. Can we handle all the traditional functions of a CISO as described in your blog and toolkit? In essence we are already performing those capabilities on a greatly reduced scale. Or do they need to have an internal employee fill that role?
Answer:
Yes, your company can perform tasks related to the manage of the ISMS, including functions of a CISO, so it i not necessary that the company has an internal employee for the CISO position. Here is important that the company that wants to implement the ISO 27001 has the necessary knowledge about the standard to implement it, and they can request services of an external company to do it. But in this case, remember that it is very important to take in place agreements between both companies. Your company will be a supplier for your client, so the template Supplier Security Policy" can be interesting for you. You can find it in the folder 08 Annex AA.15 Supplier relationships.
Finally, I think that these articles can be interesting for you:
What is the job of Chief Information Security Officer (CISO) in ISO 27001?: https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Chief Information Security Officer (CISO) - where does he belong in an org chart?: https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/ -
Security Manager Position
There are some tasks that you need to perform in the maintenance of the ISMS, for more information, please read this article "How to maintain the ISMS after the certification" :
https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/ -
Firewall and suppliers
1. How to use ISO 27001 for an assessment around the firewall in a company.
2. How can I look into the governance around 3rd parties that the company work with, including those that they use for penetration testing (Using ISO 27001).
Answers:
Point 1:
The core of the ISO 27001 is the risk assessment & treatment, so you can think in a firewall as an asset (hardware type), so you can perform the risk assessment including the firewall as an asset. After the risk assessment, you will have the risk level related to the firewall (and you will need to perform the risk treatment). I think that this free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Also this article about how to use firewalls in ISO 27001 can be interesting for you How to use firewalls in ISO 27001 and ISO 27002 implementation : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
Point 2:
Basically you will need a Supplier Security Policy, but for more information this article can be interesting for you 6-step process for handling supplier security according to ISO 27001 : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
ISO 27001 courses for beginners
I would like to know about iso27001 courses for beginners. I have made some awareness presentations during my organizations internal audits so I already have introduction of iso27001.
Could you please send me guidance document on iso27001 courses for beginners rather than webinars because I want to read the details.
Answer:
Basically you can perform 2 type of courses depending if you want to be consultant of auditor:
Regarding to the consultant, this free webinar can be interesting for you How to become an ISO 27001 / BS 25999-2 consultant : https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
And regarding to the lead auditor, this article can be interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
Also this articles can be interesting for you:
How to learn about ISO 27001 and BS 25999-2 : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
Lead Audito r Course vs. Lead Implemented Course Which one to go for? : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
Finally, all our resources (articles, webinars, ebooks, templates, etc) will give you a knowledge about information security (and also business continuity) that you can use to acquire knowledge and become a consultant or lead auditor of ISO 27001. So, we recommend you to review all our resources, and please feel free to ask us any doubt. -
Pre-certification audit
The subject heading should give you an indication of what I need. what time frame am I looking at, implementing and conducting the pre-certification audit for an IT company of about 30 individuals. Can you perhaps send me an example of an ISMS? that would be very helpful.
Answer:
Sure, you will have our help. A pre-certification audit is not necessary by the standard (before the certification audit, only is necessary the internal audit), but it can be interesting for your company because can give you feedback about the situation and the level of compliance of your company, which can also help your company to face better the certification audit.
This article can be very interesting for you Becoming ISO 27001 certified How to prepare for certification audit : https://advisera.com/27001academy/iso-27001-certification/
Also this article can be interesting Should your company go for the ISO 27001 / ISO 22301 certification? : https://advisera.com/27001academy/iso-27001-certification/
And finally, this article about deviations of the audit (you need to avoid Major nonconformities), can be interesting for you Major vs. Minor nonconformities in the certification audit : https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
Finally, regarding to the example of ISMS, you can see our templates (you can see a free version clicking on Free Demo tab): https://advisera.com/27001academy/iso-27001-documentation-toolkit/ -
Functionalities of external auditor
Can i know the functionalities of external auditor?
Answer:
Basically review that all requirements established by the standard are in place in the organization. To do this, the lead auditor needs to perform interviews with staff of the organization, perform tests of security controls compliance, review of documentation, etc. Finally at the end of the audit the Lead Auditor also need to develop a report with all deviations detected, and it needs to be presented to the company.
If you are interested in become a lead auditor, this article can be interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
Finally, maybe this article can be interesting for you "Infographic: The brain of an ISO auditor - What to expect at a certification audit" : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/ -
Plan de Tratamiento de Riesgos y SOA
1.-Quisiera saber como elaborar un plan de tratamiento de riesgo en general. Existe alguna plantilla con los campos que debo considerar o recomendaciones de como hacerlo? Estoy a punto de certificarme como Auditor Interno en ISO 27001 y tengo esta duda .
2.-He revisado que existe varios formatos de SOA , que columnas si o si debería considerar en mi Declaración.
Respuestas:
Punto 1:
Si necesitas una plantilla para el Plan de Tratamiento de Riesgos, puedes usar esta (puedes ver una versión gratuita clickeando en la pestaña "Demo gratis"): https://advisera.com/27001academy/es/documentation/plan-de-tratamiento-de-riesgos/
Este artículo también te puede resultar interesante (en inglés) "Qualifications for an ISO 27001 Internal Auditor": https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
Por otra parte, ten en cuenta que no es lo mismo el Plan de Tratamiento de Riesgos, que el Proceso de Tratamiento de Riesgos, aquí podrás encontrar las diferencias (en inglés) Risk Treatment Plan and Risk Treatment Process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Punto 2:
Sobre el SOA, puedes usar nuestra plantilla (recuerda que puedes ver una versión gratuita clickeando en la pestaña "Demo gratis"): https://advisera.com/27001academy/es/documentation/declaracion-de-aplicabilidad/
Finalmente, quizás pueda resultarte interesante este artículo sobre el SOA (en inglés) The importance of Statement of Applicability for ISO 27001 : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ -
Job in information security
Please I would like to know if the tutorials and seminars you provide on your website is enough to land one a job in the Information Security Management Industry. Please I would also appreciate if you could advice me on the areas where one could focus in order to get a job in the Information Security Industry.
Answer:
All our resources (articles, webinars, ebooks, templates, etc) will give you a knowledge about information security (and also business continuity) that you can use to work in jobs as consultant or lead auditor of ISO 27001 (they are the main areas related to Information Security where you can work). So, we recommend you to review all our resources, and please feel free to ask us any doubt.
Regarding to the consultant, this free webinar can be interesting for you How to become an ISO 27001 / BS 25999-2 consultant : https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
A nd regarding to the lead auditor, this article can be interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/ -
Knowledge about ISO 27001
I have a trouble relating to the human resource before implement ISO 27001. People in my company have the difference level about understanding security of ISO 27001. So how to implement any tech with the right expectations.
Answer:
It is not necessary that all people in the ISMS have an expert knowledge about the ISO 27001, or have expert knowledge about technology, so here it is important to train all people in basic terms about information security. To do this, I recommend you to see our free resources, for example Why ISO 27001 Awareness presentation here (you can also use the presentation to train your staff): https://advisera.com/27001academy/free-downloads/ .
About the technology, you need people in your company to implement certain security controls which are directly related with technology, but it is enough with basic knowledge (for example, knowledge about backups, control access, firewalls, anti-virus, etc). This article about firewalls can be interesting for you How to use firewalls in ISO 27001 and ISO 27002 imple mentation : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
Finally this page about what is ISO 27001 can be also interesting for you: https://advisera.com/27001academy/what-is-iso-27001/
Also this article can be interesting for you "4 reasons why ISO 27001 is useful for techies" : https://advisera.com/27001academy/blog/2012/10/22/4-reasons-why-iso-27001-is-useful-for-techies/ -
Pass the certification examination
Please what are the things I need to know about ISO 27001 in order to pass the certification examination?
Answer:
We have a free webinar in our blog that will give you interesting information ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/
Also this article can be interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/