
  • Accept the risk


    My organisation would like to go for ISO 27001 certification for its data center. Various applications (all applications belong to a single client) are hosted there; some of them are critical and some of them are not. None of the applications hosted in the data center have DR.
    Some of the applications hosted in the data center are critical and this affects their operations. Due to lack of finance, DR is not operational. It will be operational, but it will take more time.
    So can I proceed for ISO 27001 certification right now, even when I don't have DR for all applications hosted in the data center? Is there any mandatory requirement of having DR in place?
    What about if my client is ready to accept the risk regarding unavailability of applications for a few hours or even days?

    Answer:

    The right way is this: you need to perform the risk assessment & treatment, and the first thing that you need is to calculate the risks related to the applications (or to the whole data center). If after this the risk is above the acceptable level, you can:

    Reduce the risk (applying security controls)
    Accept the risk
    Avoid the risk
    Transfer the risk

    So, in your case, I think that the best is to accept the risk; this means that you know the risks, but due to lack of budget you cannot reduce them. But in this case, it is very important that the top management knows and approves the situation. In this way, you could certify ISO 27001 in your organization.
    Anyway, I think that the best, if you can, is to implement DR for some applications, at a minimum for the critical applications; in this way you could recover a part of the IT infrastructure.
    For more information about risk assessment & treatment, please read this article “Risk Treatment Plan and risk treatment process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Awareness for an IT team


    Do you have awareness materials which I can use for end users? Also, is there anything separate for creating awareness for the IT team? What should be included in the IT team training?

    Answer:

    Regarding the users, you can use our presentation “Why ISO 27001 – Awareness presentation”. You can find it in our free downloads section here: https://advisera.com/27001academy/free-downloads/
    Regarding the IT team, it is more complex because there are many security controls related to technology in the standard, and they are of different kinds (firewalls, access control, vulnerabilities). Generally IT people have enough knowledge to implement technological controls, but it is also necessary that they are aware of information security, so my recommendation for you is to use the first presentation for these people too. If not, if your IT team is junior, maybe some technical certifications like MCSA, LPI, CEH, etc. will be necessary.
  • Doubts about A.14.2.5


    Can you please help us and provide some detailed information as to what should be covered in A.14.2.5 of ISO 27002:2013?

    Answer:

    Sure, I will give you information about this. If you look at the “Implementation guidance” of control 14.2.5 in ISO 27002:2013, you can read this: “Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility”. So, this control is related to the design of large information systems, which also includes software development.
    If you need a template to implement this control, this can be interesting for you (you can see a free version by clicking on the “Free Demo” tab): “Secure Development Policy”: https://advisera.com/27001academy/documentation/secure-development-policy/
    And also this template can be interesting for you: “Operating Procedures for Information and Communication Technology”: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
    Please, let us know if you need more information about this control.
  • External CISO


    We purchased the consultants kit from your team and so far it has been great. We have started helping one of our clients with their ISO initiative, and we ran into a question I was hoping you could answer.
    We perform almost all IT functions for this company, including its security monitoring; what is the greatest role we can fill with their ISO project team? Can we handle all the traditional functions of a CISO as described in your blog and toolkit? In essence we are already performing those capabilities on a greatly reduced scale. Or do they need to have an internal employee fill that role?

    Answer:

    Yes, your company can perform tasks related to the management of the ISMS, including the functions of a CISO, so it is not necessary that the company has an internal employee for the CISO position. Here it is important that the company that wants to implement ISO 27001 has the necessary knowledge about the standard to implement it, and they can request the services of an external company to do it. But in this case, remember that it is very important to have agreements in place between both companies. Your company will be a supplier for your client, so the template “Supplier Security Policy” can be interesting for you. You can find it in the folder “08 Annex AA.15 Supplier relationships”.
    Finally, I think that these articles can be interesting for you:

    “What is the job of Chief Information Security Officer (CISO) in ISO 27001?”: https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    “Chief Information Security Officer (CISO) - where does he belong in an org chart?”: https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Security Manager Position

    There are some tasks that you need to perform in the maintenance of the ISMS; for more information, please read this article “How to maintain the ISMS after the certification”:

    https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
  • Firewall and suppliers


    1. How to use ISO 27001 for an assessment around the firewall in a company.
    2. How can I look into the governance around 3rd parties that the company works with, including those that they use for penetration testing (using ISO 27001)?

    Answers:

    Point 1:

    The core of ISO 27001 is the risk assessment & treatment, so you can think of a firewall as an asset (hardware type) and perform the risk assessment including the firewall as an asset. After the risk assessment, you will have the risk level related to the firewall (and you will need to perform the risk treatment). I think that this free webinar can be interesting for you “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    Also this article about how to use firewalls in ISO 27001 can be interesting for you “How to use firewalls in ISO 27001 and ISO 27002 implementation”: https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/

    Point 2:
    Basically you will need a Supplier Security Policy, but for more information this article can be interesting for you “6-step process for handling supplier security according to ISO 27001”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27001 courses for beginners


    I would like to know about ISO 27001 courses for beginners. I have made some awareness presentations during my organization's internal audits, so I already have an introduction to ISO 27001.
    Could you please send me a guidance document on ISO 27001 courses for beginners rather than webinars, because I want to read the details?

    Answer:

    Basically you can take 2 types of courses, depending on whether you want to be a consultant or an auditor:
    Regarding the consultant, this free webinar can be interesting for you “How to become an ISO 27001 / BS 25999-2 consultant”: https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
    And regarding the lead auditor, this article can be interesting for you “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    Also these articles can be interesting for you:

    “How to learn about ISO 27001 and BS 25999-2”: https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
    “Lead Auditor Course vs. Lead Implementer Course – Which one to go for?”: https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    Finally, all our resources (articles, webinars, ebooks, templates, etc.) will give you knowledge about information security (and also business continuity) that you can use to become a consultant or lead auditor of ISO 27001. So, we recommend that you review all our resources, and please feel free to ask us any doubt.
  • Pre-certification audit


    The subject heading should give you an indication of what I need. What time frame am I looking at for implementing and conducting the pre-certification audit for an IT company of about 30 individuals? Can you perhaps send me an example of an ISMS? That would be very helpful.

    Answer:

    Sure, you will have our help. A pre-certification audit is not required by the standard (before the certification audit, only the internal audit is necessary), but it can be interesting for your company because it can give you feedback about the situation and the level of compliance of your company, which can also help your company to better face the certification audit.
    This article can be very interesting for you “Becoming ISO 27001 certified – How to prepare for certification audit”: https://advisera.com/27001academy/iso-27001-certification/
    Also this article can be interesting “Should your company go for the ISO 27001 / ISO 22301 certification?”: https://advisera.com/27001academy/iso-27001-certification/
    And finally, this article about deviations in the audit (you need to avoid major nonconformities) can be interesting for you “Major vs. Minor nonconformities in the certification audit”: https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    Finally, regarding the example of an ISMS, you can see our templates (you can see a free version by clicking on the “Free Demo” tab): https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Functionalities of an external auditor


    Can I know the functionalities of an external auditor?

    Answer:

    Basically, to review that all requirements established by the standard are in place in the organization. To do this, the lead auditor needs to perform interviews with staff of the organization, perform tests of security controls compliance, review documentation, etc. Finally, at the end of the audit the lead auditor also needs to develop a report with all deviations detected, and it needs to be presented to the company.
    If you are interested in becoming a lead auditor, this article can be interesting for you “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    Finally, maybe this article can be interesting for you "Infographic: The brain of an ISO auditor - What to expect at a certification audit" : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
  • Risk Treatment Plan and SOA


    1. I would like to know how to prepare a risk treatment plan in general. Is there any template with the fields that I should consider, or recommendations on how to do it? I am about to get certified as an Internal Auditor in ISO 27001 and I have this doubt.
    2. I have seen that there are several SOA formats; which columns should I definitely consider in my Statement?

    Answers:

    Point 1:

    If you need a template for the Risk Treatment Plan, you can use this one (you can see a free version by clicking on the “Free Demo” tab): https://advisera.com/27001academy/es/documentation/plan-de-tratamiento-de-riesgos/
    This article may also be interesting for you (in English) “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    On the other hand, keep in mind that the Risk Treatment Plan is not the same as the Risk Treatment Process; here you can find the differences (in English) “Risk Treatment Plan and Risk Treatment Process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    Point 2:

    About the SOA, you can use our template (remember that you can see a free version by clicking on the “Free Demo” tab): https://advisera.com/27001academy/es/documentation/declaracion-de-aplicabilidad/
    Finally, this article about the SOA may be interesting for you (in English) “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/