
  • Information Security Aspects of Business Continuity


    Hi. I am currently working on a project - implementing ISO 27001 for the IT department (support function, number of employees is 6) of an organisation. I need clarification regarding the control "Information Security Aspects of Business Continuity". Would this be applicable to them? They are just in the planning phase of a DRP and do not have a BCP in place as of now.

    Answer:

    “Information Security Aspects of Business Continuity” is not a control; it is a domain (domain A.17) composed of the controls A.17.1.1, A.17.1.2, A.17.1.3 and A.17.2.1. These controls are basically for implementing a Business Continuity Plan or a Disaster Recovery Plan in your business. We recommend you develop a Disaster Recovery Plan, because it is related to the IT infrastructure; you can find a template for this here (you can see a free version by clicking on the “Free Demo” tab): “Disaster Recovery Plan”: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
    Regarding the applicability, these controls are applicable to your employees if the Disaster Recovery Plan or the Business Continuity Plan can affect their job, and also if they are in the scope of the ISMS. Awareness is very important here, because each one needs to know what to do in case of activation of the plan (DRP or BCP).
  • Applicability of ISO 27001 procedures in scope with multiple departments


    This question stems from the fact that many of our existing documents, such as standards and procedures, have been written in a way that gives the reader the impression that the controls mentioned in these documents are minimum requirements to be applied to all in-scope units; whereas, in the first instance, the control would have been chosen as an answer to one unit's risk.

    Answer:

    You should decide on your own whether your documents (e.g. policies, procedures, etc.) will apply to your whole organization, to your whole ISMS scope, or only to a particular organizational unit. However, when writing your documents, you have to specify clearly which organizational units they apply to; you can also specify this information in the Statement of Applicability.

    This article can also help you: How to define the ISMS scope https://advisera.com/27001academy/blog/2014/10/13/how-to-define-the-isms-scope/

    2. Can or should the scope document be reviewed periodically?

    Answer:

    The ISMS scope document should definitely be reviewed periodically; typically this is once a year, before you start doing the risk assessment.
  • ISO 9001 and ISO 27001


    Our customer currently has ISO 9001 implemented. Which documents should we ask for so we can revise and use them for ISO 27001?

    Answer:

    There are some common points in both standards, but keep in mind that ISO 9001 is being updated, and the final version is expected by the end of 2015. The structure of the new ISO 9001:2015 is more similar to ISO 27001:2013, so it will be easier once ISO 9001:2015 is in place.
    Anyway, with the current version of ISO 9001 there are many similar things; to know more about this, please read this article “Using ISO 9001 for implementing ISO 27001”: https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    This webinar may also be interesting for you, “ISO 27001 implementation: How to make it easier using ISO 9001”: https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
    Finally, if you are interested in the changes of the new ISO 9001:2015, this article can be interesting for you, “5 Main Changes Expected in ISO 9001:2015 from the 2014 Draft International Standard (DIS)”: https://advisera.com/9001academy/knowledgebase/5-main-changes-expected-in-iso-90012015-from-the-2014-draft-international-standard-dis/
  • ISO 27001 requirements


    We have received the following question:



    I have a question: are the domains the same as the requirements, that is, what the ISO 27001 standard says must be done? Or are the requirements the ones you present on a page where you talk about the following:
    1. Diagnosis and formulation
    1.1. Management support
    1.2. Treat it as a project
    1.3. Define the scope of the ISMS
    1.4. ISMS policy
    1.5. Define the risk assessment methodology
    1.6. Perform the risk assessment and treatment
    1.7. Write the Statement of Applicability
    1.8. Write the risk treatment plan
    1.9. Determine how to measure the effectiveness of the controls
    1.10. Implementation of mandatory controls and procedures
    1.10.1. Procedure for document control
    1.10.2. Procedure for internal audits
    1.10.3. Procedure for corrective measures
    1.11. Implement training and awareness programs
    1.12. Operate the ISMS
    1.13. Monitoring of the ISMS
    1.14. Internal audit
    1.15. Management review
    1.16. Preventive and corrective measures

    Answer:

    This list is only a guide for implementing ISO 27001 in your organization, but each point is related to a requirement of the standard. Therefore, you need to implement all the requirements of ISO 27001, and to do this you can use our list of 16 steps.

    On the other hand, remember that during the implementation you will need to develop policies and procedures, and I think this article may be interesting for you, “Siete pasos para implementar políticas y procedimientos” (Seven steps for implementing policies and procedures): https://advisera.com/27001academy/es/knowledgebase/siete-pasos-para-implementar-politicas-y-procedimientos/
    And this article about the mandatory documents you need in order to implement ISO 27001 may also be interesting for you: “Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)” (List of mandatory documents required by ISO 27001, 2013 revision): https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
    Finally, keep in mind that after the risk analysis and treatment you will have to implement security controls, which you can find in Annex A of the standard. If you need more information on this, please read this article (in English) "Overview of ISO 27001:2013 Annex A": https://advisera.com/27001academy/iso-27001-controls/
    This article (also in English) may also be interesting for you: "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Accept the risk


    My organisation would like to go for ISO 27001 certification for its data center. Various applications (all applications belong to a single client) are hosted, some of them critical and some of them not. None of the applications hosted in the data center has DR.
    Some of the hosted applications in the data center are critical and affect their operations. Due to lack of finance, DR is not operational. It will be operational, but it will take more time.
    So can I proceed with ISO 27001 certification right now, even when I don't have DR for all applications hosted in the data center? Is there any mandatory requirement to have DR in place?
    What if my client is ready to accept the risk regarding unavailability of applications for a few hours or even days?

    Answer:

    The right way is this: you need to perform the risk assessment & treatment, and the first thing you need is to calculate the risks related to the applications (or to the whole data center). If, after this, the risk is above the acceptable level, you can:

    Reduce the risk (applying security controls)
    Accept the risk
    Avoid the risk
    Transfer the risk

    So, in your case, I think the best option is to accept the risk; this means that you know the risks, but due to lack of budget you cannot reduce them. In this case, it is very important that top management knows and approves the situation. In this way, you could certify ISO 27001 in your organization.
    Anyway, I think the best, if you can, is to implement DR for some applications, at a minimum the critical ones; in this way you could recover part of the IT infrastructure.
    For more information about the risk assessment & treatment, please read this article “Risk Treatment Plan and risk treatment process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Awareness for an IT team


    Do you have awareness materials which I can use for end users? Also, is there anything separate for creating awareness for the IT team? What should be included in the IT team training?

     

    Answer:

    Regarding the users, you can use our presentation “Why ISO 27001 – Awareness presentation”. You can find it in our free downloads section here: https://advisera.com/27001academy/free-downloads/
    Regarding the IT team, it is more complex because there are many security controls related to technology in the standard, and they are different (firewalls, access control, vulnerabilities). Generally IT people have enough knowledge to implement technological controls, but it is also necessary that they are aware of information security, so my recommendation is that you use the first presentation for these people too. If not, if your IT team is junior, maybe some technical certifications like MCSA, LPI, CEH, etc. will be necessary.
  • Doubts about A.14.2.5


    Can you please help us and provide some detailed information as to what should be covered in A.14.2.5 of ISO 27002:2013.
     

    Answer:

    Sure, I will give you information about this. If you look at the “Implementation guidance” of control 14.2.5 in ISO 27002:2013, you can read this: “Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility”. So, this control is related to the design of the information system as a whole, which also includes software development.
    If you need a template to implement this control, this can be interesting for you (you can see a free version by clicking on the “Free Demo” tab): “Secure Development Policy”: https://advisera.com/27001academy/documentation/secure-development-policy/
    This template can also be interesting for you, “Operating Procedures for Information and Communication Technology”: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
    Please let us know if you need more information about this control.
  • External CISO


    We purchased the consultants kit from your team and so far it has been great. We have started helping one of our clients with their ISO initiative, and we ran into a question I was hoping you could answer.
    We perform almost all IT functions for this company, including its security monitoring. What is the greatest role we can fill with their ISO project team? Can we handle all the traditional functions of a CISO as described in your blog and toolkit? In essence we are already performing those capabilities on a greatly reduced scale. Or do they need to have an internal employee fill that role?

    Answer:

    Yes, your company can perform tasks related to the management of the ISMS, including the functions of a CISO, so it is not necessary for the company to have an internal employee in the CISO position. Here it is important that the company that wants to implement ISO 27001 has the necessary knowledge about the standard to implement it, and they can request the services of an external company to do it. But in this case, remember that it is very important to put agreements in place between both companies. Your company will be a supplier for your client, so the template “Supplier Security Policy” can be interesting for you. You can find it in the folder “08 Annex AA.15 Supplier relationships”.
    Finally, I think that these articles can be interesting for you:

    “What is the job of Chief Information Security Officer (CISO) in ISO 27001?”: https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    “Chief Information Security Officer (CISO) - where does he belong in an org chart?”: https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Security Manager Position

    There are some tasks that you need to perform in the maintenance of the ISMS; for more information, please read this article "How to maintain the ISMS after the certification": https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
  • Firewall and suppliers


    1. How to use ISO 27001 for an assessment around the firewall in a company.
    2. How can I look into the governance around 3rd parties that the company works with, including those they use for penetration testing (using ISO 27001)?

    Answers:

    Point 1:

    The core of ISO 27001 is the risk assessment & treatment, so you can think of a firewall as an asset (hardware type) and perform the risk assessment including the firewall as an asset. After the risk assessment, you will have the risk level related to the firewall (and you will need to perform the risk treatment). I think this free webinar can be interesting for you, “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    This article about how to use firewalls in ISO 27001 can also be interesting for you, “How to use firewalls in ISO 27001 and ISO 27002 implementation”: https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/

    Point 2:
    Basically you will need a Supplier Security Policy, but for more information this article can be interesting for you, “6-step process for handling supplier security according to ISO 27001”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27001 courses for beginners


    I would like to know about ISO 27001 courses for beginners. I have made some awareness presentations during my organization's internal audits, so I already have an introduction to ISO 27001.
    Could you please send me a guidance document on ISO 27001 courses for beginners rather than webinars, because I want to read the details.

    Answer:

    Basically you can take 2 types of courses, depending on whether you want to be a consultant or an auditor:
    Regarding the consultant, this free webinar can be interesting for you, “How to become an ISO 27001 / BS 25999-2 consultant”: https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
    And regarding the lead auditor, this article can be interesting for you, “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    These articles can also be interesting for you:

    “How to learn about ISO 27001 and BS 25999-2”: https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
    “Lead Auditor Course vs. Lead Implementer Course – Which one to go for?”: https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    Finally, all our resources (articles, webinars, ebooks, templates, etc.) will give you knowledge about information security (and also business continuity) that you can use to become a consultant or lead auditor of ISO 27001. So, we recommend you review all our resources, and please feel free to ask us any questions you have.
