Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Weakness, event and incident
Kindly enlighten me with what is the difference between IS weakness, event and incident?
In my opinion, weakness can be an event if it is exploited. And an event can be an incident if it endangers the CIA of organization's information asset.
Answer:
Ok, you are right. In accordance with ISO 27000:2012, a vulnerability "is a weakness of an asset or control that can be exploited by one or more threats, and an event is an occurrence or change of a particular set of circumstances and An event can sometimes be referred to as an incident or accident . So, an incident can be an event. -
Is an accreditation body a government body?
1. Is an accredited body a government body?
In accordance with SAC, the accreditation is (you can see this definition in the FAQ page https://www.sac-accreditation.gov.sg/resources/faq:
Accreditation is the endorsement by an authoritative body (such as SAC) of an organisation's competence, credibility, independence and integrity in carrying out its conformity assessment activities, such as testing, calibration, inspection and certification.
So, an accreditation body needs to be independent, so usually is a body related to the govern of each country.
2. From my understanding, an accredited body is the body that certifies organisation. (This is my company’s goal, to become an accredited body). Thus, in order to become an accredited body, does my company needs to be certify the ISO/IEC 27001 requirements first?
If you want to certifies companies, you need to be a certification body, and you need to be accredited by the accreditation body of your country (SAC). For more information to obtain the accreditation, you can also see the FAQ page of SAC, please read What is the general procedure for getting accreditation? : https://www.sac-accreditation.gov.sg/resources/faq. And in this case I think that it is not necessary that your company certify the ISO 27001, but you need to implement the ISO 17021 and ISO 27006. -
Number of ISO 27001 certificates
During the recent webinar, I asked a question about how many 27001 certifications there were globally and you said around 25,000. Are you able to give me a little more - how many 27001:2013 and how many are UK based for each of 2005 and 2013 versions.
Answer [reply by EAC]
ISO (International Organization for Standardization) publishes every year a report with the number of certificates (of all ISOs) in the world. You can filter here by your country and the ISO 27001 (it is only available until year 2013): https://www.iso.org/the-iso-survey.html?certificate=ISO/IEC%2027001&countrycode=#standardpick
Also you can download a PDF with all results. Regarding 27001:2005 vs ISO 27001:2013, the lasts results of ISO are related to ISO 27001:2005, so maybe you will need to wait this year to see the number of ISO 27001:2013 certificates published in the world. -
Kit documentacion
¡Hola! El kit de documentación que ofrecen incluye la implementación de los controles de la Norma ISO-27001
Respuesta:
Claro, nuestro toolkit incluye todos los documentos necesarios para la implementación de la ISO 27001 en tu organización. Esto significa que el toolkit tiene todos los documentos obligatorios, incluyendo aquellos relacionados con el PDCA y también aquellos documentos relacionados con los controles de seguridad, además incluye algunos documentos no obligatorios. Si quieres ver la lista de documentos obligatorios de la ISO 27001 (y no obligatorios), por favor lee el siguiente artículo "Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)" : https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
En cualquier caso, ten en cuenta que que son plantillas, y necesitas adaptarlas a tu negocio, pero para ello puedes contar con nuestro apoyo. Puedes ver una versión gratuita de todos los documentos clickeando en "Demo gratis" : https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/ -
Auditor Lider ISO 27001
Muy buenas tardes, ayer estuve presente en el webinar y me ayudo a sacarme varias dudas que tenía con respecto a la certificación de la iso27001.
Te molesto para consultarte algo, hace rato que quiero hacer el curso de auditor pero no sé bien cual realizar. Las opciones que tengo es Auditor Interno o Auditor Líder.
Específicamente lo que quiero hacer yo es poder realizar consultoría y auditorias apuntado todo a redes, sistemas de información y seguridad informática.
Estoy dando vueltas hace rato sobre esto y no sé por dónde empezar, que capacitación tendría que realizar primero que otra.
Espero que me puedas dar tu opinión para orientarme un poco ya que tenes mucha experiencia sobre este campo.
Respuesta:
Son 2 cosas diferentes: consultor y auditor, y creo que el primer paso es conocer en profundidad la ISO 27001. Para esto, puedes ver esta presentación gratuita (en inglés) Why ISO 27001 Awareness presentation : https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation/
Este artículo sobre consultores también puede resultarte int eresante (en inglés) How to become an ISO 27001 / ISO 22301 consultant : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
Después de esto, si tienes interés en auditar un SGSI, el próximo paso es realizar un curso para obtener la certificación en Auditor Líder, por tanto este artículo puede ser interesante para ti (en inglés) How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
También puede ser interesante para ti este Webinar gratuito (en inglés) ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/
Finalmente, en relación a las redes, sistemas de información y seguridad informática (esto no es lo mismo que la seguridad de la información), estas cuestiones están más relacionadas con la tecnología, y necesitarás cursos/certificaciones más especializadas, por ejemplo MCSA (Microsoft Certified Solutions Associate), CEH (Certified Ethical Hacker), LPIC (Linux Professional Institute Certification), etc. -
Accreditation body
My company (in Singapore) is interested in becoming a accredited body for ISO/IEC 27001. I did some research on my own and it seems that before I could apply for accreditation for ISO/IEC 27001, I would need to accredited for ISO 17201 before I could apply for ISO/IEC 27001. As I have been reading from many sites, it seems a little confusing and I was wondering if you could provide advises on how to become a accredited body for the mentioned ISO. In addition, could you please recommend any body that does such services.
Answer:
I think that you can not do it, because each country has a national accreditation body, and it tends to be a public entity (related to the government). In Singapore the accreditation body is this: https://www.sac-accreditation.gov.sg
And also you can see the certification bodies accredited by SAC : https://www.sac-accreditation.gov.sg/accredited-org/certified-cab-companies
Anyway, any company can achieve the ISO 27001 certificate (but it is a completely different thing), and for this, you need to implement the ISMS and after you need to choose a certification body. If you are interested about this, you can read this article "How to choose a certification body" : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ -
Clause 4.1 and 7.5
Please explain clause 4.1 and 7.5. Problem is that our company has only three employees (including me) and i dont get the big picture of this clause 7.5
Answer:
Sure, I will give you two interesting articles:
Regarding to the clause 4.1 Understanding the organization and its context, you can read this article Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
Regarding to clause 7.5 Documented information, you can read this article Document management in ISO 27001 & BS 25999-2 : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Finally, related to your final question i dont get the big picture of this clause 7.5 : This clause (7.5) is related with the management of documents (you need to establish this controls for each document: identification, description, review and approval for suitability and adequacy, format, control of changes, control access, distribution, storage, retention, disposition, control of external documents). And as you know, there are some mandatory documents (if not, please read this article List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/), so independently of the size of your business, you need to implement documents, and for them you need to establish controls that I have mentioned before. -
Ebook for a network administrator
I work as network administrator and I am looking If I get ebook to enhance my knowledge.
I want to be an ISO 27001 consultant .
Please advise
Answer:
We have a great free ebook, which I think that can be very interesting for your job because it is related to the cybersecurity. You can find it here 9 Steps to Cybersecurity : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
Finally, if you want to be a ISO 27001 consultant, maybe this article can be interesting for you How to become an ISO 27001 / ISO 22301 consultant : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/ -
Examples for external documentation relevant to the ISMS
Here are a couple of examples:
Contracts with your clients
Correspondence with third parties about the security issues
ISO 27001 standard itself
Manuals for security software / equipment
etc.
This article might also help you: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/ -
ISO 9001 and ISO 27001
which are all the similar clauses. i want these information bcz ISO 9001 has 8 clauses whereas 27001 has 10 so i m trying to make a single document out of it
Answer:
First of all, keep in mind that the ISO 9001 is being updated, and the final version is expected by the end of 2015. The structure of the new ISO 9001:2015 is more similar to the ISO 27001:2013 (has 10 clauses and with the same name, but obviously with different content).
Anyway, I think that this article can be very interesting for you Using ISO 9001 for implementing ISO 27001 : https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
Finally maybe these resources can also be interesting for you :
Webinar "ISO 27001 implementation: How to make it easier using ISO 9001" : https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
Article "5 Main Changes Expected in I SO 9001:2015 from the 2014 Draft International Standard (DIS)" : https://advisera.com/9001academy/knowledgebase/5-main-changes-expected-in-iso-90012015-from-the-2014-draft-international-standard-dis/