
  • Ebook for a network administrator


    I work as a network administrator and I am looking for an ebook to enhance my knowledge.
    I want to be an ISO 27001 consultant.
    Please advise.


    Answer:

    We have a great free ebook, which I think can be very interesting for your job because it is related to cybersecurity. You can find it here: “9 Steps to Cybersecurity” : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
    Finally, if you want to be an ISO 27001 consultant, maybe this article can be interesting for you: “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
  • Examples for external documentation relevant to the ISMS

    Here are a couple of examples:

    Contracts with your clients
    Correspondence with third parties about the security issues
    ISO 27001 standard itself
    Manuals for security software / equipment
    etc.

    This article might also help you: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  • ISO 9001 and ISO 27001


    Which are all the similar clauses? I want this information because ISO 9001 has 8 clauses whereas 27001 has 10, so I am trying to make a single document out of it.


    Answer:

    First of all, keep in mind that ISO 9001 is being updated, and the final version is expected by the end of 2015. The structure of the new ISO 9001:2015 is more similar to ISO 27001:2013 (it has 10 clauses with the same names, but obviously with different content).
    Anyway, I think that this article can be very interesting for you: “Using ISO 9001 for implementing ISO 27001” : https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    Finally, maybe these resources can also be interesting for you:

    Webinar "ISO 27001 implementation: How to make it easier using ISO 9001" : https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
    Article "5 Main Changes Expected in ISO 9001:2015 from the 2014 Draft International Standard (DIS)" : https://advisera.com/9001academy/knowledgebase/5-main-changes-expected-in-iso-90012015-from-the-2014-draft-international-standard-dis/
  • Reasons to get the certification


    I haven't had a chance to study the docs yet, but will within the next week or so. Our basic questions are: (1) would a certification be useful for our business? (beyond the obvious security benefits) and (2) if so, which certification? ISO, SSAE, etc.
     

    Answer:

    1) There can be various reasons to get the certification; here you can find more information about this: “Should your company go for the ISO 27001 / ISO 22301 certification?” : https://advisera.com/27001academy/iso-27001-certification/
    2) ISO has more prestige at the international level, so if you want a certificate with international recognition, we recommend ISO.
  • Server setting to be compliant for ISO 27001


    I am looking for server settings to be compliant with ISO 27001.


    Answer:

    From my knowledge, there are no individual servers, for example in a shop, prepared to be compliant with ISO 27001, because each company needs to configure them in accordance with their business and also with the requirements of ISO 27001. Maybe you can find a data center certified in ISO 27001, or a company selling servers, but to be compliant with ISO 27001 you also need to configure the server according to the identified risks (establishing an access control policy, setting up secure communications, cryptography, etc.).
  • Distance in the ISO 22301


    Which part of ISO 22301 speaks about the distance? We would like to reference it.


    Answer:

    There is no specific distance established in ISO 22301, but there are best practices, so I think that this article can be very interesting for you: “Disaster recovery site – What is the ideal distance from primary site?” : https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
  • Document all work procedures


    This came at the point I needed it. I am having some challenges with implementing ISO 27001. I am part of the implementation team at my workplace. I have observed resistance at my workplace because they think that it will require them to document all their work procedures. People are not willing to put down step-by-step documents of what and how they do their work; they feel threatened. The challenge I have is that I am unsure if they will be required to document all they do as part of the operational procedures documentation.
    Please, how do I handle this?


    Answer:

    It is not mandatory to have a document for all clauses or requirements of ISO 27001:2013. If you want to know the list of mandatory (and non-mandatory) documents required by the standard, please read this article: “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Finally, I recommend that you read this article: "8 criteria to decide which ISO 27001 policies and procedures to write" : https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Strategic and operational risks


    Top management ownership of risks - I have adopted an approach which has strategic and operational risks. I believe that strategic risks should be high level and low in number; an example of a strategic risk would be systemic failure of the ISMS, or an information breach due to malware. At a detailed / operational level, there are many risks, such as a Windows 2003 server reaching end of support, but I wouldn't expect that to be owned by top management.
    What are your thoughts re this, please?


    Answer:

    I think that your approach (strategic and operational risks) is correct; according to ISO 27000:2014, the risk owner is a “person or entity with accountability and authority to manage a risk”.

    For more information about this, please read this article “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Certification proposal


    I would like to get a quote for how much it would cost me to certify my company against ISO 22301:2012.

    Answer:

    I assume that you have implemented ISO 22301 in your organization. If so, as you already know, the next step is to get certified, and to do that you need a certification body (we can help you with the implementation, but we are not a certification body). There are many certification bodies in the world, so you can request a proposal from several of them and select the best one for your company. Finally, I think that this article can be very useful for you (in English): “How to choose a certification body” : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Disaster recovery and Incident handling


    Which is the most important between Disaster Recovery and Incident Handling?


    Answer:

    The main difference is in timing. When a disruption takes place (related to information security), it can be handled through the security incident procedure (and a record with information about the incident related to the disruption can be generated), and afterwards you can activate the Disaster Recovery. Here it may be interesting to use a tool that helps you to activate the Disaster Recovery automatically, under certain parameters, when a disruption is detected.

    Finally, I think that this article about security incidents can be interesting for you: “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/
