Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Reasons to get the certification


    I haven't had a chance to study the docs yet, but will within the next week or so. Our basic questions are: (1) would a certification be useful for our business? (beyond the obvious security benefits) and (2) if so, which certification? ISO, SSAE, etc.
     

    Answer:

    1) There can be various reasons to get the certification, here you can find more information about this “Should your company go for the ISO 27001 / ISO 22301 certification?” : https://advisera.com/27001academy/iso-27001-certification/
    2) ISO has more prestige at international level, so if you want a certificate with an international recognition, we recommend you ISO.

  • Server setting to be compliant for ISO 27001


    I am looking for server setting to be compliant for ISO 27001
     

    Answer:

    From my knowledge, there are no individual servers in, for example in a shop, prepared to be compliant with ISO 27001, because each company needs to configure it in accordance with their business, and also with the requisites of the ISO 27001. Maybe you can find a data center certified in ISO 27001, or a company selling servers, but also to be compliant to ISO 27001 you need to configure the server according to identified risks (establishing a control access policy, setting secure communications, cryptography, etc. )

  • Distance in the ISO 22301


    which part of ISO speak about the distance? We would like to reference to. ISO 22301

     

    Answer:

    There is no specific distance established in the ISO 22301, but there are best practices, so I think that this article can be very interesting for you “Disaster recovery site – What is the ideal distance from primary site?” : https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

  • Document all work procedures


    This came at the point i needed it. I am having some challenges with implenting the iSO27001. I am part of the implementation team at my work place. I have observed resistance at my work place because they think that it will require them to document all their work procedures. People are not willing to put down step by step documents of what and how they do their work. they feel threatended. The challenge i have is am unusure if they will be required to document all they do as part of operational procedures documentation.
    Please how do i handle this.
     

    Answer:

    It is not mandatory to have a document for all clauses or requirements of the ISO 27001:2013, if you want to know the list of mandatory documents (and non mandatory) required by the standard, please read this article: “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Finally, I recommend you to read this article "8 criteria to decide which ISO 2700 1 policies and procedures to write" : https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

  • Strategic and operational risks


    Top management ownership of risks - I have adopted an approach with has strategic and operational risks.  I believe that strategic risks should be high level and low in number - and example of strategic risk would be systemic failure of ISMS, or information breach due to malware.  At a detailed / operational level, there are many risks, such as windows 2003 server reaching end of support, but I wouldn't expect that to be owned by top management.
    What are your thoughts re this please?
     

    Answer:

    I think that your approach (strategic and operational risks) is correct, according to ISO 27000:2014, the risk owner is “person or entity with accountability and authority to manage a risk”. 

    For more information about this, please read this article “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

  • Propuesta certificacion


    quisiera realizar una cotización de cuanto me costaría certificar mi empresa con la ISO 22301:2012
     

    Respuesta:

    Supongo que tienes implementada la ISO 22301 en tu organización. Si es así, como ya sabes el siguiente paso es certificar, y para hacerlo necesitas una entidad certificadora (nosotros podemos ayudarte con la implementación, pero no somos una entidad certificadora). Hay muchas entidades certificadoras en el mundo, por tanto puedes solicitar o pedir una propuesta a varias de ellas y seleccionar la mejor para tu empresa. Finalmente, creo que este artículo puede ser muy útil para ti (en inglés) “How to choose a certification body” : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

  • Disaster recovery and Incident handling


    what is the most important between Disaster recovery and Incident Handling?

     

    Answer:

    The main difference is in timing. When a disruption takes place (related to information security), it can be handled through the procedure of security incidents (and can be generated a register with information about the incident related to the disruption), and after you can activate the Disaster recovery. Here maybe can be interesting to use a tool that help you to activate automatically, under certain parameters, the Disaster recovery when a disruption is detected. 

    Finally, I think that this article about security incidents can be interesting for you “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/

  • Política de claves


    Cuando uno esta llenando la plantilla de implementacion de las políticas ejemplo la política de clave la cual abarcaría los acapite A.9.2.1, A 9.2.2, A.9.2.4, A.9.3.1 y A 9.4.3. Del control  9 de Control de accesos.

    Para salir de esta duda, por que a mi entender es que cuando usted llena la plantilla esta abarca los controles que esta tiene de la norma iso.
     

    Respuesta:

    Sí, estás en lo cierto, todas nuestras plantillas tienen en la pestaña "Características" (o "Features" en la versión en inglés) información sobre las cláusulas de la norma implicadas. Por ejemplo, en la plantilla "Política de claves" puedes ver las cláusulas A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1 y A.9.4.3 (las mismas que has referenciado en tu correo), las cuales efectivamente están relacionadas con la política de claves (o también denominada política de contraseñas). Aquí puedes encontrar dicha plantilla "Política de claves" : https://advisera.com/27001academy/es/documentation/politica-de-claves/
    En cualquier caso, ten en cuenta que este documento no es obligatorio para la ISO 27001:2013, es sólo una buena práctica. Si quieres conocer la lista completa de documentos obligatorios (y no obligatorios) puedes leer el siguiente artículo (en inglés) “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  • Asset based


    One of ISO practitioner told me According to ISO27K:2013 standard, Risk assessment should be based on services instead assets. It should be services --Threats --Vulnerabilities --risk and then map risk to assets. Is this correct?
    Also will you please share a sample organisation structure that includes CISO, ISM and Information Security officer along with CIO, COO and CEO
     

    Answer:

    With the ISO 27001:2013 is not necessary that your methodology be based on assets, can be based in services or also in process. And you can assign, to each service, threats/vulnerabilities, and after map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you to read this article “What has changed in risk assessment in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
    Regarding to your question related to the CISO, we do not have a document with this, but I think that this article can be interesting for you “Chief Information Security Officer (CISO) - where does he belong in an org chart?” : https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

  • Risk analysis


    Would like to know about ISO 27001:2013 Risk Analysis
     

    Answer:

    It is a good question because is the point more important in the ISO 27001. I recommend you to read this article “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    And also I think that you should see this free webinar “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Page 1065-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +