
  • Document all work procedures


    This came at the point I needed it. I am having some challenges with implementing ISO 27001. I am part of the implementation team at my workplace. I have observed resistance at my workplace because they think that it will require them to document all their work procedures. People are not willing to put down step-by-step documents of what and how they do their work; they feel threatened. The challenge I have is that I am unsure if they will be required to document all they do as part of operational procedures documentation.
    Please, how do I handle this?
     

    Answer:

    It is not mandatory to have a document for all clauses or requirements of ISO 27001:2013. If you want to know the list of mandatory (and non-mandatory) documents required by the standard, please read this article: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Finally, I recommend you to read this article: "8 criteria to decide which ISO 27001 policies and procedures to write": https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Strategic and operational risks


    Top management ownership of risks - I have adopted an approach which has strategic and operational risks. I believe that strategic risks should be high level and low in number; an example of a strategic risk would be systemic failure of the ISMS, or an information breach due to malware. At a detailed / operational level, there are many risks, such as a Windows 2003 server reaching end of support, but I wouldn't expect that to be owned by top management.
    What are your thoughts on this, please?
     

    Answer:

    I think that your approach (strategic and operational risks) is correct. According to ISO 27000:2014, the risk owner is the “person or entity with accountability and authority to manage a risk”.

    For more information about this, please read this article “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Certification proposal


    I would like to get a quote for how much it would cost me to certify my company to ISO 22301:2012.
     

    Answer:

    I assume you have ISO 22301 implemented in your organization. If so, as you already know, the next step is certification, and to do that you need a certification body (we can help you with the implementation, but we are not a certification body). There are many certification bodies in the world, so you can request proposals from several of them and select the best one for your company. Finally, I think this article may be very useful for you (in English): “How to choose a certification body”: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Disaster recovery and Incident handling


    What is more important: Disaster Recovery or Incident Handling?

     

    Answer:

    The main difference is in timing. When a disruption takes place (related to information security), it can be handled through the security incident procedure (and a record with information about the incident related to the disruption can be generated), and afterwards you can activate the Disaster Recovery. Here it may be interesting to use a tool that helps you activate the Disaster Recovery automatically, under certain parameters, when a disruption is detected.

    Finally, I think that this article about security incidents can be interesting for you: “How a change in thinking can stop 59% of security incidents”: https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/
  • Password policy


    When one is filling in the implementation template for the policies, for example the password policy, which would cover sections A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1 and A.9.4.3 of control 9, Access control.

    To clear up this doubt, because my understanding is that when you fill in the template, it covers the controls of the ISO standard that it includes.
     

    Answer:

    Yes, you are right: all our templates have, in the "Características" tab ("Features" in the English version), information about the clauses of the standard involved. For example, in the "Política de claves" template you can see clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1 and A.9.4.3 (the same ones you referenced in your email), which are indeed related to the password policy. You can find that "Política de claves" template here: https://advisera.com/27001academy/es/documentation/politica-de-claves/
    In any case, keep in mind that this document is not mandatory for ISO 27001:2013; it is only a good practice. If you want to know the full list of mandatory (and non-mandatory) documents, you can read the following article (in English): “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Asset based


    An ISO practitioner told me that according to the ISO 27001:2013 standard, risk assessment should be based on services instead of assets. It should be services -> threats -> vulnerabilities -> risk, and then map the risk to assets. Is this correct?
    Also, will you please share a sample organisation structure that includes CISO, ISM and Information Security Officer along with CIO, COO and CEO?
     

    Answer:

    With ISO 27001:2013 it is not necessary that your methodology be based on assets; it can be based on services or also on processes. And you can assign threats/vulnerabilities to each service, and afterwards map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you to read this article: “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
    Regarding your question related to the CISO, we do not have a document with this, but I think that this article can be interesting for you: “Chief Information Security Officer (CISO) - where does he belong in an org chart?”: https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Risk analysis


    I would like to know about ISO 27001:2013 risk analysis.
     

    Answer:

    It is a good question because it is the most important point in ISO 27001. I recommend you to read this article: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    And I also think that you should see this free webinar: “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Access control policy


    I bought the document “Access Control Policy”. It is OK, but physical security is barely part of this document. The security area concept is necessary for ISO 27001. I tried to search for a document to use as a base for my concept, but I was not able to find one. In ISO 27002 it is defined to create such a concept with several areas (like Zone A, B or C) and to have a matrix which describes the restrictions in the areas. Maybe such a document can be added to your portfolio.

     

    Answer:

    Thanks for your suggestions, but keep in mind that there are different things: “A.9 Access control” and “A.11 Physical and environmental security”. The document “Access Control Policy” is only for “A.9 Access control”, and for “A.11 Physical and environmental security” it is not mandatory to have a document (see this list of mandatory and non-mandatory documents: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/). Anyway, related to security areas, you can find in the standard the control A.11.1.5 Working in secure areas, and we have a template for this: “Procedures for Working in Secure Areas”: https://advisera.com/27001academy/documentation/procedures-for-working-in-secure-areas/ I hope that it can help you with your concept.
    Finally, this article can also be interesting for you: "Physical security in ISO 27001: How to protect the secure areas": https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
  • A11.2.7 Secure disposal or re-use of equipment

    According to ISO 27001:2013 it is not mandatory, but I would add that it can be recommendable because it is evidence and can be requested by an auditor, and I think that it is very easy to keep records when a secure disposal or reuse of equipment takes place. If you want to know the list of mandatory (and non-mandatory) documents required by the standard, please read this article: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Finally, this article about records can also be interesting for you: "Records management in ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Risk assessment & treatment and Statement of Applicability


    Depends on whether it will assist. The Statement of Applicability demonstrates controls (countermeasures); however, the part we are missing is the whole risk 'thing' that underpins it: where is the start point for managing risk, acceptable risk criteria, risk treatment plan etc.? As an example... how would I demonstrate the risk and mitigation and then relate that to the Statement of Applicability?
     

    Answer:

    During the risk treatment you identify the controls that are necessary because you identified risks that need to be decreased, and in the Statement of Applicability (SoA) you can justify the inclusion and exclusion of these controls. So you need a document for the risk treatment and a document for the SoA. Here you can find a free template for both (you can see a free version clicking on “Free Demo” tab):
    Risk Treatment Table: https://advisera.com/27001academy/documentation/risk-treatment-table/
    Statement of Applicability: https://advisera.com/27001academy/documentation/statement-of-applicability/
    For more information about this, please read this article: "ISO 27001 risk assessment & treatment - 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
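As an added example (not from this thread or from Advisera's templates) of the chain the answer above and the earlier "Asset based" answer describe: a service-based risk register, a treatment plan filtered by a risk acceptance criterion, and a Statement of Applicability derived from that plan so every included control is justified by the risk that selected it. The 1-5 scales, the acceptance threshold, the three risks and the Annex A subset are all constructed for the example.

```python
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # constructed acceptance criterion: likelihood x impact above this must be treated
# Subset of Annex A controls the SoA must decide on (constructed for this example)
ANNEX_A = {
    "A.9.2.1": "User registration and de-registration",
    "A.9.4.3": "Password management system",
    "A.11.1.5": "Working in secure areas",
    "A.12.2.1": "Controls against malware",
}

@dataclass
class Risk:
    rid: str
    service: str            # service-based assessment; no mapping to assets is required
    threat: str
    vulnerability: str
    likelihood: int         # 1..5 on a constructed scale
    impact: int             # 1..5 on a constructed scale
    controls: list = field(default_factory=list)  # Annex A controls chosen during treatment

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

# Constructed risk register: R3 is below the acceptance criterion and is simply accepted
REGISTER = [
    Risk("R1", "Email service", "Malware", "No endpoint protection", 4, 4, ["A.12.2.1"]),
    Risk("R2", "Customer portal", "Credential guessing", "Weak passwords", 3, 3, ["A.9.4.3", "A.9.2.1"]),
    Risk("R3", "Intranet wiki", "Defacement", "Unpatched CMS", 1, 2),
]

def risk_treatment_plan(register):
    """Risks above the acceptance criterion, each with the controls selected to reduce it."""
    return {r.rid: r.controls for r in register if r.level > ACCEPTABLE_RISK}

def treatment_gaps(register):
    """Unacceptable risks for which no control was selected: the plan is incomplete there."""
    return [rid for rid, ctrls in risk_treatment_plan(register).items() if not ctrls]

def statement_of_applicability(register):
    """Derive the SoA: a control is applicable when a treated risk selected it, justified by that risk."""
    plan = risk_treatment_plan(register)
    soa = {}
    for ctrl, name in ANNEX_A.items():
        why = [rid for rid, ctrls in plan.items() if ctrl in ctrls]
        soa[ctrl] = {"name": name, "applicable": bool(why),
                     "justification": "Selected to treat " + ", ".join(why) if why
                     else "No risk in the treatment plan requires this control"}
    return soa
```

Running `statement_of_applicability(REGISTER)` marks A.12.2.1, A.9.4.3 and A.9.2.1 applicable with the risk IDs that require them and excludes A.11.1.5, which is the traceability an auditor looks for between the risk treatment table and the SoA.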
