  • Password policy ("Política de claves")


    When one is filling in the implementation template for the policies, for example the password policy, which would cover sections A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1 and A.9.4.3 of control 9, Access control.

    I want to resolve this doubt, because my understanding is that when you fill in the template, it covers the controls of the ISO standard that the template lists.


    Answer:

    Yes, you are right: all our templates have, in the "Características" tab (or "Features" in the English version), information about the clauses of the standard involved. For example, in the "Política de claves" (Password Policy) template you can see clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1 and A.9.4.3 (the same ones you referenced in your email), which are indeed related to the password policy ("política de claves", also called "política de contraseñas"). You can find that "Política de claves" template here: https://advisera.com/27001academy/es/documentation/politica-de-claves/
    In any case, keep in mind that this document is not mandatory for ISO 27001:2013; it is only a good practice. If you want to know the complete list of mandatory (and non-mandatory) documents, you can read the following article (in English), "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Asset based


    One ISO practitioner told me that, according to the ISO27K:2013 standard, risk assessment should be based on services instead of assets. It should be services -> threats -> vulnerabilities -> risk, and then map risk to assets. Is this correct?
    Also, will you please share a sample organisation structure that includes a CISO, ISM and Information Security Officer along with the CIO, COO and CEO?


    Answer:

    With ISO 27001:2013 it is not necessary for your methodology to be based on assets; it can be based on services or also on processes. And you can assign threats/vulnerabilities to each service, and afterwards map risks to assets (although I think that this last step is not necessary). Anyway, I recommend you read this article "What has changed in risk assessment in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
    Regarding your question related to the CISO, we do not have a document with this, but I think that this article can be interesting for you, "Chief Information Security Officer (CISO) - where does he belong in an org chart?": https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Risk analysis


    I would like to know about ISO 27001:2013 risk analysis.


    Answer:

    It is a good question because it is the most important point in ISO 27001. I recommend you read this article "ISO 27001 risk assessment & treatment – 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    And I also think that you should see this free webinar "The basics of risk assessment and treatment according to ISO 27001": https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Access control policy


    I bought the document "Access Control Policy". It is OK, but physical security is nearly not part of this document. The security area concept is necessary for ISO 27001. I tried to search for a document to use as a base for my concept, but I was not able to find one. In ISO 27002 it is defined to create such a concept with several areas (like Zone A, B or C) and to have a matrix which describes the restrictions in the areas. Maybe such a document can be added to your portfolio.


    Answer:

    Thanks for your suggestions, but keep in mind that these are different things: "A.9 Access control" and "A.11 Physical and environmental security". The document "Access Control Policy" is only for "A.9 Access control", and for "A.11 Physical and environmental security" it is not mandatory to have a document (see this list of mandatory and non-mandatory documents, "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/). Anyway, related to security areas, you can find in the standard the control A.11.1.5 Working in secure areas, and we have a template for this, "Procedures for Working in Secure Areas": https://advisera.com/27001academy/documentation/procedures-for-working-in-secure-areas/ I hope that it can help you with your concept.
    Finally, this article can also be interesting for you, "Physical security in ISO 27001: How to protect the secure areas": https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
  • A11.2.7 Secure disposal or re-use of equipment

    According to ISO 27001:2013 it is not mandatory, but I would add that it can be recommendable because it is evidence and can be requested by an auditor, and I think that it is very easy to keep records when a secure disposal or reuse of equipment takes place. If you want to know the list of documents required by the standard (mandatory and not mandatory), please read this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Finally, this article about records can also be interesting for you, "Records management in ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Risk assessment & treatment and Statement of Applicability


    It depends on whether it will assist. The Statement of Applicability demonstrates controls (countermeasures); however, the part we are missing is the whole risk 'thing' that underpins it: where is the start point for managing risk, acceptable risk criteria, risk treatment plan, etc.? As an example, how would I demonstrate the risk and mitigation and then relate that to the Statement of Applicability?


    Answer:

    During risk treatment you identify the controls that are necessary because you identified risks that need to be decreased, and in the Statement of Applicability (SoA) you can justify the inclusion and exclusion of these controls. So you need a document for the risk treatment and a document for the SoA. Here you can find a free template for both (you can see a free version by clicking on the "Free Demo" tab):
    Risk Treatment Table: https://advisera.com/27001academy/documentation/risk-treatment-table/
    Statement of Applicability: https://advisera.com/27001academy/documentation/statement-of-applicability/
    For more information about this, please read this article "ISO 27001 risk assessment & treatment - 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISO 27001 Lead Auditor Course


    I have several questions concerning ISO 27001 Lead Auditor Course.
    1. For example, if someone has passed this type of course for ISO 27001:2005, can he be the lead auditor for implementation of ISO 27001:2013? Also, if someone passes the course for ISO 27001:2013, can he be the lead auditor for the next version of this standard?
    2. My second question is the approximate price of the ISO 27001 Lead Auditor course.
    3. The next question is the following: is it necessary to pass the course for internal auditor before taking the course for lead auditor, or can you go straight to the course for lead auditor?
    4. Is an ANSI-accredited certificate through PECB valid all over the world?
    5. Is English the only language for taking the exam and gaining the ISO 27001 Lead Auditor certificate? Here I am not talking about the attending language of the course.
    6. Can you point me to some science conferences in Europe concerning information security standardization?


    Answer:

    1. If you have the course for ISO 27001:2005 and you are a Lead Auditor with this standard, generally you need to take another course for the adaptation to ISO 27001:2013; otherwise you only have the certificate for Lead Auditor ISO 27001:2005, which can give you problems to demonstrate your experience with ISO 27001:2013. Anyway, keep in mind that the Lead Auditor course is not for implementers; please read this article "Lead Auditor Course vs. Lead Implementer Course – Which one to go for?": https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
    2. It depends on the company or the trainer, but I think that an estimate can be between $1,000-3,000 (40-50 hours).
    3. You can go to the Lead Auditor course.
    4. These are different things. The Professional Evaluation and Certification Board (PECB) is an American personnel certification body, while the American National Standards Institute (ANSI) is the official US representative of the International Organization for Standardization (ISO), which is related to the certification of companies. So, if you are interested in a personal certification, you can take a PECB official exam, and you will have the accreditation of a US company. For more information about certification for persons vs. organizations, please read this article "ISO 27001 certification for persons vs. organizations": https://advisera.com/27001academy/iso-27001-certification/
    5. It depends on the company. Probably in your country there are various companies that perform the course/exam that you want in a local language. Anyway, keep in mind that we have resources in various languages; for example, you can see this free webinar "ISO 27001 Lead Auditor Course preparation training": https://advisera.com/training/iso-27001-lead-auditor-course/
    6. ENISA is the European Union Agency for Network and Information Security, and I think that there you can find information about conferences: https://www.enisa.europa.eu
  • Implementation of A.14.3.1 and A.14.2.5 controls


    What do we have to do for implementation of the A.14.3.1 control? Also A.14.2.5 Secure system engineering principles?


    Answer:

    Regarding control A.14.3.1, basically you need to implement access control for the data that the organization uses for tests.
    Regarding control A.14.2.5, you can read in the "Implementation guidance" of control 14.2.5 the following: "Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility". So, this control is related to the design of large information systems, which also includes the development of software. Anyway, you can use our template to implement this control in your organization (you can see a free version if you click on the "Free Demo" tab), "Secure Development Policy": https://advisera.com/27001academy/documentation/secure-development-policy/. And you can also use this template related to IT procedures, "Operating Procedures for Information and Communication Technology": https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
  • Supplier policy and risk assessment & treatment


    Could you help me with:
    - an example of a supplier relationship policy based on ISO 27001;
    - an example methodology based on likelihood and impact criteria.


    Answer:

    Sure, this is your site. Regarding the supplier relationship, this article can be interesting for you, "6-step process for handling supplier security according to ISO 27001": https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/. At the end of the article, you have a link to the template "Supplier Security Policy"; you can see a free version by clicking on the "Free Demo" tab.
    Regarding the methodology, I suppose that you are referring to risk assessment & treatment. If so, this article can be interesting for you, "How to write ISO 27001 risk assessment methodology": https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/. And also, at the end of the article, you can find the free template "Risk Assessment and Risk Treatment Methodology". This methodology is based on assets, and the risk is calculated by likelihood and consequences (similar to impact) of threats and vulnerabilities.
  • Actions to address risks and opportunities - 6.1.1 General

    It is not mandatory to have a document for clause 6.1.1; where you need to have a document is in clauses 6.1.2 and 6.1.3, which are related to 6.1.1 and describe how to address risks and opportunities. You can see in the standard, at the end of these clauses, "The organization shall retain documented information about..." So, when you see that in a clause, it means that you need a document.

    If you want to see the list of mandatory documents (and non mandatory) of the standard, please read this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/