Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Some questions about ISO 27001
Q1) 'There is no policy or procedure in place listing the controls for documents of external origin.'
So I need to work on the document control proc(or any doc which talks about doc mgmt.) and include topics on how to handle n manage the docs which are NOT prepared by my client.
I tried to list few documents of external origin:
Customer prints
Industry regulations
ISO Standards
References used for your documentation
Corporate guidance documents
Can you tell me what exactly is required when its said 'documents of external origin'?
Q2) How can I help the Management review to include
(A) Changes in external & internal issues that are relevant to ISMS
(B) Feedback on InfoSec performance on fulfillment of information security objectives as required by ISO 27001:2013)
Q3) On clause 4.2, have tried discussing the same with Alan,..
@Alan : Please follow up on this one too
Answer:
Point 1: You are ok, furthermore can be external documents: reports of external auditors, project plans of your clients, and any document external to your organization (where the ISMS is implemented). Anyway, I suggest you that the control of external documents is almost the same as the control of internal documents. For more information, please read this article "Document management in ISO 27001 & BS 25999-2" : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Point 2: (A) You need to request to any change to external/internal issues and you can develop a report with conclusions about this, (B) You can develop a report of conclusions of the risk assessment & treatment. Also these articles can be interesting for you:
Why is management review important for ISO 27001 and ISO 22301? : https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
How to perform monitoring and measurement in ISO 27001: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Point 3: Sorry but I do not understand this question. Can you reformulate it? Anyway, this article about interested parties can be interesting for you How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
Basic information about ISO 27001
Sure, we have many interesting articles for you:
What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/
The basic logic of ISO 27001: How does information security work? : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Overview of ISO 27001:2013 Annex A: https://advisera.com/27001academy/iso-27001-controls/
ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ -
Documentation for cloud services
Answer:
Our templates are developed for any type of business so lots of our clients are cloud companies, anyway if you are interested in cloud computing and information security, this article can be interesting for you Cloud computing and ISO 27001 / BS 25999 : https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/ -
Risk assessment for Information security
There are many similarities between ISO 27001 and PCI-DSS, it can be useful for you. According to the requirement 12.2 of PCI-DSS, you need to implement a risk assessment process, so I suppose that you have a risk assessment methodology based on ISO 27005, OCTAVE, or similar. On this case, you can use the same methodology for the implementation of the ISO 27001 (for the risk assessment & treatment), but thinking on assets related to information security (taking into account the scope of the ISMS). You can read these 2 articles about ISO 27001 and PCI-DSS PCI-DSS vs. ISO 27001 Part 1 Similarities and Differences : https://advisera.com/27001academy/knowledgebase/pci-dss/ and PCI-DSS vs. ISO 27001 Part 2 Implementation and Certification: https://advisera.com/27001academy/knowledgebase/pci-dss/
Regarding to the risk register, if you want, you can try our methodology, there are templates for that you want (you can see a free version of all templates clicking on Free Demo tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/ -
ISMS Plan
Hi, I have been asked to write a ISMS plan for my organization. My organization wants me to include dependencies, resources, risk sections along with the timelines? Is there any templates for this? can you help me in this?? Thanks, Vijay -
SCope Documnet, ORg.Chart & Roles and Responsibilities Roles and Responsibil
Sure, you can merge these documents in an unique document, there is no problem with the standard, although we recommend you to have different documents because there are different things. Also I think that it is very important to not duplicate documents, so for example, if you have a security policy in the Manual, it is not necessary to have another independent document with the same content.
Anyway, this article can be interesting for you Is the ISO 27001 Manual really necessary? : https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/ -
Assessing the risks after the controls are applied
Basically you should assess the residual risks using the same criteria as described in the article you're referring to - this means you have to think how the consequences would be decreased when the controls are applied, and also how the likelihood would be decreased in the same case.
For more information please read this article Why is residual risk so important? : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/ -
SOA template aligned with 27001:2005 or 2013
Our Statement of Applicability template is aligned with 2013 revision of ISO 27001, because 2005 revision is not valid any more. The revision does matter, because SoA needs to display all the controls - in 2005 revision there were 133 controls, while in the current 2013 revision there are 114 controls.
See also this article: Infographic: New ISO 27001 2013 revision What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/ -
Risks involved in going full ISO compliant
I assume you are speaking about ISO 27001? For this standard, there is no universal list of risks that would be applicable to every company - the point is that each company must determine which risks are applicable for them.
These materials will help you:
article ISO 27001 risk assessment & treatment 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Catalogue of vulnerabilities and threats: https://www.infosecpedia.in************************** -
ISMS Policy and Objectives
There are a list of mandatory documents that you need to implement the ISO 27001, and it contains "Information security policy and objectives" that I think is very similar to the document that you need. For more information about the Information Security Policy, please read this article "Information security policy - how detailed should it be?" : https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
This article can also interesting for you "ISO 27001 control objectives - Why are they important?" : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Finally, here you can find a list of mandatory documents (and non mandatory) "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/