Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 for data center
If the 2 exits are controlled from unauthorized access, there is no problem with the standard, so you need a policy of control access. I think that can be also very interesting to install video cameras in these 2 exits.
In all other respects there is no problem to implement and certify the ISO 27001 in your organization, because it is for the protection of the information of any type of business. Our templates are also developed for any type of business, and also you can have our support. If you are interested, you can see a free version of each template cl icking on Free Demo tab here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
To start a project of this type, the first thing that you need is a project plan, so this article can be interesting for you ISO 27001 project How to make it work : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
Finally I think that this article can be very interesting for you ISO 27001 Case study for data centers: An interview with Goran Djoreski : https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/ and also this article "Physical security in ISO 27001: How to protect the secure areas" : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/ -
Economic resources
We offer the toolkit with all templates that you need to implement the ISO 27001, and it has a cost but is very cheap in comparison to other options, so I think that it is the best option for you. Furthermore you can see a free version of all documents clicking on Free Demo, and of course you can ask us any doubt that you have related to the implementation of the ISO 27001 in your organization.
Regarding the internal audit of systems and control methods, we do not have such policy (we do have an internal audit procedure that covers the whole audit process in general), but you can develop your own checklist for technical items reading this article: How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
Secure development
1. A.14.2.1 Secure development policy =does this control still applicable for organization that fully outsource their development process?
2. A.14.2.2 =does this control only for during development process (i.e. coding, bug fixing), or does it includes changes when system is put into operations (i.e. new requirements, enhancement)? How does it differ from A.12.1.2? Does operating system patching/updating part of A.14.2.2 or A.12.1.2?
3. A.14.2.5 =is this only applicable for inhouse development? Is this applicable when analyzing system requirements and system design?
Answer:
Point 1:
Yes, you can apply this control, but in this case you need to request a secure development policy to the external company
Point 2:
You can consider this control for development process and also for changes in systems when you put them into operations. The control A.12.1.2 is more general (for all changes related to information security: organization, business processes, information processing facilities, etc.), and the control A.14.2.2 is specifically related to changes to systems within the development lifecycle. I think that operating system patching/updating is more related to the control A.14.2.2
Point 3:
Yes, but here you can also demand a secure system engineering principles to an external company, and yes, you can apply this control when analyzing system requirements and system design. -
Poslovnik ISMS kao generalni dokument
Prilikom implementacije ISO 9001, ISO 14001, OHSAS 18001 i sl. kao glavni dokument, izra?uje se Poslovnik koji sadri opte informacije o privrednom subjektu, pregled procedura i zapisa, eventualno, shemu organizacione strukture. Molim Vas da mi odgovorite kako izraditi Poslovni ISMS kao krovni dokument. Tako?e me interesuje u koju vrstu dokumenata spada dokumentacija iz Anex-a A (procedure ili neto drugo). Unapred zahvaljujem. -
ISO 22301 in the world
Answer:
Keep in mind that the standard is new and it is necessary time to expand to all companies of the world, but the companies interested in the standard is increasing daily, and I am sure that in the next years there will be many companies certified -
Two big doubts
Question 1: According to standard 31000 external issues can be: Setting cultural, social, political, legal, financial, technological, etc. But what information about those items I need to be in compliance with section 4.1 of ISO 27001?
Question 2: Which document should I put this information?
Answer:
Point 1: It is also the same applicable to ISO 27001, anyway this article can help you Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
Point 2: At the end of the article of the point 1, you have a link for the document Procedure for identification of requirements : https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/. You can see a free version of this template clicking on Free Demo tab, and you can use it for the clause 4.1 of the standard. -
Crucial component in any IS procedure
The crucial component of a procedure maybe be the adequate description of each activity. For example, if you have a procedure for the backups, it is very important that it describes all related activities (schedule, number of normal tapes, number of recycled tapes, etc). I think that is also very important the control of changes, to manage the modifications in the procedure.
Finally these 2 articles can be interesting for you:
How to structure the documents for ISO 27001 Annex A controls : https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
How detailed should the ISO 27001 documents be? : https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/ -
Some questions about ISO 27001
Q1) 'There is no policy or procedure in place listing the controls for documents of external origin.'
So I need to work on the document control proc(or any doc which talks about doc mgmt.) and include topics on how to handle n manage the docs which are NOT prepared by my client.
I tried to list few documents of external origin:
Customer prints
Industry regulations
ISO Standards
References used for your documentation
Corporate guidance documents
Can you tell me what exactly is required when its said 'documents of external origin'?
Q2) How can I help the Management review to include
(A) Changes in external & internal issues that are relevant to ISMS
(B) Feedback on InfoSec performance on fulfillment of information security objectives as required by ISO 27001:2013)
Q3) On clause 4.2, have tried discussing the same with Alan,..
@Alan : Please follow up on this one too
Answer:
Point 1: You are ok, furthermore can be external documents: reports of external auditors, project plans of your clients, and any document external to your organization (where the ISMS is implemented). Anyway, I suggest you that the control of external documents is almost the same as the control of internal documents. For more information, please read this article "Document management in ISO 27001 & BS 25999-2" : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Point 2: (A) You need to request to any change to external/internal issues and you can develop a report with conclusions about this, (B) You can develop a report of conclusions of the risk assessment & treatment. Also these articles can be interesting for you:
Why is management review important for ISO 27001 and ISO 22301? : https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
How to perform monitoring and measurement in ISO 27001: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Point 3: Sorry but I do not understand this question. Can you reformulate it? Anyway, this article about interested parties can be interesting for you How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
Basic information about ISO 27001
Sure, we have many interesting articles for you:
What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/
The basic logic of ISO 27001: How does information security work? : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Overview of ISO 27001:2013 Annex A: https://advisera.com/27001academy/iso-27001-controls/
ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ -
Documentation for cloud services
Answer:
Our templates are developed for any type of business so lots of our clients are cloud companies, anyway if you are interested in cloud computing and information security, this article can be interesting for you Cloud computing and ISO 27001 / BS 25999 : https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/