  • Security controls


    I am doing a PhD in Information Security risk analysis. My focus is on security controls. I am an academician; I don't have any practical exposure. I have just cleared the ISO 27001:2013 lead auditor course conducted by BSI.

    Can you help me in this regard?

    Answer:

    Sure, we have very useful information about security controls. For example, this article may be interesting for you: “Overview of ISO 27001:2013 Annex A”: https://advisera.com/27001academy/iso-27001-controls/
    Anyway, in ISO 27001 there is also an important concept related to security controls: the Statement of Applicability (SoA), which is a document that establishes the applicability of each control. For more information about this, please read this article: “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Interested party


    I would like some clarification on the query below.
    I see in the standard the use of terms such as:
    - Suppliers (A.15)
    - Contractors (A.16.1.3)
    - External parties (A.5.1.1)
    - Interested parties

    Answer:

    All these terms are related to the same thing (although a supplier is an entity that gives you a service, and contractors can be individual external persons who work in your company): interested parties. And what are they? Basically, an interested party can be a person or organization that can influence your information security and business continuity. For more information about interested parties you can read this article: “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
  • Risk analysis in a Data Center


    Of course, this is your site; here you will find a lot of information and you can ask us all your questions. Regarding the risk of the Data Center, you need a methodology and then you need to perform a risk analysis/treatment. One important thing: you have to differentiate between risk analysis and risk treatment. Here you will find more information about this: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    We also recommend that you watch this free webinar on the basic principles of risk analysis and treatment: “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Operation and practices documented


    If you want to evaluate risks, the most important thing is to identify the threats/vulnerabilities related to each asset, and you can consider current security controls, but in this case it is not necessary (or not mandatory by the standard) to have documents for the operation of these current security controls. When you will need to document the operation or practices is during the implementation of the security controls (risk treatment). For more information about the risk assessment, please read this article: “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    Finally, in this article you will find a list of mandatory (and non-mandatory) documents: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • ISO 27001 implementation


    We can help you with the implementation of ISO 27001 in your organization, because we have a toolkit with all the necessary documentation, and we can also give you support during the implementation of the documents. If you are interested in our templates, you can see a free version here by clicking on the "Demostración gratis" (Free demo) tab:

    https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
    You will find the price of all the documents there (you will also find all the templates in Spanish). The toolkit price also includes tutorials and recorded webinars, but we do not have courses. Finally, for the certification you need to choose a certification body, and for this we recommend that you read this article: "How to choose a certification body": https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Do all the policies and procedures need to be in Word/PDF format?

    The ISO 27001 standard does not establish the format of the documents, but we recommend that you always use the same format, at least for the procedures (and Excel for records). Anyway, if you want to have a procedure or a policy in Excel format, it is not a problem for the standard.

    This article about the list of mandatory (and non-mandatory) documents may also be interesting for you: "List of mandatory documents required by ISO 27001 (2013)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Employee equipment in the ISMS scope?


    I assume you are referring to our ISMS Scope template? If yes, we have suggested leaving out the employee equipment (that is not owned by the company), e.g. laptops and mobile phones, because this equipment is also used for private purposes. For such equipment it is much easier to regulate its use with a BYOD Policy; in this way, you can apply security rules to such equipment even if it is outside the scope of your ISMS.

    If you want to include such equipment in the scope, you do not have to list it in the ISMS Scope document; you should simply list all the processes, departments and locations that are included in the scope.

    This article will also help you: “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Management responsibility and resource management


    This is one of the most important points of the ISO 27001 implementation, because in the ISMS it is necessary to make decisions, and for this top management is completely necessary. Therefore, we recommend that you read this great article (in English): “Roles and responsibilities of top management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Some particular controls partially implemented


    Yes, absolutely, you can perform a revision after the implementation and update the state of all security controls in the SoA. Finally, I think that it is interesting to know the importance of the SoA, so please read this article "The importance of Statement of Applicability for ISO 27001":

    https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Type of assets



    Answer:

    If your question is related to the classification of assets, yes, absolutely, there can be various types of assets, and a workstation can be of type “hardware”. Regarding the asset inventory, I recommend that you read this article: “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    And if your question is related to the use of a class of asset called "workstation", you can also include a type of asset "workstation" in your methodology, but I think that it is not a good idea, because a workstation, from the point of view of information security, can be very similar to a server, so it is better to establish a higher level for both.