Search results

  • Risk assessment for Information security


    There are many similarities between ISO 27001 and PCI-DSS, which can be useful for you. According to requirement 12.2 of PCI-DSS, you need to implement a risk assessment process, so I suppose that you have a risk assessment methodology based on ISO 27005, OCTAVE, or similar. In this case, you can use the same methodology for the implementation of ISO 27001 (for the risk assessment & treatment), but thinking about assets related to information security (taking into account the scope of the ISMS). You can read these 2 articles about ISO 27001 and PCI-DSS: “PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences”: https://advisera.com/27001academy/knowledgebase/pci-dss/ and “PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification”: https://advisera.com/27001academy/knowledgebase/pci-dss/
    Regarding the risk register, if you want, you can try our methodology; there are templates for what you want (you can see a free version of all templates by clicking on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
  • ISMS Plan

    Hi, I have been asked to write an ISMS plan for my organization. My organization wants me to include dependencies, resources, and risk sections along with the timelines. Are there any templates for this? Can you help me with this? Thanks, Vijay
  • Scope Document, Org. Chart & Roles and Responsibilities

    Sure, you can merge these documents into a single document; there is no problem with the standard, although we recommend you have different documents because they are different things. Also, I think it is very important not to duplicate documents, so for example, if you have a security policy in the Manual, it is not necessary to have another independent document with the same content.
    Anyway, this article may be interesting for you: “Is the ISO 27001 Manual really necessary?”: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
  • Assessing the risks after the controls are applied


    Basically, you should assess the residual risks using the same criteria as described in the article you're referring to. This means you have to think about how the consequences would be decreased when the controls are applied, and also how the likelihood would be decreased in the same case.

    For more information, please read this article: “Why is residual risk so important?”: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • SOA template aligned with 27001:2005 or 2013

    Our Statement of Applicability template is aligned with the 2013 revision of ISO 27001, because the 2005 revision is no longer valid. The revision does matter, because the SoA needs to display all the controls: in the 2005 revision there were 133 controls, while in the current 2013 revision there are 114 controls.

    See also this article: “Infographic: New ISO 27001 2013 revision – What has changed?”: https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
  • Risks involved in going full ISO compliant


    I assume you are speaking about ISO 27001? For this standard, there is no universal list of risks that would be applicable to every company; the point is that each company must determine which risks are applicable to them.

    These materials will help you:

    - Article: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Webinar: “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Catalogue of vulnerabilities and threats: https://www.infosecpedia.in**************************
  • ISMS Policy and Objectives

    There is a list of mandatory documents that you need to implement ISO 27001, and it contains the "Information security policy and objectives", which I think is very similar to the document that you need. For more information about the Information Security Policy, please read this article: "Information security policy - how detailed should it be?": https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    This article may also be interesting for you: "ISO 27001 control objectives - Why are they important?": https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    Finally, here you can find a list of mandatory (and non-mandatory) documents: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Security controls


    I am doing a PhD in Information Security risk analysis. My focus is on security controls. I am an academician; I don't have any practical exposure. I have just cleared the ISO 27001:2013 lead auditor course conducted by BSI.

    Can you help me in this regard?

    Answer:

    Sure, we have very useful information about security controls. For example, this article may be interesting for you: “Overview of ISO 27001:2013 Annex A”: https://advisera.com/27001academy/iso-27001-controls/
    Anyway, in ISO 27001 there is also an important concept related to the security controls: the Statement of Applicability (SoA), which is a document that establishes the applicability of each control. For more information about this, please read this article: “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Interested party


    I would like some clarifications for the query below.
    I see in the standard the use of terms such as:
    - Suppliers (A15)
    - Contractors (A.16.1.3)
    - External parties (A5.1.1)
    - Interested parties

    Answer:

    All these terms are related to the same thing (although a supplier is an entity that gives you a service, and contractors can be individual external persons who work in your company): interested parties. And what is that? Basically, an interested party can be persons or organizations that can influence your information security and business continuity. For more information about interested parties, you can read this article: “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Risk analysis in a Data Center


    Sure, this is the right place for you; here you will find a lot of information and you can ask us all your questions. Regarding the risk of the Data Center, you need a methodology, and then you need to perform a risk analysis/treatment. One important thing: you have to differentiate between risk analysis and risk treatment. Here you will find more information about this: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    We also recommend watching this free webinar on the basic principles of risk analysis and treatment: “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/