  • Operation and practices documented


    If you want to evaluate risks, the more important thing is to identify the threats/vulnerabilities related to each asset. You can consider the current security controls, but in this case it is not necessary (or not mandatory by the standard) to have documents for the operation of these current security controls. You will need to document the operation or practices when you implement the security controls (risk treatment). For more information about the risk assessment, please read this article “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    Finally, in this article you will find a list of mandatory (and non-mandatory) documents “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • ISO 27001 implementation


    We can help you implement ISO 27001 in your organization, because we have a toolkit with all the necessary documentation and we can also give you support during the implementation of the documents. If you are interested in our templates, you can see a free version here by clicking on the “Free demo” tab:

    https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
    You will find the price of all the documents there (you will also find all the templates in Spanish). The price of the toolkit also includes tutorials and recorded webinars, but we do not have courses. Finally, for the certification you need to choose a certification body, and for this we recommend reading this article: “How to choose a certification body”: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Do all the policies and procedures need to be in Word/PDF format?

    The ISO 27001 standard does not establish the format of the documents, but we recommend that you always use the same format, at least for the procedures (and Excel for records). Anyway, if you want to have a procedure or a policy in Excel format, it is not a problem for the standard.

    This article about the list of mandatory (and non-mandatory) documents may also be interesting for you: “List of mandatory documents required by ISO 27001 (2013)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Employee equipment in the ISMS scope?


    I assume you are referring to our ISMS Scope template? If yes, we have suggested leaving out the employee equipment (that is not owned by the company) - e.g. laptops, mobile phones - because this equipment is also used for private purposes. For such equipment it is much easier to regulate the use with a BYOD Policy - in this way, you can apply security rules to such equipment even if it is outside the scope of your ISMS.

    If you want to include such equipment in the scope, you do not have to list it in the ISMS Scope document - you should simply list all the processes, departments and locations that are included in the scope.

    This article will also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Management responsibility and resource management


    This is one of the most important points of the ISO 27001 implementation, because in the ISMS it is necessary to make decisions, and for this top management is absolutely necessary. Therefore, we recommend reading this great article (in English): “Roles and responsibilities of top management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Some particular controls partially implemented


    Yes, absolutely, you can perform a revision after the implementation and update the state of all security controls in the SoA. Finally, I think it is interesting to know the importance of the SoA, so please read this article “The importance of Statement of Applicability for ISO 27001”:

    https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Type of assets



    Answer:

    If your question is related to the classification of assets, yes, absolutely, there can be various types of assets, and a workstation can be of type “hardware”. Regarding the asset inventory, I recommend that you read this article “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    And if your question is related to the use of a class of asset called “workstation”, you can also include an asset type “workstation” in your methodology, but I think that it is not a good idea, because a workstation, from the point of view of information security, can be very similar to a server, so it is better to establish a higher-level type for both.
  • Maintenance of the ISMS


    I am in a relatively small (around 80 people) software company that already has the 27001 certification and am in a brand new position as Process Innovation Analyst where I have to make sure the certification is updated, improved, etc.

    If you have any suggestions as to how to go about making a proper maintenance of the certification I would really appreciate it.


    Answer:

    It is very important for us to know that our documentation can help you; we appreciate your feedback. One question: have you made the update to the new ISO 27001:2013? It is very important. Regarding the maintenance, the important things are to perform the internal audit each year, obtain management support, measure with your defined indicators, perform tests of the business continuity plan, hold meetings to deal with questions related to the ISMS, review the information security policy, define new information security objectives, perform the risk assessment & treatment, etc.
    For more information about the maintenance of the ISMS, please read this article “How to maintain the ISMS after the certification”: https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
  • Generic SOA


    There is no generic SoA, or at least I do not know of one. To know exactly which controls you need to apply in your organization, first you need to perform the risk assessment, which gives you information about the risks that you need to reduce. And as you know, you can reduce risks with the security controls, and in this case you will need to apply them in the Statement of Applicability.
    For more information about the steps for the execution of the risk assessment & treatment, please read this article “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    This article may also be interesting for you: “The importance of Statement of applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Adaptation to ISO 27001:2013


    I read this information: "Whilst certificates are dated for a three year period, ISO/IEC 27001:2005 will be obsolete from 1 October 2015 and therefore all certificates to the 2005 version of ISO/IEC 27001 expire on this date." from https://www.bsigroup.com/en-GB/iso-27001-i******************************************; which makes me quite confused about the exact expiry date.

    Answer:

    All companies with the old version of the standard (ISO 27001:2005) have some time for the adaptation to the new version (ISO 27001:2013), but I think that the dates for this adaptation depend on each company. I think that you need to ask your certification body directly.
    Anyway, our recommendation is that you implement the new version as soon as possible. There are no important changes, so the adaptation is very easy. To know the differences between the old and new versions of ISO 27001, you can read this article “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/