Section 9.1 - Monitoring, Measurement, Analysis and Evaluation
ISO 27001 does not require you to have a separate document for measurement - what is important is to define the objectives and the responsibilities for who is going to measure whether these objectives are fulfilled.
Objectives are documented here:
General ISMS objectives - in the Information Security Policy
Specific control objectives - in the Statement of Applicability
Responsibilities for measurement are documented in the Information Security Policy (section 4.1).
To know whether your system is ready for the ISO 27001 certification audit, the best option is to perform an internal audit. In any case, if you have purchased our toolkit, you can send us up to 5 documents and we will review them.
There are some security controls related to the protection and storage of passwords:
9.3.1 Use of secret authentication information: Regarding your question, here it is important to ensure proper protection of passwords when passwords are used as secret authentication information in automated log-on procedures and are stored.
9.4.3 Password management system: Regarding your question, here it is important to store and transmit passwords in protected form.
What is my recommendation? Use software as a password management system, and store your passwords there. It can also be interesting that other people in your organization (close to you) have access to this software.
Anyway, please remember the list of mandatory documents by reading this article, List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Keep information security
Yes, I think that you can include it in your Training and Awareness Plan, but remember that the important thing here is to perform training about information security. So, you can include this course in your plan, but I suppose that your plan also has training in information security.
I think that this article can be interesting for you for the management of your records in SharePoint: Records management in ISO 27001 and ISO 22301 : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
Finally, I recommend that you read this article, "How to perform training & awareness for ISO 27001 and ISO 22301":
We need more information about your scenario. What is the current scope? Anyway, it is not necessary to extend the scope; furthermore, if there are assets of another company, can you control them? If not, you also cannot perform the risk assessment & treatment. So, I think that the best option here is that you maintain your scope and your inventory of assets.
For more information about the definition of the scope, please read this article How to define the ISMS scope : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Anyway, in case there are assets that his company is using that are not included in the scope, then they can treat this other company as a supplier.
Question 1: Does this then mean that when the SOA controls are selected that the controls linked to the mandatory documents also needs to be selected for implementation?
Question 2: If that specific control has not been linked as a mitigating control to an identified risk, why must the document then be developed and implemented?
· Secure system engineering principles (clause A.14.2.5)
· Supplier security policy (clause A.15.1.1)
· Incident management procedure (clause A.16.1.5)
· Business continuity procedures (clause A.17.1.2)
Answer 1: If you have in your SoA a control that has been applied and it is related to a mandatory document, sure, you need to implement (and document) it.
Answer 2: If you do not apply a control (related to a mandatory document), it is not necessary to develop a document for it. Another scenario is: you have a control that applies, but it is not related to a mandatory document, so it is not necessary to develop it. And another scenario: you have a control that applies, and it is related to a mandatory document, so it is necessary to develop it.
Anyway, in most companies all controls related to the mandatory documents are applied, so in most cases you will need to develop all mandatory documents because they will be related to controls that apply to the organization.
Finally, I think that this article can be interesting for you, please read it: The importance of Statement of Applicability for ISO 27001 : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/