Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Propietario de activos
En relación a los activos, el estándar ISO 27001:2013 no establece que se tenga que definir un responsable para una matriz de activos. Sólo es necesario asignar un propietario para cada activo, y en relación a los riesgos se necesita establecer un propietario del riesgo. Creo que puede ser interesante para ti conocer las diferencias entre ambos, por tanto por favor lee este artículo (en inglés) Risk owners vs. Asset owners in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Por otra parte, también te recomiendo este artículo (también en inglés) "How to handle Asset register (Asset inventory) according to ISO 27001" : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
BCP and DR
Neither ISO 27001 nor ISO 22301 require you to have a disaster recovery site. However, what both of these standards require you is to define how you will be able to recover your activities if your primary location is not available any more.
Therefore, if your arrangement with a backup stored at a third party enables you to recover within the Recovery Time Objective (RTO), than this is fine. Of course, your agreement with this third party must reflect all the security risks - see this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
See also these articles:
Disaster recovery vs business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
Backup policy How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/ -
Design the ISMS
For the implementation of a ISMS there are many steps, but the first thing that you need is a project plan. Also is very important (and sometimes hard to achieve) is to obtain management support. For more information about the design of the ISMS, please read this article ISO 27001 implementation checklist : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ -
Review of SOA after implementation
Yes, absolutely, you can perform a revision after the implementation and update the state of all security controls in the SoA. Finally, I think that it is interesting to know the importance of the SoA, so please read this article The importance of Statement of Applicability for ISO 27001": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ -
Conducting ISMS audit
I suppose that you mean internal audit, so in this case basically you have 2 options:
a.- Perform internal audit with own employees (employees who have not been involved in the implementation of the ISMS, since an auditor can not audit their own work). For this I think that can be very useful this article for your employees How to make an Internal Audit checklist for ISO 27001 / ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
b.- Hiring an external consultant. In this case, the important is to look for an experienced and qualified auditor. Please read this article Qualifications for an ISO 27001 Internal Auditor : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/ -
Process of implementation for ISO 27001
Regarding to consultant, there are different options, you can find more information here 5 criteria for choosing an ISO 22301 / ISO 27001 consultant: https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
Regarding to time frame, here you can find a free calculator Free Calculator Duration of ISO 27001/ISO 22301 Implementation": https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
Regarding to certification cost, our recommendation is to request a proposal to different entities, and to know which is right for you, please use our List of Questions to ask an ISO 27001 or ISO 22301 certification body (MS Word), you can download it here: https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-certification-body/ -
Asset inventory
Why do you want to identify a business owner for the asset inventory? The standard says that it is not necessary, you only need to identify an owner for each asset (control A.8.1.2 Ownership of assets). For this identification, this article can be help you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Section 9.1 - Monitoring, Measurement, Analysis and Evaluation
ISO 27001 does not require you to have a separate document for measurement - what is important is to define the objectives and responsibilities who is going to measure whether these objectives are fulfilled.
Objectives are documented here:
General ISMS objectives - in the Information Security Policy
Specific control objectives - in the Statement of Applicability
Responsibilities for measurement are documented in Information Security Policy (section 4.1).
These materials will also help you:
article ISO 27001 control objectives Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
webinar ISO 27001 and ISO 27004: How to measure t he effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/ -
Documentacion para auditoria
Para saber si tu sistema esta preparado para la auditoría de certificación de ISO 27001, la mejor opción es realizar una auditoría interna. De todas formas, si has comprado nuestro toolkit, puedes enviarnos hasta 5 documentos, y nosotros los revisaremos.
Por otra parte, si quieres consultar la lista de documentos obligatorios por ISO 27001, por favor lee este artículo (en inglés): List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Este otro artículo también puede ser interesante para ti puesto que trata sobre la auditoría interna (también en inglés) How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Por último, creo que este artículo también pued e ser muy interesante para ti (en inglés) "The shortest path to getting " :
https://advisera.com/27001academy/blog/2015/03/09/shortest-path-to-getting-iso-27001-certified-as-a-business/ -
Storage of password
There are some security controls related to the protection and storage of passwords:
9.3.1 Use of secret authentication information: Regarding to your question, here is important to ensure proper protection of passwords when passwords are used as secret authentication information in automated log-on procedures and are stored.
9.4.3 Password management system: Regarding to your question, here is important to store and transmit passwords in protected form.
What is my recommendation? Use a software as a password management system, and store your password there. Also can be interesting that another people of your organization (closer to you) have access to this software.
Anyway, please remember what is the list of mandatory documents reading this article List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/