Search results

Home / Search

Category:
Select
Select

11268 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Section 9.1 - Monitoring, Measurement, Analysis and Evaluation


    ISO 27001 does not require you to have a separate document for measurement - what is important is to define the objectives and responsibilities who is going to measure whether these objectives are fulfilled.

    Objectives are documented here:

    General ISMS objectives - in the Information Security Policy
    Specific control objectives - in the Statement of Applicability

    Responsibilities for measurement are documented in Information Security Policy (section 4.1).

    These materials will also help you:

    article ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    webinar ISO 27001 and ISO 27004: How to measure t he effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/

  • Documentacion para auditoria


    Para saber si tu sistema esta preparado para la auditoría de certificación de ISO 27001, la mejor opción es realizar una auditoría interna. De todas formas, si has comprado nuestro toolkit, puedes enviarnos hasta 5 documentos, y nosotros los revisaremos.

    Por otra parte, si quieres consultar la lista de documentos obligatorios por ISO 27001, por favor lee este artículo (en inglés): “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Este otro artículo también puede ser interesante para ti puesto que trata sobre la auditoría interna (también en inglés)  “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Por último, creo que este artículo también pued e ser muy interesante para ti (en inglés) "The shortest path to getting " : 

    https://advisera.com/27001academy/blog/2015/03/09/shortest-path-to-getting-iso-27001-certified-as-a-business/

  • Storage of password


    There are some security controls related to the protection and storage of passwords:

    9.3.1 Use of secret authentication information: Regarding to your question, here is important to ensure proper protection of passwords when passwords are used as secret authentication information in automated log-on procedures and are stored.
    9.4.3 Password management system: Regarding to your question, here is important to store and transmit passwords in protected form.

    What is my recommendation? Use a software as a password management system, and store your password there. Also can be interesting that another people of your organization (closer to you) have access to this software.
    Anyway, please remember what is the list of mandatory documents reading this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  • Keep information security


    Yes, I think that you can include it in your Training and Awareness Plan, but remember that the important here is to perform training about information security. So, you can include this course in your plan, but I suppose that your plan also have training in information security.
    I think that this article can be interesting for you for the management of your records in sharepoint: “Records management in ISO 27001 and ISO 22301” : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
    Finally, I recommend you to read this article "How to perform training & awareness for ISO 27001 and ISO 22301" : 

    https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  • Company allocated temporarily in another company


    We need more information about your scenario. What is the current scope? Anyway, it is not necessary to extend the scope, further if there are assets of another company, you can control them? If not, you also can not perform the risk assessment & treatment. So, I think that the best option here is that you maintain your scope and your inventory of assets. 
    For more information about the definition of the scope, please read this article “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    Anyway, in case there are assets his company is using that are not included in the scope, then they can treat this other company as a supplier.

    Regarding to suppliers, I recommend you to read this article "6-step process for handling supplier security according to ISO 2700 1" : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • SoA and mandatory documents


    Question 1: Does this then mean that when the SOA controls are selected that the controls linked to the mandatory documents also needs to be selected for implementation?
    Question 2: If that specific control has not been linked as a mitigating control to an identified risk, why must the document then be developed and implemented?
    ·         Secure system engineering principles (clause A.14.2.5)
    ·         Supplier security policy (clause A.15.1.1)
    ·         Incident management procedure (clause A.16.1.5)
    ·         Business continuity procedures (clause A.17.1.2)
     

    Answer 1: If you have in your SoA a control that have been applied and it is related to a mandatory document, sure, you need to implement (and document) it.
    Answer 2: If you do not apply a control (related to a mandatory document), it is not necessary to develop a document for it. Another scenario is: you have a control that applies, but it is not related to a mandatory document, so it is not necessary to develop it. And another scenario: you have a control that applies, and it is related to a mandatory document, so it is necessary to develop it.
    Anyway, in the most of companies all controls related to the mandatory document are applied, so in the most of cases you will need to develop all mandatory documents because they will be related to controls that apply to the organization.
    Finally, I think that this article can be interesting for you, please read it “The importance of Statement of Applicability for ISO 27001” : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  • Category of assets


    So to clarify, in your example of asset categories if I have a grouped assets under “application software (licensed)” , I can perform my risk assessment based on this group if the threat and vulnerabilities applies to the group of assets.
    So in my inventory of assets, all I need to do is complete the table with the same information I used in the risk assessment table:

    ID

    Asset category

    Name of asset

    Asset owner

    Asset description

     1

     Applications and databases

     application software (licensed)

     IT

     Licenced application software.

    Would this be sufficient or would I need to list all licenced software?
     

    Answer:

    Yes, you are right, in your risk assessment you can have a group of assets (type software) and identify threats and vulnerabilities that applies to it (threats and vulnerabilities related to software), but in your case, I think that it will be better if you have 2 different groups of assets: “Applications” and “Databases”, because risks can be different. Only if after performing the risk assessment you see that they have the same risk, you can consider integrate them in an unique group.
    Finally, keep in mind that additionally, in accordance with intellectual property legislation, you must to have a inventory of your licensed software.

  • Measurement of the absolute risk

    To evaluate the risk, you should take in consideration the security controls that exist in the organization for each asset. This approach is more real and more closer to the reality of your business, because considers the current controls. If not, you will have a point of view that not reflects the reality. So, our recommendation is the first approach, I mean, that you consider current security controls.

  • Integrate policies


    Why do you want to integrate them in an unique document? We think that it is better if you have a high level policy for the ISMS (with strategic intention, objectives, etc) and detailed policies for control access, backups, etc. If you have an unique document, it can be extensive and uncomfortable to read. 
    Finally, I think that this article can be very interesting for you "One Information Security Policy, or several policies?" : 
    https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    And also can be interesting for you this article: “Information security policy – how detailed should it be?” : https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

  • Methodology based on ISO 27001 and ISO 27005


    Our Risk assessment methodology is based on ISO 27001 and ISO 27005, and is specially adapted for smaller and mid-sized companies. Further, it is compliant not only with ISO 27001, but also with ISO 22301 (the business continuity standard). 
    Here you can see a free version of our methodology clicking on “Free Demo” tab: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
Page 1071-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +