In the risk assessment table, can I use a group/category of assets such as laptops in the asset name section, and identify the threats and vulnerabilities for that category? In the inventory of assets, do I then need to list each asset of the category?
Example:
Category: laptops
Asset name: [name]-laptop
Or can I keep this section high level as well, for example:
Category: ICT and Other equipment
Asset name: Laptops
Answer:
Yes, you can have an asset named laptops in your inventory of assets, and afterwards in the Risk Assessment Table you need to identify the threats/vulnerabilities related to it (related to all laptops that have the same threats/vulnerabilities). So, you can have this:
Category: ICT
Asset name: Laptops
Both companies (BSI and PECB) are very good, therefore either of the two may be a good choice for the Lead Implementer course. Anyway, we have free resources that you can use to gain good knowledge about ISO 27001; you can find them here: https://advisera.com/27001academy/free-downloads/
We have created our ISO 27001 Documentation Toolkit for smaller and mid-sized companies - this is why we have optimized both the number of documents and their size - in our opinion, having more documents would be overkill for smaller companies. Of course, our toolkit has all the mandatory documents required for the certification.
Competences in ISO 27001:2013
Documenting the competences does not differ between the 2013 and 2005 revisions of ISO 27001 - if you go for any training, you need to have some kind of record (e.g. the certificate). On the other hand, you do not need any formal qualifications to manage the ISMS - if everything works well, this is proof of your competence.
Sure, if you have purchased our Premium toolkit you can send us up to 5 documents and we will review them.
Laws, regulations and ISO 27001 / PCI-DSS
Thank you for the reply. Currently we are in the process of certification for the PCI-DSS security standard for the bank card environment.
For other bank organizational units we would like to update our regulations to cover the requirements of the ISO 27001 standard. For this topic I am looking for additional information.
In addition, we are using a SIEM system (***). Regarding updating our internal regulation about this, we need more information about best practice in this area. Could you help us with more information in this area? We need more information about the draft standard ISO 27044 and best practice in this area.
Answer:
If you want to implement the ISO 27001 standard in your organization, you can use our templates, which have all the necessary documentation. You can see a free version of each document by clicking on the Free Demo tab here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/. Regarding regulations, here you can find a list of international laws and regulations related to information security and business continuity: https://www.infosecpedia.info/laws-regulations-information-security-business-continuity. It may also be interesting for you to know that you can integrate ISO 27001 and PCI-DSS; you can find more information about this in PCI-DSS vs. ISO 27001 Part 1 Similarities and Differences: https://advisera.com/27001academy/knowledgebase/pci-dss/ and PCI-DSS vs. ISO 27001 Part 2 Implementation and Certification: https://advisera.com/27001academy/knowledgebase/pci-dss/
Unfortunately, we currently have no materials on SIEM/ISO 27044 - when we publish any such materials we will certainly let you know.
Information security and BCM/BCP strategies
Yes, our ISO 27001 Documentation Toolkit is related to information security, while our ISO 22301 / BS 25999 toolkit is related to Business Continuity. We also have an integrated ISO 27001 & ISO 22301 Premium Documentation Toolkit, which you can download here (you can see a free version of each document if you click on the Free Demo tab): https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/ (please see the section Business Continuity Strategy if you need specific information about BCM/BCP strategies)
Security risks dealing with suppliers
Presently, our risk assessment assesses risks that refer to assets vs. CIA.
Other risks that are brought to our attention are those from security incidents/breaches etc., so this is the easy part.
Answer:
If you outsource part of your processes or allow a third party to access your information, you should assess the risks to the confidentiality, integrity and availability of your information. For example, during the risk assessment you may realize that some of your information might be exposed to the public and create huge damage, or that some information may be permanently lost. Based on the results of the risk assessment, you can decide whether the next steps in this process are necessary or not: for example, you may not need to perform a background check or insert security clauses for your cafeteria supplier, but you probably will need to do it for your software developer. For more information, you can read this article, 6-step process for handling supplier security: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Policy for mobile device/teleworking, NDAs and metrics
1) Can I make one policy for Mobile Devices and Teleworking, since both are almost similar? Is that accepted?
2) Isn't a confidentiality statement equal to the NDA which every employee signs (our company ensures that every employee signs the NDA, which has confidentiality requirements too)? Isn't this sufficient?
3) Similarly with the Statement of Acceptance of ISMS. Our company's NDA covers all these aspects and is signed by everyone in the organization.
4) Request some help on ISMS Metrics. How to align ISMS Objectives to Business Strategy?