Yes, I think that you can include it in your Training and Awareness Plan, but remember that the important thing here is to perform training about information security. So, you can include this course in your plan, but I suppose that your plan also has training in information security.
I think that this article can be interesting for you for the management of your records in SharePoint: Records management in ISO 27001 and ISO 22301: https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
Finally, I recommend that you read this article, "How to perform training & awareness for ISO 27001 and ISO 22301":
We need more information about your scenario. What is the current scope? Anyway, it is not necessary to extend the scope; further, if there are assets of another company, can you control them? If not, you also cannot perform the risk assessment & treatment. So, I think that the best option here is that you maintain your scope and your inventory of assets.
For more information about the definition of the scope, please read this article, How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Anyway, in case there are assets his company is using that are not included in the scope, they can treat this other company as a supplier.
Question 1: Does this then mean that when the SoA controls are selected, the controls linked to the mandatory documents also need to be selected for implementation?
Question 2: If that specific control has not been linked as a mitigating control to an identified risk, why must the document then be developed and implemented?
· Secure system engineering principles (clause A.14.2.5)
· Supplier security policy (clause A.15.1.1)
· Incident management procedure (clause A.16.1.5)
· Business continuity procedures (clause A.17.1.2)
Answer 1: If you have in your SoA a control that has been applied and it is related to a mandatory document, sure, you need to implement (and document) it.
Answer 2: If you do not apply a control (related to a mandatory document), it is not necessary to develop a document for it. Another scenario is: you have a control that applies, but it is not related to a mandatory document, so it is not necessary to develop one. And another scenario: you have a control that applies, and it is related to a mandatory document, so it is necessary to develop it.
Anyway, in most companies all controls related to the mandatory documents are applied, so in most cases you will need to develop all mandatory documents because they will be related to controls that apply to the organization.
Finally, I think that this article can be interesting for you; please read it: The importance of Statement of Applicability for ISO 27001: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Category of assets
So to clarify, in your example of asset categories, if I have grouped assets under application software (licensed), I can perform my risk assessment based on this group if the threats and vulnerabilities apply to the group of assets.
So in my inventory of assets, all I need to do is complete the table with the same information I used in the risk assessment table:
ID | Asset category             | Name of asset                   | Asset owner | Asset description
1  | Applications and databases | application software (licensed) | IT          | Licenced application software.
Would this be sufficient or would I need to list all licenced software?
Answer:
Yes, you are right: in your risk assessment you can have a group of assets (type software) and identify threats and vulnerabilities that apply to it (threats and vulnerabilities related to software), but in your case I think that it will be better if you have 2 different groups of assets, Applications and Databases, because the risks can be different. Only if, after performing the risk assessment, you see that they have the same risks can you consider integrating them into a single group.
Finally, keep in mind that, additionally, in accordance with intellectual property legislation, you must have an inventory of your licensed software.
Measurement of the absolute risk
To evaluate the risk, you should take into consideration the security controls that exist in the organization for each asset. This approach is more realistic and closer to the reality of your business, because it considers the current controls. If not, you will have a point of view that does not reflect the reality. So, our recommendation is the first approach, I mean, that you consider current security controls.
Our Risk Assessment methodology is based on ISO 27001 and ISO 27005, and is specially adapted for smaller and mid-sized companies. Further, it is compliant not only with ISO 27001, but also with ISO 22301 (the business continuity standard).
Here you can see a free version of our methodology by clicking on the Free Demo tab: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
Group of assets
In the risk assessment table I can use a group/category of assets such as laptops in the asset name section, and identify the threats and vulnerabilities for that category, correct? In the inventory of assets, do I need to list each asset of the category then?
Example:
Category: laptops
Asset name: [name]-laptop
Or can I keep this section high level as well, for example:
Category: ICT and Other equipment
Asset name: Laptops
Answer:
Yes, you can have an asset named laptops in your inventory of assets, and afterwards in the Risk Assessment Table you need to identify the threats/vulnerabilities related to it (related to all laptops that have the same threats/vulnerabilities). So, you can have this:
Category: ICT
Asset name: Laptops
Both companies (BSI and PECB) are very good, therefore either of the 2 may be a good choice for the Lead Implementer course. Anyway, we have free resources that you can use to gain good knowledge about ISO 27001; you can find them here: https://advisera.com/27001academy/free-downloads/
We have created our ISO 27001 Documentation Toolkit for smaller and mid-sized companies - this is why we have optimized both the number of documents and their size - in our opinion, if you had more documents this would create overkill for smaller companies. Of course, our toolkit has all the mandatory documents required for the certification.