Search results

  • Acceptable use of assets


     

    Answer:

    Control "A.8.1.3 Acceptable use of assets" is related to assets associated with information and information processing facilities, so it is not related to human assets.
  • Risk Assessment vs Incident Management

    We've received the following questions:

    1. I would like to know the difference between Risk Assessment and Incident Management.
    2. During risk assessment, we consider Disaster as a risk; how can it become an incident later, even if it was identified earlier?

    Answers:

    1) Risk assessment is a process where you try to identify all the potential security breaches that might happen in the future. Incidents are the risks that have materialized, i.e. the real breaches that have happened; incident management is a process for managing incidents.

    2) Disaster itself is not a risk, it is a threat; it can become an incident if you didn't implement all the security controls to prevent such an incident.
  • Exclusion of controls


    1. doesn't have any e-commerce activities
    2. doesn't have internal software development activities. There is an internal IT department, but software development is outsourced.

     

    Answer:

    Point 1: In ISO 27001:2013 there is no control directly related to e-commerce. You can find the control "A.14.1.3 Protecting application services transactions", but it applies to any transactions, not only those related to e-commerce.
     
    Point 2: In principle you can exclude all controls related to "A.14.2 Security in development and support processes": A.14.2.1 Secure development policy, A.14.2.2 System change control procedures, etc.
     
    Keep in mind that the exclusion of controls can be made only after the risk assessment is finished. 
     
    Finally, I recommend that you read this article "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Communication Plan and Corrective Actions


    1.- Recently we had a transition audit and received an audit finding related to clause 7.4 ("Communication - no clear reference within ISMS documentation; how is this to be managed?").

    2.- What is the difference between the templates for CAPA and CAR?

     

    Answer:

    Point 1: It is not mandatory to have a document for communications, but you can read this article "How to create a Communication Plan according to ISO 27001": https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
     
    Point 2: The first is the procedure, and the second is the record. In the new revision of the standard (ISO 27001:2013) there are no preventive actions (they were removed relative to the old version), so you do not need to manage preventive actions (although risk management is a global preventive action). So, you only need a procedure and a template for the register of corrective actions. Finally, I recommend that you read this article "Practical use of corrective actions for ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
  • Get qualifications


    We have free resources that you can use to acquire proper knowledge about ISO 27001 (presentations for training, white papers, templates, etc.). You can find them here: https://advisera.com/27001academy/free-downloads/

    Finally, this article may also be interesting for you: "How to learn about ISO 27001 and BS 25999-2": https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
  • Security Compliance Management


     

    Answer:

    You can find this document in our toolkit, "List of Legal, Regulatory, Contractual and Other Requirements", which is exactly related to your question. You can see it in the folder "02 Procedure for Identification of Requirements".
     
    Also, you can see here a list of legal regulations of different countries: https://www.infosecpedia.info/laws-regulatio*******************************************
  • Differences between third party and suppliers


    There is no important difference, because a supplier is a third party. To identify interested parties, please read this article "How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Regarding third party agreements vs. supplier relationships, yes, it is a matter of terminology, because you can establish relationships with suppliers, and they can be considered an interested party. Anyway, I recommend this article about suppliers, "6-step process for handling supplier security according to ISO 27001": https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • The owner of the ISO 27001 has been changed to a new department


    No, the certification won't be voided. The important thing here is to adapt your implementation to the new revision of the standard, ISO 27001:2013; otherwise the external auditor of the certification body could identify a major non-conformity in your ISMS. You can read this article about the transition from the 2005 revision to 2013, "How to make a transition from ISO 27001 2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    On the other hand, it is important to know that if the scope has changed (if there are new assets), you will need to carry out the risk management again based on the new scope; otherwise, again, the external auditor could identify non-conformities. For more information about the scope, please read this article "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Information Security Objectives

    Information Security Objectives are not only related to confidentiality, integrity and availability; they are also related to any improvement that your business hopes to achieve with the implementation of the standard. For example: reduce the number of information security incidents not registered, improve client satisfaction, etc.

    Usually, the objectives are set at two levels: 1) general ISMS level, and 2) security controls. Remember that for point 1) you can use an Information Security Policy. And for point 2), because, as you know, it is related to the security controls, you can use the Statement of Applicability. You can see a free version of this document here by clicking on the "Free Demo" tab: https://advisera.com/27001academy/documentation/statement-of-applicability/

    Regarding the plan to achieve the objectives, you need the Risk Treatment Plan. You can also see a free version of this document here by clicking on the "Free Demo" tab: https://advisera.com/27001academy/documentation/risk-treatment-plan/

    Finally, I think that this article can be very useful for you: "ISO 27001 control objectives - Why are they important?": https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • ISO 27001 and ISO 20000


    a. What are the differences between ISO 27001 and ISO 20000?
    b. If an organisation is ISO 27001 certified and intends to go for ISO 20000 certification:
    1. What are the additional areas needed and to prepare?
    2. Generally, how long will it take to be ISO 20000 certified?
    3. How should one advise them on what is needed for ISO 20000?

     

    Answers:

    Point a: ISO 27001 establishes requirements for an Information Security Management System, and ISO 20000 establishes requirements for a Service Management System, so ISO 27001 is related to information security, and ISO 20000 is related to IT service management.

    Point b.1: There are many things, because the objectives of the two standards are different. For example, in ISO 20000 you need a configuration management process, a business relationship management process, a service level management process, etc.
     
    Point b.2: It depends on the company, but typically between 8 and 12 months.
     
    Point b.3: If you want to implement ISO 20000, we have free resources, for example the ISO 20000 implementation diagram: https://info.advisera.com/20000academy/free-download/iso-20000-implementation-diagram/. You can also use our toolkit: https://advisera.com/20000academy/iso-20000-documentation-toolkit/ (you can see a free version of each document if you click on the "Free Demo" tab).