Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Policy for mobile device/teleworking, NDAs and metrics
1) Can I make one policy for Mobile Device and Tele-working since both are almost similar. Is that accepted ?
2) Isn't confidentiality statement equal to NDA which every employee signs ( our company ensures that every employee signs the NDA which has confidentiality requirements too). Isn't this sufficient ?
3) Similarly with Statement of Acceptance of ISMS. Our company's NDA covers all these aspects and is signed by everyone in the Organization.
4)Request some help on ISMS Metrics. How to align ISMS Objectives to Business Strategy ?
Answer:
Point 1: Yes, you can have a unique document for both, but remember that they are not mandatory for the standard. You can see a list of mandatory documents (and non-mandatory) here List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Point 2: Yes, I think that it is enough. Here keep in mind that the NDA signed is a record that you need to manage, and here you can find information about this Records management in ISO 27001 and ISO 22301: https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
Point 3: Ok, here you can also cover it with your companys NDA.
Point 4: You need to think in the objectives that your organization has to obtain the ISO 27001, what benefits expect your business with the implementation? For example, you have a business that sells through Internet, security objectives? Identify information security risks related to the web application (and reduce them). Anyway, I think that this article can be interesting for you ISO 27001 control objectives Why are they important? : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/. Finally, this article can be interesting for you Four key benefits of ISO 27001 implementation : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/. -
Acceptable use of assets
Answer:
Control "A.8.1.3 Acceptable use of assets is related to assets associated with information and information processing facilities, so it is not related to human assets. -
Risk Assessment vs Incident Management
We've received the following questions: 1. I would like to know difference between Risk Assessment and Incident Management 2. During risk assessment, we consider Disaster as risk, how can it become incident later, even it identified earlier Answers: 1) Risk assessment is a process where you try to identify all the potential security breaches that might happen in the future. Incidents are the risks that have materialized, i.e. the real breaches that have happened; incident management is a process for managing incidents. 2) Disaster itself is not a risk, it is a threat; it can become an incident if you didn't implement all the security controls to prevent such an incident. -
Exclusion of controls
1. doesn't have any e-commerce activities
2. doesn't have internal software development activities. There are an internal IT department, but software development is externalized.
Answer:
Point 1: In the ISO 27001:2013 there is no control directly related to e-commerce. You can find the control A.14.1.3 Protecting application services transactions but it can be for any transactions, not only related to e-commerce.
Point 2: In principle you can exclude all controls related to the A.14.2 Security in development and support processes: A.14.2.1 Secure development policy, A.14.2.2 System change control procedures. Etc.
Keep in mind that the exclusion of controls can be made only after the risk assessment is finished.
Finally, I recommend you to read this article "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Communication Plan and Corrective Actions
1.- Recently we had a transition Audit we had a Audit finding related to clause 7.4 "communication -No clear reference within ISMS doc. How this is to be managed".
2.- What is the difference between the template for CAPA & CAR ?
Answer:
Point 1: There is no mandatory to have a document for the communications, but you can read this article How to create a Communication Plan according to ISO 27001 : https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
Point 2: The first is the procedure, and the second is the record. In the new revision of the standard (ISO 27001:2013) there is no preventive actions (has been deleted from the old version), so you do not need to manage preventive actions (although the risk management is a global preventive action). So, you only need a procedure, an a template for the register of corrective actions. Finally, I recommend you to read t his article "Practical use of corrective actions for ISO 27001 and ISO 22301" : https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/ -
Get qualifications
We have free resources that you can use to acquired proper knowledge about the ISO 27001 (presentations for training, white papers, templates, etc). You can find them here: https://advisera.com/27001academy/free-downloads/
Finally this article can be also interesting for you How to learn about ISO 27001 and BS 25999-2 : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/ -
Security Compliance Management
Answer:
You can find this document in our toolkit List of Legal, Regulatory, Contractual and Other Requirements which is exactly related with your question. You can see it in the folder "02 Procedure for Identification of Requirements"
Also you can see here a list of legal regulations of different countries: https://www.infosecpedia.info/laws-regulatio******************************************* -
Differences between third party and suppliers
There is no important difference, because a supplier is a third party. To identify interested parties, please read this article How to identify interested parties according to ISO 27001 and ISO 22301: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Regarding to third party agreement vs. Supplier relationships, yes, is a case of terminology, because you can establish relationships with suppliers, and they can be considered as an interested party. Anyway, I recommend you this article about suppliers "6-step process for handling supplier security according to ISO 27001" : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
The owner of the ISO 27001 has been changed to a new departmanet
No, the certification wont be voided. The important here is to adapt your implementation to the new revision of the standard ISO 27001:2013, if not, external auditor of the certification body could identify a major non-conformity in your ISMS. You can read this article about the transition from 2005 revision to 2013 How to make a transition from ISO 27001 2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
On the other hand, it is important to know that if the scope has changed (if there are new assets), you will need to i mplement again the risk management based on the new scope, if not, again external auditor could identify non-conformities. For more information about the scope, please read this article How to define the ISMS scope : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/ -
Information Security Objectives
Information Security Objectives are not only related to confidentiality, integrity and availability, are also related with any improvement that your business hoping to achieve with the implementation of the standard. For example: reduce the number of information security incidentes not registered, improve the client satisfaction, etc.
Usually, the objectives are set at two levels: 1) General ISMS level, and 2) Security controls. Remember that for the point 1) you can use an Information Security Policy. And for the point 2), because as you know it is related to the security controls, you can use the Statement of Applicability. You can see a free version of this document here clicking on "Free Demo" tab: https://advisera.com/27001academy/documentation/statement-of-applicability/
Regarding to the Plan to achieve the objectives, you need the Risk Treatment Plan. Also you can see a free version of this document here clicking on "Free Demo" tab: https://advisera.com/27001academy/documentation/risk-treatment-plan/
Finally, I think that this article can be very useful for you "IS O 27001 control objectives Why are they important?" : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/