
  • Laws, regulations and ISO 27001 / PCI-DSS


    Thank you for the reply. Currently we are in the process of certification for the PCI-DSS security standard for the bank card environment.
    For other bank organizational units we would like to update regulations to cover the requirements of the ISO 27001 standard. For this topic I am looking for additional information.
    In addition, we are using a SIEM system (***). Regarding the update of internal regulation about this, we need more information about best practice in this area. Could you help us with more information in this area? We need more information about the draft standard ISO 27044 and best practice in this area.
     

    Answer:

    If you want to implement the ISO 27001 standard in your organization, you can use our templates, which have all the necessary documentation. You can see a free version of each document here by clicking on the “Free Demo” tab: https://advisera.com/27001academy/iso-27001-documentation-toolkit/. Regarding regulations, here you can find a list of international laws and regulations related to information security and business continuity: https://www.infosecpedia.info/laws-regulations-information-security-business-continuity. It may also be interesting for you to know that you can integrate ISO 27001 and PCI-DSS; here you can find more information about this: “PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences”: https://advisera.com/27001academy/knowledgebase/pci-dss/ and “PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification”: https://advisera.com/27001academy/knowledgebase/pci-dss/
    Unfortunately, we have currently no materials on SIEM/ISO 27044 - when we publish any such materials we will certainly let you know.
  • Information security and BCM/BCP strategies


    Yes, our toolkit “ISO 27001 Documentation Toolkit” is related to information security, while our toolkit “ISO 22301 / BS 25999” is related to Business Continuity. We also have an integration of both, the “ISO 27001 & ISO 22301 Premium Documentation Toolkit”; you can download it here (you can see a free version of each document if you click on the “Free Demo” tab): https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/ (please see the section “Business Continuity Strategy” if you need specific information about BCM/BCP strategies).
  • Security risks dealing with suppliers


    Presently, our risk assessment is assessing risks that refer to assets vs. CIA.
    Other risks that are brought to our attention are those from security incidents/breaches etc., so this is the easy part.
     

    Answer:

    If you outsource part of your processes or allow a third party to access your information, you should assess the risks to the confidentiality, integrity and availability of your information. For example, during the risk assessment you may realize that some of your information might be exposed to the public and create huge damage, or that some information may be permanently lost. Based on the results of the risk assessment, you can decide whether the next steps in this process are necessary or not – for example, you may not need to perform a background check or insert security clauses for your cafeteria supplier, but you probably will need to do it for your software developer. For more information about it, you can read this article, “6-step process for handling supplier”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Policy for mobile device/teleworking, NDAs and metrics


    1) Can I make one policy for Mobile Device and Tele-working, since both are very similar? Is that accepted?

    2) Isn't a confidentiality statement equal to the NDA which every employee signs (our company ensures that every employee signs the NDA, which has confidentiality requirements too)? Isn't this sufficient?

    3) Similarly with the Statement of Acceptance of ISMS. Our company's NDA covers all these aspects and is signed by everyone in the Organization.

    4) Request some help on ISMS Metrics. How to align ISMS Objectives to Business Strategy?

     

    Answer:

    Point 1: Yes, you can have a single document for both, but remember that they are not mandatory for the standard. You can see a list of mandatory (and non-mandatory) documents here, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Point 2: Yes, I think that it is enough. Keep in mind that the signed NDA is a record that you need to manage; here you can find information about this, “Records management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    Point 3: OK, here you can also cover it with your company’s NDA.

    Point 4: You need to think about the objectives that your organization has in obtaining ISO 27001: what benefits does your business expect from the implementation? For example, if you have a business that sells through the Internet, what are the security objectives? Identify information security risks related to the web application (and reduce them). Anyway, I think that this article can be interesting for you, “ISO 27001 control objectives – Why are they important?”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/. Finally, this article can be interesting for you, “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/.
  • Acceptable use of assets


     

    Answer:

    Control "A.8.1.3 Acceptable use of assets” is related to assets associated with information and information processing facilities, so it is not related to human assets.
  • Risk Assessment vs Incident Management

    We've received the following questions:

    1. I would like to know the difference between Risk Assessment and Incident Management.

    2. During risk assessment, we consider Disaster as a risk; how can it become an incident later, even if it was identified earlier?

    Answers:

    1) Risk assessment is a process where you try to identify all the potential security breaches that might happen in the future. Incidents are the risks that have materialized, i.e. the real breaches that have happened; incident management is a process for managing incidents.

    2) Disaster itself is not a risk, it is a threat; it can become an incident if you didn't implement all the security controls to prevent such an incident.
  • Exclusion of controls


    1. doesn't have any e-commerce activities
    2. doesn't have internal software development activities. There is an internal IT department, but software development is externalized.

     

    Answer:

    Point 1: In ISO 27001:2013 there is no control directly related to e-commerce. You can find the control “A.14.1.3 Protecting application services transactions”, but it can be for any transactions, not only those related to e-commerce.
     
    Point 2: In principle you can exclude all controls related to “A.14.2 Security in development and support processes”: A.14.2.1 Secure development policy, A.14.2.2 System change control procedures, etc.
     
    Keep in mind that the exclusion of controls can be made only after the risk assessment is finished. 
     
    Finally, I recommend that you read this article, "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Communication Plan and Corrective Actions


    1.- Recently we had a transition audit, and we had an audit finding related to clause 7.4: "Communication - No clear reference within ISMS doc. How is this to be managed?"

    2.- What is the difference between the templates for CAPA & CAR?

     

    Answer:

    Point 1: It is not mandatory to have a document for communications, but you can read this article, “How to create a Communication Plan according to ISO 27001”: https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
     
    Point 2: The first is the procedure, and the second is the record. In the new revision of the standard (ISO 27001:2013) there are no preventive actions (they have been deleted from the old version), so you do not need to manage preventive actions (although risk management is a global preventive action). So, you only need a procedure and a template for the register of corrective actions. Finally, I recommend that you read this article, "Practical use of corrective actions for ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
  • Get qualifications


    We have free resources that you can use to acquire proper knowledge about ISO 27001 (presentations for training, white papers, templates, etc.). You can find them here: https://advisera.com/27001academy/free-downloads/

    Finally, this article can also be interesting for you, “How to learn about ISO 27001 and BS 25999-2”: https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
  • Security Compliance Management


     

    Answer:

    You can find this document in our toolkit, “List of Legal, Regulatory, Contractual and Other Requirements”, which is exactly related to your question. You can see it in the folder "02 Procedure for Identification of Requirements".
     
    Also you can see here a list of legal regulations of different countries: https://www.infosecpedia.info/laws-regulatio*******************************************