
  • Risks and Statement of Applicability


    1.       The standard says in 6.1.1, item “d”, that the actions to address risks and opportunities must be integrated and implemented within the ISMS and must also be evaluated.

    Clearly the risks are assessed with the risk analysis methodology, treated with the risk treatment plan, and evaluated by tracking the progress of that plan together with a tool we have called the Control Dashboard (Tablero de Control). We have been doing this since the previous version; it has only been improved.

    Our doubt concerns the evaluation of opportunities, because we have not done that before. So far what we have done is a guide so that identified opportunities are communicated and staff stay alert to take advantage of them. It also includes an annual assessment to see how those opportunities were exploited, but as you know, that is somewhat abstract and subjective to measure. Is there a tool to carry out this measurement, or will what I have described be enough?

    2.       Regarding the Statement of Applicability, I am unsure whether I should include the company's own controls or only the controls from the standard's annex.

    Answer:

    Thank you very much for your message; we are glad that you enjoyed the webinar. We will see each other again soon in more webinars. Regarding your questions:

    Point 1: I believe your approach to evaluating opportunities meets what the standard establishes (identification and communication); keep in mind that ISO 27001 does not tell you how you have to do something, so you do not need a specific tool. But here it is very important to keep the records of the evaluation. In any case, I think this free webinar may also be very interesting for you (in English): “ISO 27001 and ISO 27004: How to measure the effectiveness of information” : https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/

    Point 2: You can include your own business controls in the Statement of Applicability, but you also have to list the 114 controls of Annex A. The Statement of Applicability really should be completed after the risk assessment, because depending on its results you will implement controls, and then you will need to include the applicability of each control in the Statement of Applicability. So you will include the controls you need as a result of the risk assessment. If you need more information about the Statement of Applicability, please read this article (in English) "The importance of Statement of Applicability for ISO 27001": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Relationship between document control in ISO 27001:2005 and ISO 27001:2013


    The most important change is that in the new revision of the standard it is not mandatory to have a documented procedure for document management, although it is necessary to document the outputs (and this is exactly the same for other procedures such as internal audit, corrective actions, etc.).

    Finally, I recommend reading this article; I think it is very interesting for you (in English): “A first look at the new ISO 27001”: https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
  • ISO 27001:2005 vs ISO 27001:2013


    1.     CAR

    ·         There are some new CAR requirements, but they are just similar to what we are doing now for 2005, which confuses me.

                  i.    To react to nonconformities and take action, as applicable, to control and correct the nonconformity and deal with the consequences.

                  ii.    To determine whether similar nonconformities exist, or could potentially occur.

    2.     Preventive action

    ·         It is removed from 2005 and replaced by issues. Issues will be dealt with in the Risk Assessment, which confuses me?

    3.     Risk Assessment

    ·         Risk Owner and Risk Assessment Acceptance Criteria are not covered in 2005. Maybe you can help by providing some templates and examples for that?

    4.     9.1 Monitoring, measurement, analysis and evaluation.

    ·         Is it the same as the ISMS Objective? To evaluate whether we achieve the objective? Or does it mean we may have a more detailed measurement method?

     

    Answers:

    Point 1: There are no important changes, but in the 2013 revision it is no longer necessary to have a document for corrective actions; it is only mandatory to keep records of the results of corrective actions.

    Point 2: Exactly: in ISO 27001:2013 (and other ISO standards, for example ISO 22301) there is no clause for preventive actions, but we can consider risk assessment & treatment as a global preventive action.

    Point 3: Sure, we have an interesting article about risk owners that you can read here (remember that the asset owner is kept in the standard): “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/. About risk acceptance, please read this: “Risk appetite and its influence over ISO 27001 implementation” : https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/. Our risk assessment methodology may also be interesting for you; please check it out (you can see a free version if you click on the “Free Demo” tab) : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    Point 4: Clause 9.1 is related to the measurement method, and you can use it to measure the achievement of the information security objectives, but those objectives are defined as a requirement in clause 6.2 ‘Information security objectives and planning to achieve them’. So that is the difference: 6.2 is for the definition of the objectives, and 9.1 is for their measurement.

    Finally, in this article you can find more information about how to make the transition from ISO 27001:2005 to the 2013 revision; please check it out: “How to make a transition from ISO 27001 2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/.
  • Leading an ISMS project


    The project must be led by top management, which must appoint a resource to coordinate the ISMS implementation activities (for example a project manager). Both areas will play an important role in the implementation and can work together: on the one hand, the risk management area can carry out the analysis and treatment of risks related to information security, and on the other hand, the technology area can help with risk treatment when the actions that need to be carried out are directly related to technology (for example: configuring firewalls, segregating networks, encrypting USB drives, etc.).

    Finally, at the start of the project it is very important to define a project plan, and here you will find more information about it (in English): “ISO 27001 project – How to make it work” : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
  • Internal audit vs Gap analysis


    I suppose that you are referring to the internal audit when you say “fault finding”, because one of the objectives of the internal audit is to find faults. If so, the difference between the two is that the gap analysis is performed at the beginning of the implementation project, to compare the status of the organization with the requirements of the standard, and it is not mandatory. On the other hand, the internal audit must be performed each year before the certification audit, and it is mandatory (it is established as a requirement in clause 9.2 of ISO 27001:2013).

    Remember that we have a very interesting article about how to make an internal audit checklist; if you want to see it, please check out “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Keep documents


     

    Answer:

    The ISO standards (ISO 27001, ISO 22301, ISO 20000, ISO 9001) do not establish a specific time to keep documents, but some countries have legal regulations requiring certain documents (agreements, SLAs, etc.) to be kept for a minimum time; after that it is not mandatory to continue keeping them. So, usually you can keep your documents indefinitely, but I recommend that you look into the legal regulations in your country.

    Regarding version control, do you mean the version control of a management system, for example ISO 27001? If so, it can be applied to all documents in your business (company wide); there is no problem, although in a management system it usually applies only to the documents related to the system.
  • UKAS and ANAB accreditation

    UKAS is a full member of European and International Mutual Recognition Agreements (such as the European cooperation for Accreditation, International Accreditation Forum and International Laboratory Accreditation Cooperation). This means that all UKAS accredited certificates and reports (with the exception of those related to EU Regulations/Directives and Schemes) shall continue to be recognised within Europe and around the world.

    An ISO certificate issued by a UKAS accredited certifying body will be recognised in the EU.

    Both ANAB and UKAS are members of the International Accreditation Forum, so a certification body accredited by either UKAS or ANAB should be recognised almost anywhere in the world.

  • Physical security policy and malware policy


    There is a set of controls related to physical security in Annex A of ISO 27001:2013: "A.11 Physical and environmental security", but you do not need a policy for this, nor is it mandatory to have a document to implement those controls. Anyway, if you are interested in physical security, please read this article “Physical security in ISO 27001: How to protect the secure areas” : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

    Regarding malware, you can find in Annex A of ISO 27001:2013 the control "A.12.2.1 Controls against malware”, but again it is not mandatory to have a document to implement this control. Anyway, you can establish a formal policy to prohibit the use of unauthorized software.

    Finally, I recommend that you read this article "How to structure the documents for ISO 27001 Annex A controls" : https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Questionnaire for ISO 27001


    We do not have a specific document for producing a questionnaire for ISO 27001, but we have a methodology to identify threats/vulnerabilities and calculate risks (related to information security). With this methodology, you can identify risks and establish priorities for treating them. If you want more information about our methodology, please read this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    You can also find a catalog of threats/vulnerabilities here: https://www.infosecpedia.in**************************
  • Recommendation about Business Continuity Management


    If you want to implement BCM (Business Continuity Management) in your organization, ISO 22301 is the better choice, because it is more focused on business continuity. ISO 27001 is focused on information security and has security controls for business continuity, but ISO 22301 is more extensive and precise about business continuity. Anyway, you can combine both, and in this case you can have a management system for both business continuity and information security in your organization, which can add value.

    Finally, here you can see a webinar about ISO 27001 and ISO 22301: "Free webinar - ISO 27001 & ISO 22301: Why is it better to implement them together?" : https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/