
  • Mandatory documents and records


    In the list of required documents, one item is "Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)". Which document in your toolkit covers this?

     

    Answer:

    For the risk assessment we have a template with the following information: categories of assets, catalogue of threats, and catalogue of vulnerabilities. Also, the template includes a table where you can include information about each asset. This is all that you need, related to the risk assessment, for the implementation of ISO 27001. If you want, you can see a free version of this document (click on the “Free Demo” tab) “Risk Assessment Table”: https://advisera.com/27001academy/documentation/risk-assessment-table/
    Keep in mind that this point “Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)” is a mandatory record, not a mandatory document. We provide templates for documents, but records must be created by each organization - for example, your server will automatically log all the outages of the server, so these will be your records of security events.
  • Copy of the ISO 27001 and issues


    1. For the ISO 27001:2013 standard, shall our company buy a copy for each member of staff? Or just buy some copies for upper management and internal auditors?

    2. What are issues in ISO 27001:2013? Are they similar to preventive action in 2005? From my understanding, previously in 2005 preventive action meant non-severe issues, but managers/staff still needed to follow up to prevent them from happening again in the future.

     

    Answer:

    Point 1: I think that only two persons in your company (the project manager for ISO 27001 and the internal auditor) need to read the standard, so 2 copies of the standard are enough. The important thing here is that the staff need to be aware of information security, and this can be achieved with training performed by an information security professional. In our free downloads section https://advisera.com/27001academy/free-downloads/ you can find resources that can help you do this, for example “Why ISO 27001 – Awareness presentation”.
     
    Point 2: They are different things. Issues are related to the context of the organization and the definition of the scope, while preventive actions are not explicitly present in ISO 27001:2013, but you can see risk management as a global preventive action. About issues and the context of the organization, you can read this “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/, and regarding changes in risk management you can read this “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
     
    Finally, this article about how to make a transition from ISO 27001:2005 to ISO 27001:2013 may be interesting for you: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Scope in the ISO 27001:2013


    Not necessarily. The new revision of the standard, ISO 27001:2013, has new requirements and your organization has to adapt to them (I suppose that it still has ISO 27001:2005), but it does not imply that you have to change the scope. Anyway, some certification bodies consider it a major non-conformity if your organization still has the old ISO 27001:2005. For more information about the changes between the old and new versions of the standard, please read this article “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    Finally, this article may also be interesting for you: "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Differences between ISO 22301 & ISO 31000

    Thank you.

     

    Answer:

    Both standards have different objectives. ISO 31000 is a standard that gives you a guide of best practices for risk management (any type of risk: information security, environmental, financial, etc.). On the other hand, ISO 22301 establishes requirements for the implementation of a Business Continuity Management System, where you need to manage risks to avoid interruptions of business continuity. So, for the implementation of ISO 22301, you can use ISO 31000 (but it is not mandatory). Anyway, there is another ISO also related to risks: ISO 27001, whose core is risk management (although only for information security), and in this case there is another guide of best practices focused on information security: ISO 27005 (which has the same structure as ISO 31000).
     
    Finally, this article about ISO 31000 and ISO 27001 may be interesting for you: “ISO 31000 and ISO 27001 – How are they related?”: https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Disaster Recovery Plan ISO 27001


    I don't want to implement full Business Continuity, only be compliant with the ISO 27001 requirements regarding A.17 Information security aspects of business continuity management.

     

    Answer:

    Yes, with our template Disaster Recovery Plan 27001 you can cover all requirements established in Annex A.17. Business continuity is treated in depth in ISO 22301, but for ISO 27001 a Disaster Recovery Plan for the IT infrastructure is enough.
     
    Please let us know if you have more doubts regarding the documentation.
  • Clauses 4.1 and 4.2 in a software development organization


    Your question is very common, and these are points where ISO 27001 has been aligned with other ISOs, but don’t worry, we can help you understand this point. Regarding the context, please read this article, which will be very helpful for you: “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/. For example, for internal issues you must make sure that your information security objectives are aligned with the business strategy. In your business: improving the security of the source code by establishing security controls.
     
    Regarding the interested parties, please read this article “How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//. In your case, an interested party can be developers, the Internet Service Provider, etc.
     
    Please let us know if you need more help.
  • Risks and Statement of Applicability


    1. The standard says in 6.1.1, point “d”, that the actions to address risks and opportunities must be integrated and implemented within the ISMS and that they must also be evaluated.

    Clearly, risks are assessed with the risk analysis methodology, treated with the risk treatment plan, and evaluated through the progress of that same plan and a tool we have called the Control Dashboard (Tablero de Control). We have been doing this since the previous version; it has only been improved.

    Our doubt arises with the evaluation of opportunities, because we have not done that before. For now, what we have done is a guide so that identified opportunities are communicated and staff stay alert to take advantage of them. It also includes an annual assessment to see how those opportunities were taken advantage of, but as you know, that is somewhat abstract and subjective to measure. Is there any tool to perform this measurement, or will what I have described be fine?

    2. Regarding the Statement of Applicability, I am unsure whether I should include the company's own controls or only the controls from the standard's annex?

     

    Answer:

    Thank you very much for your message; we are glad you enjoyed the webinar. We will see each other again soon in more webinars. Regarding your questions:

    Point 1: I think your procedure for evaluating opportunities complies with what the standard establishes (identification and communication). Keep in mind that ISO 27001 does not tell you how you have to do something, so you do not need a specific tool. But here it is very important to keep the records of the evaluation. In any case, I think this free webinar may also be very interesting for you (in English): “ISO 27001 and ISO 27004: How to measure the effectiveness of information”: https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/

    Point 2: You can include your business's own controls in the Statement of Applicability, but you also have to list the 114 controls of Annex A. Really, the Statement of Applicability must be completed after the risk analysis, because depending on its results you will implement controls, and then you will need to include the applicability of each control in the Statement of Applicability. Therefore, you will include the controls you need as a result of the risk analysis. If you need more information about the Statement of Applicability, please read this article (in English) "The importance of Statement of Applicability for ISO 27001": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Relationship between document control in ISO 27001:2005 and ISO 27001:2013


    The most important change is that in the new revision of the standard it is not mandatory to have a documented procedure for document management, although it is necessary to document the outputs (and this is exactly the same for other procedures such as internal audit, corrective actions, etc.)

    Finally, I recommend reading this article, which I think is very interesting for you (in English) “A first look at the new ISO 27001”: https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
  • ISO 27001:2005 vs ISO 27001:2013


    1. CAR
       - There are some new CAR requirements, but they are just similar to what we are doing now for 2005, which confuses me.
         i. To react to nonconformities and take action, as applicable, to control and correct the nonconformity and deal with the consequences.
         ii. To determine whether similar nonconformities exist, or could potentially occur.

    2. Preventive action
       - It is removed from 2005 and replaced by issues. Issues will be dealt with in Risk Assessment, which confuses me?

    3. Risk Assessment
       - Risk Owner and Risk Assessment Acceptance Criteria are not covered in 2005. Maybe you can help to provide some templates and examples for that?

    4. 9.1 Monitoring, measurement, analysis and evaluation
       - Is it the same as ISMS Objective? To evaluate whether we achieve the objective? Or does it mean we may have a more detailed measurement method?

     

    Answers:

    Point 1: There are no important changes, but now in the 2013 revision it is not necessary to have a document for corrective actions; it is only mandatory to have records about the results of corrective actions.

    Point 2: Exactly, in ISO 27001:2013 (and other ISOs, for example ISO 22301) there is no clause for preventive actions, but we can consider risk assessment & treatment as a global preventive action.

    Point 3: Sure, we have an interesting article about risk owners that you can read here (remember that the asset owner is kept in the standard) “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/. About risk acceptance, please read this “Risk appetite and its influence over ISO 27001 implementation”: https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/. Our risk assessment methodology may also be interesting for you; please check it out (you can see a free version if you click on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    Point 4: Clause 9.1 is related to the measurement method, and you can use this to measure the achievement of the information security objectives, but those are defined as a requirement in clause 6.2 ‘Information security objectives and planning to achieve them’. So, that is the difference: 6.2 is for the definition of the objectives, and 9.1 is for their measurement.

    Finally, in this article you can find more information about how to make a transition from ISO 27001:2005 to the 2013 revision; please check it out: “How to make a transition from ISO 27001 2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/.
  • Leading the ISMS project


    The project must be led by Top Management, which must assign a resource to coordinate the ISMS implementation activities (for example, a project manager). Both areas will play an important role in the implementation, and they can work together: on the one hand, the risk management area can perform the analysis and treatment of information security risks, and on the other hand, the technology area can help in the treatment of risks when the actions that need to be carried out are directly related to technology (for example: configuring firewalls, segregating networks, encrypting USB drives, etc.).

    Finally, at the beginning of the project it is very important to define a project plan, and here you can find more information about it (in English): “ISO 27001 project – How to make it work”: https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/