
  • Relationship between document control in ISO 27001:2005 and ISO 27001:2013


    The most important change is that in the new revision of the standard it is not mandatory to have a documented procedure for document management, although it is necessary to document the outputs (and this is exactly the same for other procedures, such as internal audit, corrective actions, etc.).

    Finally, I recommend that you read this article; I think it will be very interesting for you (in English): “A first look at the new ISO 27001”: https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
  • ISO 27001:2005 vs ISO 27001:2013


    1. CAR

    · There are some new CAR requirements, but they are similar to what we are doing now for 2005, which confuses me.

        i. To react to nonconformities and take action, as applicable, to control and correct the nonconformity and deal with the consequences.

        ii. To determine whether similar nonconformities exist, or could potentially occur.

    2. Preventive action

    · It has been removed from 2005 and replaced by issues. Issues will be dealt with in the Risk Assessment, which confuses me.

    3. Risk Assessment

    · Risk Owner and Risk Assessment Acceptance Criteria are not covered in 2005. Maybe you can help by providing some templates and examples for that?

    4. 9.1 Monitoring, measurement, analysis and evaluation

    · Is it the same as the ISMS Objective? To evaluate whether we achieve the objective? Or does it mean we may have a more detailed measurement method?

    Answers:

    Point 1: There are no important changes, but now in the 2013 revision it is not necessary to have a document for corrective actions; it is only mandatory to keep records of the results of corrective actions.

    Point 2: Exactly, in ISO 27001:2013 (and in other ISO standards, for example ISO 22301) there is no clause for preventive actions, but we can consider risk assessment & treatment as a global preventive action.

    Point 3: Sure, we have an interesting article about risk owners that you can read here (remember that the asset owner is kept in the standard): “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/. About risk acceptance, please read this: “Risk appetite and its influence over ISO 27001 implementation”: https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/. Our risk assessment methodology may also be interesting for you; please check it out (you can see a free version if you click on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    Point 4: Clause 9.1 is related to the measurement method, and you can use it to measure the achievement of the information security objectives, but those objectives are defined as a requirement in clause 6.2 ‘Information security objectives and planning to achieve them’. So this is the difference: 6.2 is for the definition of the objectives, and 9.1 is for the measurement of them.

    Finally, in this article you can find more information about how to make the transition from ISO 27001:2005 to the 2013 revision; please check it out: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/.
  • Leading an ISMS project


    The project must be led by top management, which must assign a resource to coordinate the ISMS implementation activities (for example, a project manager). Both areas will play an important role in the implementation, and they can work together: on the one hand, the risk management area can perform the analysis and treatment of the risks related to information security, and on the other hand, the technology area can help with the treatment of risks when the actions that need to be carried out are directly related to technology (for example: configuring firewalls, segregating networks, encrypting USB drives, etc.).

    Finally, at the start of the project it is very important to define a project plan, and here you can find more information about this (in English): “ISO 27001 project – How to make it work”: https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
  • Internal audit vs Gap analysis


    I suppose that you are referring to the Internal Audit when you say “Fault finding”, because one of the objectives of the Internal Audit is to find faults. If so, the difference between the two is that the gap analysis is performed at the beginning of the implementation project, to compare the status of the organization with the requirements of the standard, and it is not mandatory. On the other hand, the Internal Audit must be performed each year before the certification audit, and it is mandatory (it is established as a requirement in clause 9.2 of ISO 27001:2013).

    Remember that we have a very interesting article about how to make an internal audit checklist; if you want to see it, please check out “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Keep documents


    Answer:

    The ISO standards (ISO 27001, ISO 22301, ISO 20000, ISO 9001) do not establish a specific time to keep documents, but some countries have legal regulations requiring certain documents (agreements, SLAs, etc.) to be kept for a minimum time; after that, it is not mandatory to continue keeping them. So, usually you can keep your documents indefinitely, but I recommend that you look for information about the legal regulations in your country.

    Regarding version control, do you mean the version control of a management system, for example ISO 27001? If so, it can be applied to all documents in your business (company-wide); there is no problem, although in a management system it usually applies only to the documents related to the system.
  • UKAS and ANAB accreditation

    UKAS is a full member of European and international mutual recognition agreements (such as the European co-operation for Accreditation, the International Accreditation Forum and the International Laboratory Accreditation Cooperation). This means that all UKAS accredited certificates and reports (with the exception of those related to EU Regulations/Directives and Schemes) shall continue to be recognised within Europe and around the world.

    An ISO certificate issued by a UKAS accredited certifying body will be recognised in the EU. 

    Both ANAB and UKAS are members of the International Accreditation Forum, so a certification body accredited by either UKAS or ANAB should be recognised almost anywhere in the world.

  • Physical security policy and malware policy


    There is a set of controls related to physical security in Annex A of ISO 27001:2013: "A.11 Physical and environmental security", but you do not need a policy for this, nor is it mandatory to have a document to implement those controls. Anyway, if you are interested in physical security, please read this article: “Physical security in ISO 27001: How to protect the secure areas”: https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

    Regarding malware, you can find in Annex A of ISO 27001:2013 the control "A.12.2.1 Controls against malware", but again it is not mandatory to have a document to implement this control. Anyway, you can establish a formal policy to prohibit the use of unauthorized software.

    Finally, I recommend that you read this article: "How to structure the documents for ISO 27001 Annex A controls": https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Questionnaire for ISO 27001


    We do not have a specific document for producing a questionnaire for ISO 27001, but we have a methodology to identify threats/vulnerabilities and calculate risks (related to information security). With this methodology, you can identify risks and establish priorities for treating them. If you want more information about our methodology, please read this article: “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    You can also find a catalog of threats/vulnerabilities here: https://www.infosecpedia.in**************************
  • Recommendation about Business Continuity Management


    If you want to implement BCM (Business Continuity Management) in your organization, ISO 22301 is better, because it is more focused on business continuity. ISO 27001 is focused on information security and has security controls for business continuity, but ISO 22301 is more extensive and precise on business continuity. Anyway, you can combine both, and in this case you can have a management system for business continuity and information security in your organization, which can add value.

    Finally, here you can see a webinar about ISO 27001 and ISO 22301: "Free webinar - ISO 27001 & ISO 22301: Why is it better to implement them together?": https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Controls in SoA

    Sure, you can do it as a best practice, there is no problem, but remember to include this information as justification in the SoA.