Search results


  • Disaster recovery site


    In Annex A of ISO 27001 you can see a set of controls related to disaster recovery (A.17 Information security aspects of business continuity management), but really you only need to implement them depending on the results of the risk assessment; this means that if there are risks, maybe you need to implement A.17 to reduce them. Anyway, ISO 27001 does not require a disaster recovery site; a disaster recovery site is only one of the ways to comply with A.17.2.1.

    If you want to know more about risk management, please read this article “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Verify if a company is certified with ISO/IEC 27001


     

    Answer:

    There are 2 ways: 1. Ask the company to show the certificate; 2. Each certification body has this information (ISO 27001 certificate for each company). So, you need to know the certification body that issued the certificate for the company that you want, and you can request information about a specific company. Most of the certification bodies have a web form on their website to search this information, but if not, you can directly ask them.
  • Documentation control


    Documentation control is mostly for the documentation of the ISMS, and a contract can be a document in the ISMS, but anyway you can apply documentation control to any document of your company. But for me, it is very hard to consider an email as a document, because there are different emails in a day, and you do not have version control, changes, etc. The management of particular documents or records does not have to be defined centrally in a Procedure for Document Control - you could have e.g. a Supplier Policy where you define the rules for handling supplier contracts.

    Finally, please read this article if you need more information about document management “Document management in ISO 27001 & BS 25999-2”: https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  • ISO 27001 Lead Auditor Exam


    Sorry, but we do not have this type of information; we only work with the necessary documentation for the implementation of ISO 27001. If you are interested in receiving more information about this, please let us know.

    Anyway, this free webinar can be interesting for you: "ISO 27001 Lead Auditor Course preparation training" https://advisera.com/training/iso-27001-lead-auditor-course/
  • Validity of the ISO 27001 Lead Auditor personal certificate


    Generally, personal certificates do not have a validity period, or at least I do not know of any personal certificate (ISO 27001 Lead Auditor) like that. In any case, if the last training in ISO 27001 was in 2009, it will be highly recommended that you take a refresher course, because in 2013 a complete revision of the standard was carried out: ISO 27001:2013

    Finally, this article may be interesting for you (in English) "How to become ISO 27001 Lead Auditor": https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Training


    There are some recommendations you can follow; please read this article (in English): “How to perform training & awareness for ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    You can also find in our "Free Download" section a presentation that you can use to prepare a training session; please take a look at it: https://advisera.com/27001academy/free-downloads/
  • ISO 27001 and ISO 27002


    There is always a first time. If you refer to the implementation of ISO 27001, it is composed of a series of stages, and depending on the company, each phase can be more or less easy. If you need a checklist for its implementation, please read this “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    If you refer to the implementation of ISO 27002, also depending on the company it will be more or less easy to implement the security controls (related to IT, HR, legal, etc.).

    On the other hand, ISO 27002 is only a code of best practices; this means that certification bodies do not certify it, so there isn't a specific audit for only ISO 27002. Although you can see in Annex A of ISO 27001 all the security controls of ISO 27002 (which are audited in an ISO 27001 audit), you can only see a brief description there; in ISO 27002 you can see an implementation guide for each control.

    If you want to know more about the differences between ISO 27001 and ISO 27002, please read this article “ISO 27001 vs. ISO 27002”: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Objectives


    Usually, the objectives are set at two levels: 1) General ISMS level, and 2) Security controls. For point 1) you can use our template “Information Security Policy” (you can find it in the folder: 03 ISMS Scope Document). And for point 2), because, as you know, it is related to the security controls, you can use our template “Statement of Applicability” (you can find it in the folder: 06 Statement of Applicability).

    Regarding the Plan to achieve the objectives, you need the Risk Treatment Plan. You can find our templates about it in the folder: 05 Risk Assessment and Risk Treatment Methodology.

    Finally, I think that this article can be very useful for you “ISO 27001 control objectives – Why are they important?”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Definition of the scope


    On the other hand, the end-points (desktop PCs, laptops, etc.) are looked after in terms of correct functioning (hardware, software, security) by the IT areas, but it is the users who store information, use pen drives, visit unsafe pages, etc. And this use can, for example, introduce viruses into the network or leak information (of which the IT area is the custodian) to the outside. How is the limit established?

     

    Answer:

    Regarding the first question, if the IT department is included in the scope of ISO 27001, indeed, they have to control the integrity of the information. How can they do it? By implementing access control (there is a group of controls in the standard for this purpose); in this case, only authorized people will be able to access and modify the information. Therefore, the IT department can control how the information is entered into the information systems.

    Regarding the second question, the scope will apply to those people who are involved in the scope of the ISMS; therefore, if the IT department is included, the security controls will be for the staff of the IT department.

    Finally, if you need more information about how to define the scope, I recommend that you read this article (in English) “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Qualitative and quantitative risk assessment


    You can use a mix of both as long as you are able to produce consistent and comparable results - e.g. you can use qualitative risk assessment for all risks, and then quantitative risk assessment only for the biggest risks. Keep in mind that ISO 27001 does not establish how you have to develop your methodology. If you want to know the basic steps of our methodology (very easy and helpful), please read this article “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/