Validity of the ISO 27001 Lead Auditor personal certificate
Generally, personal certificates do not have a validity period, or at least I do not know of any personal certificate (ISO 27001 Lead Auditor) like that. In any case, if the last ISO 27001 training was in 2009, it will be highly recommended to take a refresher course, because a complete revision of the standard was carried out in 2013: ISO 27001:2013.
There is always a first time. If you refer to the implementation of ISO 27001, it is composed of a series of stages, and depending on the company, each phase can be more or less easy. If you need a checklist for its implementation, please read this article "ISO 27001 implementation checklist": https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
If you refer to the implementation of ISO 27002, also depending on the company it will be more or less easy to implement the security controls (related to IT, HR, legal, etc.).
On the other hand, ISO 27002 is only a code of best practices; this means that certification bodies do not certify against it, so there isn't a specific audit for only ISO 27002. Although you can see in Annex A of ISO 27001 all the security controls of ISO 27002 (which are audited in an ISO 27001 audit), there you can only see a brief description; in ISO 27002 you can see an implementation guide for each control.
Usually, the objectives are set at two levels: 1) general ISMS level, and 2) security controls. For point 1) you can use our template Information Security Policy (you can find it in the folder: 03 ISMS Scope Document). And for point 2), because as you know it is related to the security controls, you can use our template Statement of Applicability (you can find it in the folder: 06 Statement of Applicability).
Regarding the plan to achieve the objectives, you need the Risk Treatment Plan. You can find our templates about it in the folder: 05 Risk Assessment and Risk Treatment Methodology.
On the other hand, the endpoints (desktop PCs, laptops, etc.) are looked after in terms of correct operation (hardware, software, security) by the IT areas, but it is the users who store information, use pen drives, visit insecure pages, etc. And this use can, for example, introduce viruses into the network or leak information (of which the IT area is the custodian) to the outside. How is the boundary established?
Answer:
Regarding the first question, if the IT department is included in the scope of ISO 27001, then yes, they have to control the integrity of the information. How can they do it? By implementing access control (there is a group of controls in the standard for this purpose); in this case, only authorized people will be able to access and modify the information. Therefore, the IT department can control how information is entered into the information systems.
Regarding the second question, the scope will apply to those people who are involved in the scope of the ISMS, so if the IT department is included, the security controls will be for the staff of the IT department.
You can use a mix of both as long as you are able to produce consistent and comparable results - e.g. you can use qualitative risk assessment for all risks, and then quantitative risk assessment only for the biggest risks. Keep in mind that ISO 27001 does not establish how you have to develop your methodology. If you want to know the basic steps of our methodology (very easy and helpful), please read this article "ISO 27001 risk assessment & treatment - 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
ISMS for a Manufacturing Unit
Our templates are developed for any type of business (small and medium), so you can use them for a Manufacturing Unit. Here you can see our toolkit, and you can see a free version of each document if you click on the Free Demo tab: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
In the risk assessment, the important thing is the acceptable level of risk (and remember that in an asset-based risk assessment it is related to each asset). If the risk is above the acceptable level, then you need to reduce it with security controls in the Risk Assessment Plan; if not, it is not necessary. And the Risk Treatment Plan will have all the controls that you need to reduce the risks identified in the risk assessment.
First of all, the gap analysis is not mandatory in ISO 27001. Anyway, if you want to do it, you can see it as an internal audit, with the difference that the gap analysis is performed at the beginning of the project (when nothing is implemented yet). So, I recommend you this article "How to make an Internal Audit checklist for ISO 27001 / ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
The ISO 27001 certificate is not mandatory, but if you implement and certify it, you can give a good image and warranty of information security to your customers, because this standard establishes requirements to manage the protection of information. Also, Annex A of ISO 27001 has a set of security controls related to development (for example: access control to the source code, secure development environment, system security testing, etc.), which maybe can be helpful for your business.