
  • Objectives

    Usually, the objectives are set at two levels: 1) the general ISMS level, and 2) the security controls. For point 1) you can use our template “Information Security Policy” (you can find it in the folder 03 ISMS Scope Document). For point 2), because, as you know, it is related to the security controls, you can use our template “Statement of Applicability” (you can find it in the folder 06 Statement of Applicability).

    Regarding the plan to achieve the objectives, you need the Risk Treatment Plan. You can find our templates for it in the folder 05 Risk Assessment and Risk Treatment Methodology.

    Finally, I think this article can be very useful for you: “ISO 27001 control objectives – Why are they important?”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Definition of the scope

    On the other hand, the end-points (desktop PCs, laptops, etc.) are looked after by the IT areas in terms of correct functioning (hardware, software, security), but it is the users who store information, use pen drives, visit unsafe pages, etc. And this use can, for example, introduce viruses into the network or leak information (of which the IT area is the custodian) to the outside. How is the boundary established?

    Answer:

    Regarding the first question, if the IT department is included in the ISO 27001 scope, then yes, they have to control the integrity of the information. How can they do it? By implementing access control (there is a group of controls in the standard for this purpose); in this case, only authorized persons will be able to access and modify the information. Therefore, the IT department can control how the information is entered into the information systems.

    Regarding the second question, the scope will apply to those people who are involved in the scope of the ISMS, so if the IT department is included, the security controls will be for the staff of the IT department.

    Finally, if you need more information about how to define the scope, I recommend that you read this article (in English) “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Qualitative and quantitative risk assessment

    You can use a mix of both as long as you are able to produce consistent and comparable results - e.g. you can use qualitative risk assessment for all risks, and then quantitative risk assessment only for the biggest risks. Keep in mind that ISO 27001 does not establish how you have to develop your methodology. If you want to know the basic steps of our methodology (very easy and helpful), please read this article “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISMS for a Manufacturing Unit

    Our templates are developed for any type of business (small and medium), so you can use them for a Manufacturing Unit. Here you can see our toolkit, and you can see a free version of each document if you click on the “Free Demo” tab: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Also, I recommend this article if you need information about the implementation of the ISMS in any business: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And if you are interested in making an internal audit, this article will be very helpful: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, our methodology of risk assessment & treatment is asset-based, and you can find information about the 6 main steps in this article “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Controls in Risk Treatment Plan

    In the risk assessment, the important thing is the acceptable level of risk (and remember that in an asset-based risk assessment it is related to each asset). If the risk is above the acceptable level, then you need to reduce it with security controls in the Risk Assessment Plan; if not, it is not necessary. And the Risk Treatment Plan will have all the controls that you need to reduce the risks identified in the risk assessment.

    For more information about the risk assessment & treatment, please read this article “ISO 27001 risk assessment & treatment - 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
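The two answers above (mixing qualitative and quantitative assessment, and deriving the treatment plan from the acceptable level of risk per asset) describe a procedure without showing it. The script below is an added illustration, not one of Advisera's templates and not something ISO 27001 prescribes: the 1..5 likelihood and impact scale, the acceptable level of 9, the threshold above which a monetary estimate is added, the annual loss expectancy formula and the sample asset register are all assumptions made for the example. It scores every risk qualitatively, adds a quantitative figure only for the biggest ones, and emits a treatment plan containing only the controls for risks above the acceptable level.

```python
"""Asset-based risk assessment: qualitative pass over all risks, quantitative
pass over the biggest, and a treatment plan for risks above the acceptable level.

Added illustration; scales, formulas and the sample register are assumptions,
not Advisera's templates and not anything prescribed by ISO 27001."""

from dataclasses import dataclass
from typing import List, Dict, Any

# Qualitative scale (assumption): likelihood and impact each scored 1..5.
ACCEPTABLE_LEVEL = 9          # risks scored above this need treatment
QUANTITATIVE_THRESHOLD = 15   # only the biggest risks get a monetary estimate


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int           # 1..5
    impact: int               # 1..5
    control: str              # Annex A control proposed if treatment is needed
    asset_value: float = 0.0  # EUR, used only in the quantitative pass
    aro: float = 0.0          # annual rate of occurrence, quantitative pass only
    exposure: float = 0.0     # fraction of asset value lost per event (0..1)


def qualitative_score(r: Risk) -> int:
    """Risk = likelihood x impact on a 1..25 scale (assumed methodology)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.asset}: likelihood and impact must be 1..5")
    return r.likelihood * r.impact


def annual_loss_expectancy(r: Risk) -> float:
    """ALE = asset value x exposure factor x annual rate of occurrence."""
    return r.asset_value * r.exposure * r.aro


def assess(register: List[Risk], acceptable: int = ACCEPTABLE_LEVEL) -> List[Dict[str, Any]]:
    """Score every risk; add a monetary estimate only for the biggest ones."""
    results = []
    for r in register:
        score = qualitative_score(r)
        row = {"asset": r.asset, "owner": r.owner, "threat": r.threat,
               "score": score, "needs_treatment": score > acceptable, "ale_eur": None}
        if score >= QUANTITATIVE_THRESHOLD:
            row["ale_eur"] = round(annual_loss_expectancy(r), 2)
        results.append(row)
    return results


def risk_treatment_plan(register: List[Risk], acceptable: int = ACCEPTABLE_LEVEL) -> List[Dict[str, Any]]:
    """Only risks above the acceptable level get a control; the rest are accepted."""
    plan = []
    for r, row in zip(register, assess(register, acceptable)):
        if row["needs_treatment"]:
            plan.append({"asset": r.asset, "owner": r.owner,
                         "control": r.control, "score": row["score"]})
    return sorted(plan, key=lambda p: p["score"], reverse=True)


# Constructed sample register (not real data). Control names follow ISO 27001:2013 Annex A.
SAMPLE_REGISTER = [
    Risk("Source code repository", "Dev lead", "Unauthorized access", "Weak passwords",
         likelihood=4, impact=5, control="A.9.4.3 Password management system",
         asset_value=500_000, aro=0.2, exposure=0.4),
    Risk("Laptops (set of 40)", "IT manager", "Malware via USB drive", "No device control",
         likelihood=3, impact=4, control="A.8.3.1 Management of removable media"),
    Risk("Printed HR records", "HR manager", "Theft", "Unlocked cabinet",
         likelihood=2, impact=3, control="A.11.2.9 Clear desk and clear screen policy"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
    print("Risk Treatment Plan:")
    for item in risk_treatment_plan(SAMPLE_REGISTER):
        print(item)
```

Note that the 40 laptops appear as one asset with one owner, which is the "set of assets" approach recommended further down this page, and that the quantitative figure is only computed for the repository risk because it is the only one above the quantitative threshold.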
  • Gap analysis for ISO 27001

    First of all, the gap analysis is not mandatory in ISO 27001. Anyway, if you want to do it, you can see it as an internal audit, with the difference that the gap analysis is performed at the beginning of the project (when nothing is implemented yet). So, I recommend this article to you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Also, I recommend that you read this: “ISO 27001 gap analysis vs. risk assessment”: https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/

    And of course, you can use our template “Internal Audit Report”: https://advisera.com/27001academy/documentation/internal-audit-report/
  • Encrypted Messenger app

    The ISO 27001 certificate is not mandatory, but if you implement and certify it, you can give a good image and a guarantee of information security to your customers, because this standard establishes requirements to manage the protection of the information. Also, Annex A of ISO 27001 has a set of security controls related to development (for example: access control to the source code, secure development environment, system security testing, etc.) that may be helpful for your business.

    If you want to know more about ISO 27001, please read this article “The basic logic of ISO 27001: How does information security work?”: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Set of assets

    When you have a set of assets with the same features which are affected by the same threats/vulnerabilities, you can create a set of assets with them. This set will be a single asset, so you can define the same asset owner. It is my recommendation, but keep in mind that the standard does not establish how you have to do it, so you can have all the repeated assets in your list, but I think that it is not efficient.

    If you need more information about how to handle the asset register, please read this article “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • ISO 27001 for a Data Center

    It is quite common that a company wants to certify its data center. To do this, you need to think about it as a project, so basically the first thing that you need is a project plan. Please read this article for more information: “ISO 27001 project – How to make it work”: https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    About the Statement of Applicability, it is one of the most important documents in the ISMS for any company, because basically it is a list of controls with the applicability of each one (which are applicable and which are not). So, you can write this document only after the execution of the risk assessment & risk treatment. To know more about the main activities that you need to perform in the implementation of the ISMS, please read this article “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Software development company

    If your projects are included in the scope of the ISMS, sure, you need to implement both controls, because both are related to the protection of the information (it is the most important thing in ISO 27001).

    In Annex A, you can find this security control: A.9.4.3 Password management system. What could happen if your company does not have this control? Any unauthorized person could have access to restricted information.

    Also, you can find this control: A.12.4.1 Event logging. Here you can ask me: Why is this control important? If there are many attempts of unauthorized access, it is likely that someone is trying to access restricted information, and you need a control to avoid this.

    Therefore, if you implement an ISMS in your organization, and the risk assessment determines that the risk level is not acceptable, you must implement these 2 controls.

    Finally, I recommend this article, where you can find more information about ISO 27001: “What is ISO 27001?”: https://advisera.com/27001academy/what-is-iso-27001/
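The answer above justifies A.12.4.1 Event logging by the case of "many attempts of unauthorized access"; the script below is an added example of what that control makes possible, not code from the original answer or from Advisera. Everything in it is an assumption made for the illustration: the one-line log format, the threshold of 5 failures within 10 minutes, and the constructed sample lines (documentation-range addresses, fictitious users). Given a stream of authentication events it raises one finding per user/source pair that reaches the threshold, notes when a burst of failures is followed by a successful login (the case a reviewer would look at first), and skips malformed lines rather than aborting.

```python
"""Why A.12.4.1 Event logging matters: once authentication events are recorded,
repeated failed access attempts against restricted resources become visible.

Added illustration: the log format, threshold, window and sample lines are
constructed assumptions, not something ISO 27001 or the original answer prescribes."""

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional
import re

# Assumed log line format (constructed): "<ISO timestamp> <RESULT> user=<u> src=<ip> resource=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+) resource=(?P<res>\S+)$"
)

THRESHOLD = 5                 # failures within the window that trigger a finding
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; malformed lines return None and are skipped by the caller."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    d["ts"] = datetime.fromisoformat(str(d["ts"]))
    return d


def find_repeated_failures(lines: Iterable[str], threshold: int = THRESHOLD,
                           window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Return one finding per (user, src) that reaches `threshold` failures inside
    any sliding `window`; a successful login shortly after the burst is flagged too."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still in the window
    findings: Dict[tuple, Dict[str, object]] = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "LOGIN_FAIL":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in findings:
                findings[key] = {"user": ev["user"], "src": ev["src"], "failures": len(q),
                                 "first": q[0], "last": ev["ts"], "resource": ev["res"],
                                 "succeeded_after": False}
        elif key in findings and ev["ts"] - findings[key]["last"] <= window:
            findings[key]["succeeded_after"] = True   # burst followed by success: review first
    return list(findings.values())


# Constructed sample log (not real data); one garbage line shows the parser's tolerance.
SAMPLE_LOG = """
2024-03-01T09:00:00 LOGIN_FAIL user=alice src=10.0.0.5 resource=git-server
2024-03-01T09:00:20 LOGIN_OK user=alice src=10.0.0.5 resource=git-server
2024-03-01T09:01:00 LOGIN_FAIL user=admin src=203.0.113.7 resource=git-server
2024-03-01T09:01:05 LOGIN_FAIL user=admin src=203.0.113.7 resource=git-server
2024-03-01T09:01:10 LOGIN_FAIL user=admin src=203.0.113.7 resource=git-server
2024-03-01T09:01:15 LOGIN_FAIL user=admin src=203.0.113.7 resource=git-server
2024-03-01T09:01:20 LOGIN_FAIL user=admin src=203.0.113.7 resource=git-server
2024-03-01T09:01:30 LOGIN_OK user=admin src=203.0.113.7 resource=git-server
this line is garbage and must be skipped
2024-03-01T11:00:00 LOGIN_FAIL user=bob src=10.0.0.9 resource=hr-share
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_repeated_failures(SAMPLE_LOG):
        print(finding)
```

The single mistyped password from alice and the lone failure from bob stay below the threshold and produce nothing, which is the point of choosing a window and a threshold rather than alerting on every failure; without the log itself (the A.12.4.1 control) none of this can be observed at all.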