Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Risk assessment based on processes


     

    Answer:

    Our methodology asset-based is very easy and useful because it focuses on each element that contains information. We only give support for our methodology. Anyway, if you want to focus on business processes (also you can focus on areas of responsibility), you can develop it with the following points:

    1.- List the business process

    2.- Identify the types of business risk

    3.- List the general categories of technical risks and vulnerabilities

    4.- Develop a rating scale for each technical risk category

    5.- Perform the process analysis

    6.- List the risk mitigation practices available for each process

    7.- Define the mitigation cost

    8.- Prioritize potential mitigation steps

  • Confining a registrar to the scope that has been defined


    I realize the ISMS can be a system that covers more than just security operations, but for initial purposes the *** and ISMS are defined as one and the same. The definition will change over time as scope increases. Just curious.

    Answer:

    Just because you have defined a certain ISMS scope does not mean such scope is feasible - for example, if there are no clear boundaries for such a scope, then you would have to expand the scope.

    Therefore, if your scope is not feasible you should listen to the certification auditor; if your scope is feasible then you have to prove to certification auditor why do you think so. Generally, the recommendation is that the information security should cover the entire organization.

    These articles can also help you:

    How to de fine the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  • Record maintenance system


    Sure, an example can be Sharepoint, so you can use it to the documents/records management. Anyway, here you can read an article that I think can be interesting for you “Records management in ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

  • Business Continuity Assessment


     

    Answer:

    We have a webinar about how to conduct an internal audit according to ISO 22301, which I think that can be useful for you, but you need to buy one of our toolkit to see it. I give you the following URL if you are interested in the purchase “Internal audit: How to conduct it according to ISO 27001 and ISO 22301/BS 25999-2": https://www.iso27001standard.com/webinar/internal-audit-how-t************************************************************

  • Include controls in the SOA


    We included a set of controls from 2005 version, but our SOA apparently didn't have strong justification for inclusion. And now we don't want to exclude those controls in 2013 version but sadly we cant find the strong justification.

    Answer:

    If there are another purpose for the inclusion of a control, you can include it in the SOA. For example, if you have controls added by ISO 27001:2005, and you don’t want to exclude them, you can include as justification: Included by ISO 27001:2005

  • ISO 27001 mandatory documents


    Basically you are right, although the new ISO 27001:2013 is more simply in some points (for example in the risk assessment). To know in detail how to make a transition from ISO 27001:2005 to 2013 revision, please read this article “How to make a transition from ISO 27001:2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    Also if you want to know in detail what has changed in the risk assessment, you can read this article “What has changed in risk assessment in ISO 2 7001:2013" : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/

  • Disciplinary actions


    There are a couple of documents related to this: 

    Incident Management Procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/ (If you have our toolkit you can find this document in the folder: 08 Annex AA.16 Information security incident management)
    Statement of Acceptance of ISMS Documents: https://advisera.com/27001academy/documentation/statement-of-acceptance-of-isms-documents/ (If you have our toolkit you can find the document in the folder: 08 Annex AA.7 Human resource security)

    Also, you can see which template covers which control in the document Statement of Applicability template: https://advisera.com/27001academy/documentation/statement-of-applicability/ (If you have our toolkit you can find the document in the folder: 06 Statement of Applicability)

    Finally, keep in mind that it is one of the activities that the CISO of the o rganization needs to perform and it is related to the Human resources management (to know more about this, please read this article: “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/).

  • Big asset inventory


    My question is: Is it required to create one big asset inventory file or it is ok to keep them separately?
     

    Answer: 

    Both options are ok for the standard, but I think that you can keep each inventory files of each department/section and also you can integrate them in a unique file that you can keep separately. In this way I think that will be more easy for you for the risk assessment, because for me is more easy to work with an unique file (in the risk assessment) that with different files.

  • Lograr la certificacion en la norma ISO 22301


    Como ya sabes, antes de la certificación tienes que implementar la ISO 22301 en tu organización, y hay muchas cosas importantes que son necesarias para hacer esto: Plan de proyecto (recursos necesarios, fechas, costes, etc), definición del alcance para la ISO 22301, implementación del PDCA (este es similar al PDCA de otras ISOs como por ejemplo ISO 9001, ISO 27001, etc), e implementar los elementos de la Continuidad de Negocio: BIA, Análisis de Riesgos, Estrategia de Continuidad de Negocio, Plan de Continuidad de Negocio, etc.

    Para mayores detalles sobre la implementación de la ISO 22301, puedes leer este gran libro (en inglés): “Becoming Resilient: The Definitive Guide to ISO 22301 Implementation": https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

    También puedes leer este magnífico artículo, el c ual te ayudará en la implementación de la ISO 22301 (también en inglés) "17 steps for implementing ISO 22301": https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

  • Purchase the ISO 27001 standard


    Unfortunately, we do not sell the ISO standards themselves, we provide the documentation that is necessary for the implementation of ISO standards - see the details here: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/
     
    You can purchase the ISO standard directly from ISO https://www.iso.org/home.html or from the standardization body in your country.
Page 1079-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +