Search results

Home / Search

Category:
Select
Select

11268 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Big asset inventory


    My question is: Is it required to create one big asset inventory file or it is ok to keep them separately?
     

    Answer: 

    Both options are ok for the standard, but I think that you can keep each inventory files of each department/section and also you can integrate them in a unique file that you can keep separately. In this way I think that will be more easy for you for the risk assessment, because for me is more easy to work with an unique file (in the risk assessment) that with different files.

  • Lograr la certificacion en la norma ISO 22301


    Como ya sabes, antes de la certificación tienes que implementar la ISO 22301 en tu organización, y hay muchas cosas importantes que son necesarias para hacer esto: Plan de proyecto (recursos necesarios, fechas, costes, etc), definición del alcance para la ISO 22301, implementación del PDCA (este es similar al PDCA de otras ISOs como por ejemplo ISO 9001, ISO 27001, etc), e implementar los elementos de la Continuidad de Negocio: BIA, Análisis de Riesgos, Estrategia de Continuidad de Negocio, Plan de Continuidad de Negocio, etc.

    Para mayores detalles sobre la implementación de la ISO 22301, puedes leer este gran libro (en inglés): “Becoming Resilient: The Definitive Guide to ISO 22301 Implementation": https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

    También puedes leer este magnífico artículo, el c ual te ayudará en la implementación de la ISO 22301 (también en inglés) "17 steps for implementing ISO 22301": https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

  • Purchase the ISO 27001 standard


    Unfortunately, we do not sell the ISO standards themselves, we provide the documentation that is necessary for the implementation of ISO standards - see the details here: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/
     
    You can purchase the ISO standard directly from ISO https://www.iso.org/home.html or from the standardization body in your country.

  • What is the ISO 27001 standard


    The International Standard that establishes a Information Security Management System is the ISO 27001, which is related with the ISO 27002 (code of best practices of information security). If you need more information about the ISO 27001, please read this article “What is the ISO 27001” : https://advisera.com/27001academy/what-is-iso-27001/

    Also if you need more information about specific controls (related to computers), maybe will be very interesting for you the ISO 27002, which has controls related to access control. Also remember that the standards ISOs are more related for companies and business.

  • Scale of BIA to determine RTOs and RPOs


    I have a scale of (1-Low Impact, 2-Medium Impact, and 3-High Impact) so:

    In assessing RTO/RPO for an asset what is the meaning of the impact of 1, 2, or 3? 

        am I correct if I say for RTO:

        - Impact of 1: No user reaction at all

        - Impact of 2: Some users will start calling.

        - Impact of 3: Most users will be affected by unavailability of the asset in this time frame. 

       and for RPO:

         - Impact of 1: loss of data is acceptable and data can be recreated easily.

        - Impact of 2: some data loss is acceptable and missing data can be recreated easily.

        - Impact of 3: no data loss is acceptable and missing data is difficult to recreate.

     

    Answer:

    Yes, you are right, I think that it is very easy and useful for you. If you need more information about how to perform the BIA please read this article “How to implement business impact analysis (BIA) according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

  • Aspects in A 14.2.5

    1.- You can read in the "Implementation guidance" of the control 14.2.5 the following: "Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility". So, this control is related to the large information system design, which also include the development of software.

    2.- You can use our template to implement this control in your organization (you can see a free version if you click on ³Free Demo² tab) "Secure Development Policy": https://advisera.com/27001academy/documentation/secure-development-policy/. And also you can use this template related to IT procedures "Operating Procedures for Information and Communication Technology" : https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
    3.- The auditors will search the documents mentioned above and their records as evidence of implementation.

  • Seguridad de la Informacion en la Gestion de proyectos


    ·         Como lo debo entender este nuevo control?  ,

    ·         Como lo debo aplicar este nuevo control a los proyectos de mi empresa ( por favor me dan un ejemplo)

    En mi empresa el área responsable de proyectos, me está solicitando que los apoye de como abordar este tema en los proyectos organizacionales (tecnología, operacionales, etc).

     

    Respuesta: 

    Básicamente este control significa que hay que tener en mente la seguridad de la información cuando se gestiona un proyecto, por lo tanto, para implementarlo en una organización, puedes hacer lo siguiente: a) Incluir objetivos de seguridad de la información en los objetivos del proyecto, b) Realizar un análisis de riesgos de seguridad de la información en una etapa temprana del proyecto para identificar posibles controles, c) Contar con la seguridad de la información en todas las fases de la metodología de proyectos de la organización

    En cualquier caso, recu erda que no es obligatorio tener un documento para este control. Por favor, si quieres conocer la lista de documentos obligatorios (y no obligatorios) de la ISO 27001, puedes leer este artículo (en inglés) "List of mandatory documents required by ISO 27001 (2013 revision)": 

     https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  • Impact in the ISO 27001


       2. What's is exactly the type of impact we are referring to? Is it monetary or operational impact? e.g. the impact of a server is down may not have cost but delay in doing work for some users but no monetary impact so how we describe such impact?

       3. When doing the risk assessment in ISO22301 (BCM) do we only assess the impact in terms of availability?

       4. Do we identify an asset as a whole (i.e. hardware and software in case of a server) or not?

     

    Answer:

    1. The impact of a threat affects to the organization. 
     
    2. The impact has to be assessed in terms of the damage to Confidentiality, Integrity and the Availability of the information.
     
    If a server (with critical information) is down, it can be a risk for the organization (which can be based on the Likelihood and the Impact of threats). How can calculate it? I recommend you this free webinar “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
     
    Also I recommend you to see our methodology (you can see a free version if you click on “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
      
    3. Yes, in this case the risk assessment of the ISO 27001 is more complete, and you also use it for the ISO 22301. Please read this article “Can ISO 27001 risk assessment be used for ISO 22301?” : https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
     

    4. For me is better to identify each type of asset in a different way. For example: machine HP DL-380 (type hardware), Windows 2003 server (type software), electronic documents, procedures, etc (type Information). Why? Because threats that affects to the software are not the same that threats that affects to the hardware and the Information. For more information about register assets, please read this article “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Information classification


    To me CUG is for a select number of people in say a committee and confidential is for say ‘the person that the information has been sent to only’.

    In your opinion, is the difference correct, if not, why not and do you believe CUG is a useful classification to continue with or just use confidential?

     

    Answer:

    Yes, in my opinion it is correct, although you can also add a lower confidentiality level (for example “Public"). For more information, please read this article: "Information classification according to ISO 27001": https://www.iso27001standard.com/blog/2014/05/12/i*************************************************

  • Page policy document on context of the organization


    If you are referring to the clause 4.1 Understanding the organization and its context of the ISO 27001:2013, this article will help you, please read it “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
Page 1079-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +