
  • Information Security in Project Management


    ·         How should I understand this new control?

    ·         How should I apply this new control to the projects of my company? (please give me an example)

    In my company, the area responsible for projects is asking me to support them on how to address this topic in organizational projects (technology, operational, etc.).

     

    Answer:

    Basically, this control means that you have to keep information security in mind when managing a project; therefore, to implement it in an organization, you can do the following: a) include information security objectives in the project objectives, b) perform an information security risk assessment at an early stage of the project to identify possible controls, c) take information security into account in all phases of the organization's project methodology.

    In any case, remember that it is not mandatory to have a document for this control. If you want to know the list of mandatory (and non-mandatory) documents of ISO 27001, you can read this article (in English) "List of mandatory documents required by ISO 27001 (2013 revision)":

     https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Impact in the ISO 27001


       2. What exactly is the type of impact we are referring to? Is it monetary or operational impact? e.g. the impact of a server being down may not have a cost, but a delay in doing work for some users with no monetary impact, so how do we describe such an impact?

       3. When doing the risk assessment in ISO 22301 (BCM), do we only assess the impact in terms of availability?

       4. Do we identify an asset as a whole (i.e. hardware and software in case of a server) or not?

     

    Answer:

    1. The impact of a threat affects the organization.
     
    2. The impact has to be assessed in terms of the damage to the Confidentiality, Integrity and Availability of the information.
     
    If a server (with critical information) is down, it can be a risk for the organization (which can be based on the Likelihood and the Impact of threats). How can you calculate it? I recommend this free webinar “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
     
    I also recommend that you see our methodology (you can see a free version if you click on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
      
    3. Yes, in this case the ISO 27001 risk assessment is more complete, and you also use it for ISO 22301. Please read this article “Can ISO 27001 risk assessment be used for ISO 22301?”: https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
     

    4. For me, it is better to identify each type of asset in a different way. For example: machine HP DL-380 (type hardware), Windows 2003 server (type software), electronic documents, procedures, etc. (type Information). Why? Because the threats that affect the software are not the same as the threats that affect the hardware and the Information. For more information about registering assets, please read this article “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Information classification


    To me CUG is for a select number of people in say a committee and confidential is for say ‘the person that the information has been sent to only’.

    In your opinion, is the difference correct, if not, why not and do you believe CUG is a useful classification to continue with or just use confidential?

     

    Answer:

    Yes, in my opinion it is correct, although you can also add a lower confidentiality level (for example “Public”). For more information, please read this article "Information classification according to ISO 27001": https://www.iso27001standard.com/blog/2014/05/12/i*************************************************
  • Page policy document on context of the organization


    If you are referring to clause 4.1 Understanding the organization and its context of ISO 27001:2013, this article will help you; please read it: “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • Information technology and Risk management


    It is so because, for example, if you have a disk drive without data or without information, there are no risks related to information security (you only have technology), so risk management in this case is not necessary.
  • Information Security in Project Management and Legal aspects


       2) What are the legal aspects I should be looking for, for a mid-sized IT services company?

     

    Answer:

    1) As you know, it is related to control A.6.1.5, and to implement it you can do this in your organization: a) include information security objectives in project objectives, b) perform an information security risk assessment at an early stage of the project to identify necessary controls, and c) make information security part of all phases of the applied project methodology.
     
    2) It depends on your country, but common laws (at least in Europe) are related to the protection of personal data, intellectual property and electronic signatures. To know more about the laws and regulations in each country, please see this “List of legal, regulatory, contractual and other requirements”: https://www.infosecpedia.info/laws-regulatio*******************************************
  • ISO 27002 certification


    I think so, because ISO 27002:2013 has 114 security controls, and most of them are directly related to technology (Cryptography, Operations security, Communications security, etc.). Therefore this certification can help you to prove that you have good knowledge of an international standard which is composed of security controls, many of them technological. Furthermore, with your skills I think that it will probably be very easy for you to pass the exam.

    Finally, also keep in mind that personal certificates can help your company’s ISMS; if you want to know more about this, please read this article “How personal certificates can help your company’s ISMS”: https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
  • Becoming ISO 27001 auditor


    Sorry, but we are not sure if you are interested in internal audits or certification audits. The Auditor training course is very recommendable for both, but it is also necessary to have experience in the standard (at a minimum as a junior consultant). In the case of internal audit, the pay rate depends on your experience and also on the company that you want to audit and its location (there are countries where the pay rate is lower for any job). In the case of the certification audit, the pay rate depends on the certification body, and here also your experience will be very important. So, the more experience you have, the easier it will be for you to find jobs as an auditor, and the higher your pay rate will be.

    If you want to become an ISO 27001 internal auditor, please read this article “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    You can also read this article “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Clauses 4.1 and 4.4


    There are no templates for clauses 4.1 and 4.4 because they are not mandatory. Keep in mind that something is only mandatory if the standard establishes it. Example: you can see at the end of clause 4.3 “The scope shall be available as documented information”. And as you know, we have a template for this in the folder “03 ISMS Scope Document”.
     
    Remember that you can see the list of mandatory documents here: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
     
    You can also read this article “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • Structure of the Risk Treatment Plan

    ISO 27001 does not prescribe the structure of the Risk Treatment Plan, but if you follow the logic of clause 6.2, then you should include the following information: what to implement, by whom, when, using which resources, etc. You can see a preview of the Risk treatment plan here (look for the "Free Demo" tab): https://advisera.com/27001academy/documentation/risk-treatment-plan/

    In my opinion, the best would be to organize the Risk treatment plan according to controls - first of all RTP is based on Statement of Applicability (which is also based on controls), and second the implementation will be much easier if the planning is done control by control.

    Read also this article: Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment