
  • Quick Risk assessment


    No, it is not correct, and it is not a control in the ISO: “The System shall have a logoff button”. One way to perform the risk assessment (although you can develop your own methodology): a.- Identify assets (software can be a type of asset, and an app can be an asset), b.- Identify threats related to the assets (you can do it with a catalogue), c.- Calculate risks (based on impact and likelihood). If the risk is below a level defined by the organization, it is acceptable, and there is no problem (current controls for the asset are sufficient). If the risk is above, then the organization must apply controls to reduce it to an acceptable level. What controls? Those defined in Annex A of ISO 27001.
    I recommend that you read these articles:
    “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    Finally, here is a free webinar that I think can be very interesting for you: “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Business Continuity


    Yes, we have a template that can help you. Please see this (try our free version by clicking on the “Free Demo” tab) : https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    Also read this article “How to write business continuity plans?” : https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    This free webinar can also be very interesting for you: “ISO 22301 Foundations Part 3: Business Continuity Planning” : https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar/

    Finally, keep in mind that ISO 22301 is focused on Business Continuity Management, and it is more detailed for the Business Continuity Plan, so we can use it as a reference for the development of the Business Continuity Plan required by A.17 of ISO 27001.
  • Disaster


    b.- What constitutes a disaster? Or how can you define a disaster in such a way that both the customer and a possible vendor know when to activate the DR plan?

     

    Answer:

    A disaster is basically a situation when the activities are disrupted for longer than their RTO. You can read more about this here “Activation procedures for business continuity plan” : https://advisera.com/27001academy/blog/2011/09/26/activation-procedures-for-business-continuity-plan/. Keep in mind that “Disaster recovery” and “Business continuity” are not the same (basically the first is a part of the second). To know more about this, please read this article “Disaster recovery vs Business continuity” : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

    The RTO is the Recovery Time Objective; this means the time defined in your business within which a business process must be restored after a disaster. If you need more information about this, please read: “How to implement business impact analysis (BIA) according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    Now, do you need to write a Business Continuity Plan? Please read this article “How to write business continuity plan” : https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    This article can also be interesting for you: “Disaster recovery site – What is the ideal distance from primary site?” : https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
  • Asset management


    a.- Do we have to list assets that contain information only?

    b.- I understand ISMS is about Information Security, but in our asset list we have listed equipment such as UPS, Generator, Cooling system etc. Is that OK?

    c.- And since we have listed these items in our asset register, it’s also included in our risk register.

    d.- Our risk methodology is asset based (from version 2005). Now in 2013, we know that there’s a flexibility, but we are still keeping it asset based. However, can we include other risks that are not derived from Assets – threats/vulnerabilities?

     

    Answer:

    a.- No, if you have chosen to follow the asset-based risk assessment then you have to list both the assets that contain the information (e.g. CDs, computers, etc.) and the assets that do not contain the information but can influence the security of information (e.g. air conditioning in the server room).

    b.- Yes, you can identify these assets, because they are related to the maintenance of the information systems (UPS, generator, etc.), which are related to the information security.

    c.- OK, right: whichever list is created first will serve for developing the other list.

    d.- In principle, if the risk is related to the information security, yes, you can include it in your risk assessment. Also, you can keep your risk methodology asset based. Anyway, I recommend this article to you: “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/

    Finally, if you need more information about how to identify assets, I recommend this article to you: “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • ISO 27001 on a personal level


    Any company (small, medium and big) can implement and certify ISO 27001, and our templates are developed for small and medium companies, so if you are interested in it, you can see our Toolkit (you can see a free version of each document if you click on the “Free Demo” tab): https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    If you are new to this world of information security and ISO 27001, and you want to learn more about it, our webinars can be very interesting for you (you can filter by ISO 27001): https://advisera.com/27001academy/webinars/

    You can also use our free resources: https://advisera.com/27001academy/free-downloads/

    Finally, please let me know if you have any questions.
  • Clause 7.2


    You must prove that the people involved in the implementation of the ISMS have the competence to perform these tasks, and you need to have evidence that you gave training to all company employees (mainly those who are involved in the scope of the ISMS) to make them aware.

    Finally, I recommend that you read this article, which I think will be useful for you: "How to perform training & awareness for ISO 27001 and ISO 22301" : https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • Your organization and your customer


    So, is ISO 27001 applicable for me? Or just to a company that provides services?

     

    Answer:

    In this scenario, you can implement and certify ISO 27001 in your organization, and your customer can also implement and certify ISO 27001 in their business. The only difference will be the scope of the ISMS. In your case it could be your development services, the information systems that support your services, etc. In the case of your customer, the scope could be the services that they offer, the information systems that support their services, etc. So, you could have an ISO 27001 certificate, and your customer could also have an ISO 27001 certificate, but with a different scope.

    If you need more information about the scope, please read this article “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Implementation, maintenance and improvement of the ISMS


     

    Answer:

    Resources for the implementation, maintenance and improvement of the ISMS can primarily be people, although you can also think of financial resources, external companies, external services, or any other resource (internal or external) that the organization needs for the implementation of the ISMS. Here there is a very important point: the roles and responsibilities of the people involved in the scope of the ISMS, and these can be established in each document of the ISMS. For more information about this, please read this: https://community.27001academy.com/forum/iso-27001-i****************************************************

    By the way, the document to determine financial resources is the Risk Treatment Plan.
  • Risk Treatment Plan and Risk Treatment Process


     

    Answer:

    In the risk assessment table you need to determine the risk owners and the asset owners, and in the risk treatment plan you need a person responsible for the execution of all actions. You can have a single person for all of them, but it is not my recommendation because they are different things, different steps in the risk management (assessment and treatment), so I think that it will be better if you can separate them.
  • Clauses and security controls


    True, our Statement of Applicability (and any other) starts with clause A.5.

    Keep in mind that ISO 27001 has 11 paragraphs, starting at number 0 and finishing at number 10. Furthermore, the standard has an Annex. So, the standard has 2 parts: the "main part of the standard" and "Annex A". Whenever there is "A.xz" this means the reference is to Annex A; when there is no "A." this means the reference is to the main part of the standard. The Statement of Applicability only shows information about the security controls (included in Annex A of the standard), so when we refer to clause 4, we mean paragraph 4 of the standard ("4. Context of the organization").

    For more information about Annex A of ISO 27001, please read this article “Overview of ISO 27001:2013 Annex A” : https://advisera.com/27001academy/iso-27001-controls/

    If you need more information about the list of mandatory documents required by ISO 27001, please read this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/