
  • ISO 27001 on a personal level


    Any company (small, medium or big) can implement and certify ISO 27001, and our templates are developed for small and medium companies, so if you are interested in it, you can see our Toolkit (you can see a free version of each document if you click on the “Free Demo” tab): https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    If you are new to this world of information security and ISO 27001, and you want to learn more about it, it can be very interesting for you to see our webinars (you can filter by ISO 27001): https://advisera.com/27001academy/webinars/

    Also, you can use our free resources: https://advisera.com/27001academy/free-downloads/

    Finally, please let me know if you have any questions.
  • Clause 7.2


    You must prove that the people involved in the implementation of the ISMS have the competence to perform these tasks, and you need to have evidence that you gave training to all company employees (mainly those who are involved in the scope of the ISMS) to make them aware.

    Finally, I recommend that you read this article; I think it will be useful for you: "How to perform training & awareness for ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • Your organization and your customer


    So, is ISO 27001 applicable to me? Or just to a company that provides services?

    Answer:

    In this scenario, you can implement and certify ISO 27001 in your organization, and your customer can also implement and certify ISO 27001 in their business. The only difference will be the scope of the ISMS. In your case it could be your development services, the information systems that support your services, etc. In the case of your customer, the scope could be the services that they offer, the information systems that support their services, etc. So, you could have an ISO 27001 certificate, and your customer could also have an ISO 27001 certificate, but with a different scope.

    If you need more information about the scope, please read this article “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Implementation, maintenance and improvement of the ISMS


    Answer:

    Resources for the implementation, maintenance and improvement of the ISMS are primarily people, although you can also think of financial resources, external companies, external services, or any other resource (internal or external) that the organization needs for the implementation of the ISMS. Here there is a very important point: the roles and responsibilities of the people involved in the scope of the ISMS, and these can be established in each document of the ISMS. For more information about this, please read this: https://community.27001academy.com/forum/iso-27001-i****************************************************

    By the way, the document to determine financial resources is the Risk Treatment Plan.
  • Risk Treatment Plan and Risk Treatment Process


    Answer:

    In the risk assessment table you need to determine the risk owners and the asset owners, and in the risk treatment plan you need a person responsible for the execution of all actions. You can have a single person for all of them, but it is not my recommendation because they are different things, different steps in risk management (assessment and treatment), so I think it will be better if you can separate them.
  • Clauses and security controls


    True, our Statement of Applicability (and any other) starts with clause A.5.

    Keep in mind that ISO 27001 has 11 paragraphs, starting at number 0 and finishing at number 10. Furthermore, the standard has an Annex. So, the standard has 2 parts: the "main part of the standard" and "Annex A”. Whenever there is "A.xz", this means the reference is to Annex A; when there is no "A.", this means the reference is to the main part of the standard. The Statement of Applicability only shows information about the security controls (included in Annex A of the standard), so when we refer to clause 4, we mean paragraph 4 of the standard ("4. Context of the organization”).

    For more information about Annex A of ISO 27001, please read this article “Overview of ISO 27001:2013 Annex A”: https://advisera.com/27001academy/iso-27001-controls/

    If you need more information about the list of mandatory documents required by ISO 27001, please read this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Identify Internal and External issues

    Sure, you can use our template for the identification of internal and external parties "Procedure for Identification of Requirements": https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/

    Also, I recommend that you read this article "How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • How to write ISO 27001 risk assessment methodology


    Maybe you can answer one question for me beforehand... how exactly does one evaluate the impact of a risk... you know... the percentage stuff... say for example an insider incident... an insider exploits their access to steal or modify information... how do I evaluate the raw probability and the raw impact?

    Answer:

    For me it is easier to use scales, for example: Low, Medium or High. If you explain precisely what each of these grades means, then it will be rather easy to assess impact or likelihood. If you want, you can see how it's done in our template “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    Also, you can read this article where we talk about “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Checklist


    - Definition of security roles and responsibilities

    - Acceptable use of assets

    - Secure system engineering principles

    - Business continuity procedures

    - Legal, regulatory, and contractual requirements

    Are these documents in the downloaded templates under some other name, or are they not available in the preview version?

    Answer:

    Yes, you can find this information in our templates:

    - Definition of security roles and responsibilities: Information Security Policy, paragraph 4.5. You can find this document in the folder: "04 Information Security Policy”. If you want to purchase it separately please see this: https://advisera.com/27001academy/documentation/information-security-policy/

    - Acceptable use of assets: Acceptable Use Policy. You can find this document in the folder: “08 Annex A/A.8 Asset management”. If you want to purchase it separately please see this: https://advisera.com/27001academy/documentation/it-security-policy/

    - Secure system engineering principles: As you know, it is related to control A.14.2.5, which is under "A.14.2 Security in development and support processes”, so you can use our template “Secure Development Policy”. You can find it in the folder: “08 Annex A/A.14 System acquisition, development and maintenance”. If you want to purchase it separately please see this: https://advisera.com/27001academy/documentation/secure-development-policy/

    - Business continuity procedures: You can find these in the folder “A.17 Business Continuity”. Also, if you want to purchase our ISO 22301 documentation toolkit separately please see this: https://advisera.com/27001academy/iso22301-documentation-toolkit/

    - Legal, regulatory, and contractual requirements: Procedure for Identification of Requirements and Appendix List of Legal Regulatory Contractual and Other Requirements. You can find these documents in the folder: “02 Procedure for Identification of requirements”. If you want to purchase it separately please see this: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    Finally, please remember that, as you know, you can see a free version of all documents if you click on “Free Demo” tab.
  • Control Effectiveness Report


    Here it is important to know that it is necessary to measure the effectiveness of the security controls, because if not, how can you know whether they are working well? A report can be useful as input to the Management review, because it gives information about the effectiveness of the ISMS and the security controls to Top Management (clause 9.3 c) 2) establishes: “The management review shall include consideration of feedback on the information security performance, including trends in monitoring and measurement results"). You can measure the effectiveness of each control, but it is easier if you do it per control group, or per control objective. Please read this article “ISO 27001 control objectives – Why are they important”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/