Implementation, maintenance and improvement of the ISMS
Answer:
Resources for the implementation, maintenance and improvement of the ISMS can be primarily people, although you can also think of financial resources, external companies, external services, or any other resource (internal or external) that the organization needs for the implementation of the ISMS. Here there is a very important point: the roles and responsibilities of the people involved in the scope of the ISMS, and this can be established in each document of the ISMS. For more information about this, please read this: https://community.27001academy.com/forum/iso-27001-i****************************************************
By the way, the document to determine financial resources is the Risk Treatment Plan.
Risk Treatment Plan and Risk Treatment Process
Answer:
In the risk assessment table you need to determine the risk owners and the asset owners, and in the risk treatment plan you need a person responsible for the execution of all actions. You can have a single person for all of them, but it is not my recommendation because they are different things, different steps in risk management (assessment and treatment), so I think that it will be better if you can separate them.
Clauses and security controls
True, our Statement of Applicability (and any other) starts with the clause A.5.
Keep in mind that ISO 27001 has 11 paragraphs, starting at number 0 and finishing at number 10. Furthermore, the standard has an Annex. So, the standard has 2 parts: the "main part of the standard" and the "Annex A". Whenever there is "A.xz" this means the reference is to Annex A; when there is no "A." this means the reference is to the main part of the standard. The Statement of Applicability only shows information about the security controls (included in Annex A of the standard), so when we refer to clause 4, we mean paragraph 4 of the standard ("4. Context of the organization").
How to write ISO 27001 risk assessment methodology
Maybe you can answer one question for me beforehand.... how exactly does one evaluate the impact of a risk.. you know.. the percentage stuff.. say for example an insider incident... an insider exploits their access to steal or modify information.. how do I evaluate the raw probability and the raw impact?
Answer:
For me it is easier to use scales, for example: Low, Medium or High. If you explain precisely what each of these grades means, then it will be rather easy to assess impact or likelihood. If you want, you can see how it's done in our template Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
- Definition of security roles and responsibilities
- Acceptable use of assets
- Secure system engineering principles
- Business continuity procedures
- Legal, regulatory, and contractual requirements
Are these documents in the downloaded templates under some other name, or are they not available in the preview version?
Answer:
Yes, you can find this information in our templates:
- Definition of security roles and responsibilities: Information Security Policy, paragraph 4.5. You can find this document in the folder "04 Information Security Policy". If you want to purchase it separately please see this: https://advisera.com/27001academy/documentation/information-security-policy/
- Secure system engineering principles: As you know, it is related to control A.14.2.5, which is under "A.14.2 Security in development and support processes", so you can use our template Secure Development Policy. You can find it in the folder "08 Annex A/A.14 System acquisition, development and maintenance". If you want to purchase it separately please see this: https://advisera.com/27001academy/documentation/secure-development-policy/
Finally, please remember that, as you know, you can see a free version of all documents if you click on the Free Demo tab.
Control Effectiveness Report
Here it is important to know that it is necessary to measure the effectiveness of the security controls, because if not, how can you know if they are working fine? A report can be useful as input to the Management review, because it gives information about the effectiveness of the ISMS and the security controls to Top Management (clause 9.3 c) 2) establishes: "The management review shall include consideration of feedback on the information security performance, including trends in monitoring and measurement results"). You can measure the effectiveness of each control, but it is easier if you do it per control group, or per control objective. Please read this article, "ISO 27001 control objectives: Why are they important": https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Time out and timed session
Answer:
These terms are not used in the current ISO 27001:2013. They were used in ISO 27001:2005 (but focused on Operating Systems): controls A.11.5.5 Session time-out (shut down inactive sessions after a defined time) and A.11.5.6 Limitation of connection time (shut down the connection after a defined time in high-risk applications), so we can think that now they are not mandatory. Anyway, if your client has implemented both controls, I think that the best is to maintain them.
Clause vs related control or vice-versa
Sorry, but we do not have this information. Keep in mind that it is not mandatory in the standard, and I think that it is not useful. Anyway, I recommend you to read this article where you can see the relations between mandatory documents and clauses of the standard; I think that it will be more useful for you: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Asset list and Certification Audit
Each company should include in its ISMS scope only the assets it controls directly, so overlapping of assets means that they didn't set the scope correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The ISO 27001 certificate is only for 1 organization, so your organization is responsible for the maintenance of its certificate (in terms of its scope). At this point I recommend you to read this article, "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Also, is it possible to develop an SLA between us in such a way that the customer's ISO auditors do not carry out an exhaustive audit of our assets? For example, can we include a statement in the SLA that the service provider (i.e. us) is ISO 27001 certified and hence we avoid the duplication? We, as service provider, can always produce information to demonstrate compliance though. With the above approach, the customer would still be able to identify themselves as ISO certified.
Answer:
It is necessary to study each situation, but generally, in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but anyway there will be 2 different ISMSs, with 2 different scopes, and 2 different internal audits + 2 different certification audits.
Please, if you need more information, give us more information about your situation (scope of your organization, scope of your customer, etc.).