
  • Checklist


    - Definition of security roles and responsibilities

    - Acceptable use of assets

    - Secure system engineering principles

    - Business continuity procedures

    - Legal, regulatory, and contractual requirements

    Are these documents in the downloaded templates under some other name, or are they not available in the preview version?

    Answer:

    Yes, you can find this information in our templates:

    - Definition of security roles and responsibilities: Information Security Policy, paragraph 4.5. You can find this document in the folder "04 Information Security Policy". If you want to purchase it separately, please see this: https://advisera.com/27001academy/documentation/information-security-policy/

    - Acceptable use of assets: Acceptable Use Policy. You can find this document in the folder "08 Annex A/A.8 Asset management". If you want to purchase it separately, please see this: https://advisera.com/27001academy/documentation/it-security-policy/

    - Secure system engineering principles: As you know, it is related to the control A.14.2.5, which is below "A.14.2 Security in development and support processes", so you can use our template "Secure Development Policy". You can find it in the folder "08 Annex A/A.14 System acquisition, development and maintenance". If you want to purchase it separately, please see this: https://advisera.com/27001academy/documentation/secure-development-policy/

    - Business continuity procedures: You can find this in the folder "A.17 Business Continuity". Also, if you want to purchase our ISO 22301 documentation toolkit separately, please see this: https://advisera.com/27001academy/iso22301-documentation-toolkit/

    - Legal, regulatory, and contractual requirements: Procedure for Identification of Requirements and Appendix List of Legal, Regulatory, Contractual and Other Requirements. You can find these documents in the folder "02 Procedure for Identification of requirements". If you want to purchase it separately, please see this: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    Finally, please remember that, as you know, you can see a free version of all documents if you click on the "Free Demo" tab.
  • Control Effectiveness Report


    Here it is important to know that it is necessary to measure the effectiveness of the security controls, because if not, how can you know if they are working fine? A report can be useful as input to the Management review, because it gives information about the effectiveness of the ISMS and the security controls to the Top Management (clause 9.3 c) 2) establishes: "The management review shall include consideration of feedback on the information security performance, including trends in monitoring and measurement results"). You can measure the effectiveness of each control, but it is easier if you do it per control group, or per control objective. Please read this article "ISO 27001 control objectives – Why are they important": https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Time out and timed session


    Answer:

    These terms are not used in the current ISO 27001:2013. They were used in ISO 27001:2005 (but focused on operating systems): controls A.11.5.5 Session time-out (shut down inactive sessions after a defined time) and A.11.5.6 Limitation of connection time (shut down the connection after a defined time in high-risk applications), so we can think that they are now not mandatory. Anyway, if your client has implemented both controls, I think that the best is to maintain them.
  • Clause vs related control or vice-versa


    Sorry, but we do not have this information. Keep in mind that it is not mandatory in the standard, and I think that it is not useful. Anyway, I recommend you to read this article, where you can see the relations between mandatory documents and clauses of the standard; I think that it will be more useful for you: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Asset list and Certification Audit


    Each company should include in its ISMS scope only the assets they control directly, so overlapping of assets means that they didn't set the scope correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The ISO 27001 certificate is only for 1 organization, so your organization is responsible for the maintenance of its certificate (in terms of its scope). At this point I recommend you to read this article "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Also, is it possible to develop an SLA between us in such a way that the customer's ISO auditors do not carry out an exhaustive audit of our assets? For example, can we include the statement in the SLA that the service provider (i.e. us) is ISO 27001 certified and hence we avoid the duplication? We, as service provider, can always produce information to demonstrate compliance though. With the above approach, the customer would still be able to identify themselves as ISO certified.

    Answer:

    It is necessary to study each situation, but generally, in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but anyway there will be 2 different ISMS, with 2 different scopes, and 2 different internal audits + 2 different certification audits.

    Please, if you need more information, give us more information about your situation (scope of your organization, scope of your customer, etc.).
  • Nomenclature recommended for control of the documentation


    As you know, establishing a common codification for all documents is not mandatory in the standard, but for me it is recommendable because your system will be better ordered. There are various ways; one can be: ISMS-TypeDocument-NameDocument-Version. Example: ISMS-Policy-SecurityPolicy-v1, ISMS-Procedure-InternalAudit-v1, ISMS-Report-InternalAudit-v1, etc.

    Finally, please remember the list of mandatory documents (and non-mandatory ones) by reading this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Risk Acceptance Criteria


    The organization can accept the risk, but as you know it is necessary to establish criteria. What criteria? Please read this article "Risk appetite and its influence over ISO 27001 implementation": https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    And you always have to generate evidence; in this case, for the approval of the Top Management you can use a record of a meeting.
  • Secure System Engineering Principles Document


    It is in another document. Keep in mind that, as you know, it is related to the control A.14.2.5, and it is below the section "A.14.2 Security in development and support processes", so to comply with this point you can use this template "Secure Development Policy"; you will find it in the toolkit in folder "08 Annex A - A.14 System acquisition, development and maintenance": https://advisera.com/27001academy/documentation/secure-development-policy/
  • Some questions about ISO 27001:2013


    The purpose is to define a person or entity with the accountability and authority to manage a risk (this is a definition that you can find in ISO 27000:2014). And to determine the risk owners you should aim for someone who is closely related to the processes and operations where the risks have been identified. Please read this article for more information "Risk owners vs. Asset owners in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    Is a communication plan mandatory in the ISMS documentation? (clause 7.4)

    Answer:

    No, it is not mandatory. You can find a list of mandatory documents here "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    The objectives mentioned in clause 6.2, do they refer to the objectives in the Statement of Applicability? (e.g.: in my company, we chose the whole Annex A for our SoA)

    Answer:

    The objectives in ISO 27001 clause 6.2 can be set both for the whole ISMS and/or for the control objectives in the Statement of Applicability; usually, the objectives are set at two levels: (1) the general ISMS level, and (2) the level of security processes or security controls. See also this article: "ISO 27001 control objectives – Why are they important?": https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Asset category


    You can identify it as "Outsourced services", because it is a service that will be done by an external company. Please read this article for more information about this "How to handle Asset register (Asset inventory) according to ISO 27001": https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/