  • Third Party SLA for out-of-scope Systems

    Sorry for the delay! Here you have our answers:

    Each company should include in its ISMS scope only the assets it controls directly – so an overlap of assets means that the scope was not set correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The ISO 27001 certificate is only for one organization, so your organization is responsible for the maintenance of its certificate (in terms of its scope). At this point I recommend that you read this article, "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    It is necessary to study each situation, but generally, in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but there will still be two different ISMSs, with two different scopes, two different internal audits and two different certification audits.
     
    If you need more information, please tell us more about your situation (scope of your organization, scope of your customer, etc.).
  • Risk Assessment Toolkit


    Our Risk Assessment toolkit identifies asset owners, so if you have applications (you can consider them a type of asset), you can assign owners to those applications. Our Risk Assessment toolkit also identifies vulnerabilities and threats (and risk owners). Basically there are no questions in our documentation, but catalogs of assets, threats and vulnerabilities that the asset owners can choose from. You can download our template “Risk Assessment and Risk Treatment Methodology” at this URL (you can see a free version if you click on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
  • Implementation Checklist


    The first thing is that you need all the necessary documents (you can use all our templates). The second thing is to adapt all the documentation to your organization and implement it. An example: you have our template for the Risk Assessment Methodology (to calculate risks), but what assets, vulnerabilities and threats do you have in your organization? So you need to complete each document with the information of your business and generate evidence.

    As you know, you can download our templates from this URL: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    I also recommend that you read this article, where you can find the basic steps for implementing ISO 27001 in your organization, “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    You can also read this article about Annex A, "Overview of ISO 27001:2013 Annex A": https://advisera.com/27001academy/iso-27001-controls/

    Finally, please ask us again if you have more questions about the implementation of the standard in your organization.
  • Information Security Policy


    In the new ISO 27001:2013, clause 5.2 and controls A.5.1.1/A.5.1.2 refer to the same thing: the Information Security Policy. But clause 5.2 describes the top-level information security policy, while controls A.5.1.1 and A.5.1.2 speak about detailed security policies that cover certain areas of information security. Please read this article for more information, “One Information Security Policy, or several policies”: https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

     

    What is your recommendation to record that employees were aware of the policies and other ISMS documents? 

     

    Answer:

    There are several ways, but I recommend that you perform training sessions (inviting all staff). In these sessions you can present the ISMS, requirements, documents, records, etc. For each session you can have a physical attendance sheet signed by all participants. After each session you can also develop a small test to evaluate the awareness of each employee (the results are evidence). If you need information on how to perform training and awareness for ISO 27001, please read this article, “How to perform training & awareness for ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • Documented information


    Yes, it is correct. There are some documents that are mandatory for ISO 27001 (an example is the Access Control Policy, required by clause A.9.1.1). If you want to know the list of mandatory documents and records (remember that they are different things), you can read this article (you can also see non-mandatory documents), “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Interested Parties need clarification of this.  I'm looking for an example of a

    The main point here is that you have to identify all interested parties (this is a requirement in ISO 27001 clause 4.2 a)). So you need to answer this question: who are the interested parties?

    You will find help on how to identify interested parties in this article, "How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Documents and records


    The first thing is that you have to differentiate between documents and records; they are not the same thing. A document can be a procedure, a methodology, a plan, etc. A record can be the result of an internal audit, the result of a management review, logs, etc. So the difference is that a document describes actions, whereas a record is the result (and evidence for auditors) of actions performed.
    Second, you should read this article to see the list of mandatory documents and records that you need for ISO 27001 (you can also see non-mandatory documents), “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Program Source Code

    The control is not only for program source code; it is also for associated items, such as designs, specifications, verification plans and validation plans. It means that you need to control access to them. This can be achieved by controlled central storage of such code (assigning privileges in a network folder, on a file server, or in a code repository with user/password). You also have to be careful with the libraries, which should not be held in operational systems (and you also need to control access to them).
  • ISO 27001:2013 Asset Based Risk Assessment


    If you have an asset-based RA, I suppose that you have implemented ISO 27001:2005 (the old version). If so, your current methodology is accepted by the new version, ISO 27001:2013, so you do not need to make changes. You can see the main changes in ISO 27001:2013 in this article, “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
     
    Also, if you need to develop a new methodology accepted by ISO 27001:2013, I recommend that you read this article, “How to write ISO 27001 risk assessment methodology": https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

     
    Finally, you can use our “ISO 27001/ISO 22301 Risk Assessment Toolkit”. Remember that you can download a free version if you click on the “Free Demo” tab: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
  • Interested parties


    Indeed, you have to identify all interested parties (employees, customers, but also suppliers and partners, shareholders, etc.) affected by the scope of ISO 27001. For this task, this article will be very useful for you; please read it, and if you have another question, ask us: “How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//