Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11286 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Asset list and Certification Audit
Each company should include in its ISMS scope only the assets they control directly - so overlapping of assets means that they didn't set the scope correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The certificate of the ISO 27001 is only for 1 organization, so your organization is responsible of the maintenance of his certificate (in terms of his scope). At this point I recommend you to read this arti cle "How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Also is it possible to develop an SLA between us in such a way that customer's ISO auditors do not carry out an exhaustive audit of our assets. For e.g. can we include the statement in the SLA that the service provider (i.e. us) is ISO 27001 certified and hence we avoid the duplication. We, as service provider, can always produce information to demonstrate compliance though. With the above approach, the customer would still be able to identify themselves as ISO certified.
Answer:
It is necessary to study each situation, but generally in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but anyway there will be 2 different ISMS, with 2 different scope, and 2 different internal audit + 2 different certification audit.
Please, if you need more information, give us more information about your situation (scope of your organization, scope of your customer, etc). -
Nomenclature recommended for control of the documentation
As you know, establish a common codification for all documents is not mandatory in the standard, but for me is recommendable because your system will be better ordered. There are various ways, one can be: ISMS-TypeDocument-NameDocument-Version. Example: ISMS-Policy-SecurityPolicy-v1, ISMS-Procedure-InternalAudit-v1, ISMS-Report-InternalAudit-v1, etc.
Finally, please remember what is the list of mandatory documents (and not mandatory), reading this article List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Risk Acceptance Criteria
The organization can accept the risk, but as you know it is necessary to establish a criteria. What criteria? Please read this article Risk appetite and its influence over ISO 27001 implementation: https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
And always you have to generate evidences, in this case for the approval of the Top Management you can use a record of a meeting. -
Secure System Engineering Principles Document
It is in another document. Keep in mind that, as you know, it is related to the control A.14.2.5, and it is below the section "A.14.2 Security in development and support processes", so to comply with this point you can use this template Secure Development Policy - you will find it in the toolkit in folder 08 Annex A - A.14 System acquisition, development and maintenance: https://advisera.com/27001academy/documentation/secure-development-policy/ -
Some questions about ISO 27001:2013
The purpose is to define a person or entity with the accountability and authority to manage a risk (this a definition that you can find in the ISO 27000:2014). And to determine the risk owners you should aim for someone who is closely related to processes and operations where the risks have been identified. Please read this article for more information Risk owners vs. Asset owners in ISO 27001:2013: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Is a communication plan mandatory in the ISMS documentation ? (clause 7.4)
Answer:
No, it is not mandatory. You can find a list of mandatory documents here List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/.
The objectives mentioned in clause 6.2, does it refer to the objectives in the Statement Of Applicability (e.g. : in my company, we chose the whole Annex A for our SoA)
Answer:
The objectives in ISO 27001 clause 6.2 can be set both for the whole ISMS, and/or for the control objectives in the Statement of Applicability - usually, the objectives are set at two levels: (1) the general ISMS level, and (2) at the level of security processes or security controls. See also this article: ISO 27001 control objectives Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/ -
Asset category
You can identify it as Outsourced services, because is a service that will be done by a external company. Please read this article for more information about this How to handle Asset register (Asset inventory) according to ISO 27001: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Risk related to our building
After the Risk Assessment you need to perform the Risk Treatment, and basically for each risk you have 4 options: a.- Apply security controls, b.- Transfer the risk to another party, c.- Avoid the risk by stopping an activity that is too risky, d.- Accept the risk (when the cost for mitigating the risk is higher that the damage itself). In accordance with the situation that you are described, the bes t option for your business is d. In this case, I recommend you to talk with Top Management, because they have to know this situation and they need to accept formally the risks.
Also I recommend you to read this article about the difference between the Risk Treatment Plan and the Risk Treatment process Risk Treatment Plan and Risk Treatment Process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment -
Internal and External Issues
The important here is that you have to define roles and responsibilities of employees of the Organization that are involved in the scope of the ISMS (furthermore, as you know, business strategy and objectives, capabilities and resources, etc).
In the article that you have referenced (Explanation of ISO 27001:2013 clause 4.1 (Understanding the Organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/), there are information enough to comply with the clause 4.1 of the ISO 27001:2013. It is also important that you know that in the Informati on Security Policy you can define the responsibilities. You can see a free version of our template at this URL (please click on Free Demo tab): https://advisera.com/27001academy/documentation/information-security-policy/ And of course, if you need more information please ask us.
In our templates, each policy and procedure defines roles and responsibilities, this is so because the ISO 27001 does not require you to have a centralized list of security roles and responsibilities. You can read more information about this here: https://community.advisera.com/topic/roles-and-responsibilities-2/ -
Third Party SLA for out-of-scope Systems
Sorry for the delay! Here you have our answers:
Each company should include in its ISMS scope only the assets they control directly so overlapping of assets means that they didn't set the scope correctly; and sharing the asset list is not necessary if the ISMS scope document is written precisely enough. The certificate of the ISO 27001 is only for 1 organization, so your organization is responsible of the maintenance of his certificate (in terms of his scope). At this point I recommend you to read this article "How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
It is necessary to study each situation, but generally in accordance with my last point, each auditor has to audit each ISMS (based on the scope of each one). So, in this scenario you can develop this SLA, but anyway there will be 2 different ISMS, with 2 different scope, and 2 different internal audit + 2 different certification audit.
Please, if you need more information, give us more information about your situation (scope of your organization, scope of your customer, etc). -
Risk Assessment Toolkit
Our Risk Assessment toolkit identifies assets owner, so if you have applications (you can consider it as type of asset), you can have owners to those applications. Also our Risk Assessment toolkit identifies vulnerabilities and threats (and risk owners). Basically there are no questions in our documentation, but catalogs of assets, threats and vulnerabilities the asset owners can choose from. You can download our template Risk Assessment and Risk Treatment Methodology at this URL (you can see a free version if you click on Free Demo tab) : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/