Search results

Home / Search

Category:
Select
Select

11268 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Scope of ISO 27001 for a software project


    You can include in the scope of the certification the activities related to your software project, processes related to your software project, department that works on this project, or you can certify all activities related to the whole company. However, you cannot certify only the project itself - the point is that your organization is certified, not your product. 

    For more information about the definition of the scope, you can read this article: “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

  • Personal computer in the Inventory of assets


    Basically this is not recommendable, because there can be a risk which the organization cannot control (who updates the software?, who buys the anti-virus?, who makes the backups?).

    To mitigate such risks (for the equipment that are not included in your scope, i.e. not in your asset inventory), you should develop a policy for the use of personal equipment of the personnel, it is known usually as “BYOD” (Bring Your Own Device).

    You can use this template for the development of this policy “Bring Your Own Device (BYOD) Policy”: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/

  • Auditor findings - Opportunities for improvement


    It is not true. The Opportunity of Improvement are recommendations of the auditor, and never will be a Non-Conformity. However an observation yes, this can become a Non-Conformity if the organization do not resolve it.

    For the internal audit the situation is the same, but in this case is would be interesting that you include in your procedure of internal audit the definition of each finding (Non-Conformity Major, Non-Conformity Minor, Observation, Opportunity of Improvement).

    If you need information for the development of the procedure of Internal Audit, you can see our video tutorial “Documentation Tutorial: How to write ISO 27001/ISO 22301 Internal Audit Procedure and Audit Program”: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

  • Master list of documents

    I've received this question:
    After risk assessment and treatment, I come to find out that there is something called masterlist of documents. I would like to know much about it please. I am not clear about that.
    Answer:
    Master list of documents is not a mandatory document, but it can be very useful for the Internal and External auditors, because they can identify what the organization has.
    The main objective of the master list is that the organization knows which documents exists in the ISMS. So, you need to identify all documents of your ISMS and then include it in the master list. For each document list the name, you can also include the person responsible, number of version and date of last change.
    If you need to know the list of mandatory documents of the ISO 27001:2013, I recommend you this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  • Use of secret authentication information


    As you know, this control is for the use of secret authentication information, this means basically that you need to protect the passwords of the users. For this, you can develop a policy (defining length of passwords, share of passwords, change of passwords, etc.), and also you can use software tools (for example Single Sign On) to store and manage them. Obviously the policy and the software can serve as evidence.

    For the development of the policy, I recommend you our resource: “Password Policy”: https://advisera.com/27001academy/documentation/password-policy/

  • Controls A.9.3.1 and A.11.2.8


    Look at the control objective of the A.9.3: “To make users accountable for safeguarding their authentication information”, so the control A.9.3.1 is refer to best practices to protect the password, or the authentication information of the users (there are software tools to store and manage passwords).

    On the other hand, the control A.11.2.8 is refer to unattended user equipment, it means that when a user leave his workstation, the system needs to be blocked (for example with a password).

    This article will explain how to train your employees in such cases: 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

  • NonConformities and Potential Imrovements

    Yes, you can do it! Although as you know, preventive actions are not mandatory in the new version (ISO 27001:2013)

  • Differences in BCM 2005 and 2013 revision of ISO 27001


    In your case the update will be no critical, because the ISO 27001:2013 no has important changes. If you have implemented a BCM in your organization, then the implementation of the domain “A.17 Information security aspects of business continuity management” is basically the same way that it was for the ISO 27001:2005.

    You'll learn more in this article: How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

  • Using scales for calculating risk


    If you are using scale as High, Medium and Low for impact and Likelihood, syou can use a table like this:

                     Low          Medium     High
    Low           LOW        LOW          MEDIUM
    Medium     LOW        MEDIUM    HIGH
    High          MEDIUM  HIGH         HIGH

    In the table you just cross the impact with the likelihood (for example, columns are the impact, and rows are the likelihood), and in this way get the result of the risk. For example: I= High and L=High; Risk= HIGH, I=Medium and L=High; Risk=HIGH

    Alternative (and simpler) way would be to use the following values: Low = 0, Medium = 1, and High =2; and addition as a way to calculate the risk. So if the I = 2, and L = 1, th en the Risk = 3.

    Also this article can help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

  • Pandemic - BCP scenario


    The justification could be: Each year you need to review your BIA and your Risk Assessment, and in the last, you identify that the loss of staff is very important, so you need to include it in your BCP. It can be the same with another situation that you identify in the last BIA/Risk Assessment.

    Read also this article: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    And to respond to that client's question, do we have to add pandemic scenario to our BCP? And currently, we dont include loss of staff in our risk register.

    Answer:

    It should depe nd on the BIA and Risk Assessment, but the pandemic scenario is very usual in a BCP, so we recommended you to include it.
Page 1085-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +