
  • Master list of documents

    I've received this question:
    After risk assessment and treatment, I come to find out that there is something called masterlist of documents. I would like to know much about it please. I am not clear about that.
    Answer:
    The master list of documents is not a mandatory document, but it can be very useful for the internal and external auditors, because they can identify what the organization has.
    The main objective of the master list is that the organization knows which documents exist in the ISMS. So, you need to identify all documents of your ISMS and then include them in the master list. For each document, list the name; you can also include the person responsible, the version number and the date of the last change.
    If you need to know the list of mandatory documents of the ISO 27001:2013, I recommend you this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Use of secret authentication information


    As you know, this control is for the use of secret authentication information, which basically means that you need to protect the passwords of the users. For this, you can develop a policy (defining length of passwords, sharing of passwords, change of passwords, etc.), and also you can use software tools (for example Single Sign On) to store and manage them. Obviously the policy and the software can serve as evidence.

    For the development of the policy, I recommend you our resource: “Password Policy”: https://advisera.com/27001academy/documentation/password-policy/
  • Controls A.9.3.1 and A.11.2.8


    Look at the control objective of A.9.3: “To make users accountable for safeguarding their authentication information”, so control A.9.3.1 refers to best practices to protect the password, or the authentication information of the users (there are software tools to store and manage passwords).

    On the other hand, control A.11.2.8 refers to unattended user equipment; it means that when a user leaves his workstation, the system needs to be blocked (for example with a password).

    This article will explain how to train your employees in such cases: 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
  • Nonconformities and Potential Improvements

    Yes, you can do it! Although as you know, preventive actions are not mandatory in the new version (ISO 27001:2013)
  • Differences in BCM 2005 and 2013 revision of ISO 27001


    In your case the update will not be critical, because ISO 27001:2013 has no important changes. If you have implemented a BCM in your organization, then the implementation of the domain “A.17 Information security aspects of business continuity management” is basically the same as it was for ISO 27001:2005.

    You'll learn more in this article: How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Using scales for calculating risk


    If you are using a scale such as High, Medium and Low for Impact and Likelihood, you can use a table like this (columns are the impact, rows are the likelihood):

                          Impact
    Likelihood       Low       Medium    High
    Low              LOW       LOW       MEDIUM
    Medium           LOW       MEDIUM    HIGH
    High             MEDIUM    HIGH      HIGH

    In the table you just cross the impact with the likelihood (for example, columns are the impact, and rows are the likelihood), and in this way get the result of the risk. For example: I = High and L = High gives Risk = HIGH; I = Medium and L = High gives Risk = HIGH.

    An alternative (and simpler) way would be to use the following values: Low = 0, Medium = 1, and High = 2, and addition as the way to calculate the risk. So if I = 2 and L = 1, then the Risk = 3.

    Also this article can help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
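    As an added example (not part of the original answer), the two scoring methods above applied in Python to a constructed risk register. It also checks on which Impact/Likelihood pairs the matrix and the additive method disagree; the cut-offs that map the additive sum back to a level are an assumption, since the answer does not define them.

```python
from itertools import product

LEVELS = ("Low", "Medium", "High")

# Method 1: the impact x likelihood matrix from the answer
# (rows = likelihood, columns = impact).
MATRIX = {
    "Low":    {"Low": "LOW",    "Medium": "LOW",    "High": "MEDIUM"},
    "Medium": {"Low": "LOW",    "Medium": "MEDIUM", "High": "HIGH"},
    "High":   {"Low": "MEDIUM", "Medium": "HIGH",   "High": "HIGH"},
}

# Method 2: Low = 0, Medium = 1, High = 2; risk = impact + likelihood (0..4).
SCORE = {"Low": 0, "Medium": 1, "High": 2}

def matrix_risk(impact, likelihood):
    return MATRIX[likelihood][impact]

def additive_risk(impact, likelihood):
    return SCORE[impact] + SCORE[likelihood]

def additive_level(score, thresholds=(1, 2)):
    """Map the 0..4 sum back to a level: <= thresholds[0] is LOW,
    <= thresholds[1] is MEDIUM, anything higher is HIGH.
    The answer fixes no cut-offs; (1, 2) is an assumption."""
    low_max, medium_max = thresholds
    if score <= low_max:
        return "LOW"
    return "MEDIUM" if score <= medium_max else "HIGH"

def disagreements(thresholds=(1, 2)):
    """(impact, likelihood) pairs on which the two methods give different levels."""
    return [(i, l) for i, l in product(LEVELS, LEVELS)
            if matrix_risk(i, l) != additive_level(additive_risk(i, l), thresholds)]

def prioritize(register):
    """Rank rows (asset, threat, impact, likelihood) for treatment. The additive
    score separates the HIGH cell with sum 4 from those with sum 3, which the
    matrix alone cannot do; ties keep their register order."""
    return sorted(((asset, threat, matrix_risk(i, l), additive_risk(i, l))
                   for asset, threat, i, l in register), key=lambda r: -r[3])

# Constructed sample register, not from the page.
SAMPLE_REGISTER = [
    ("Laptop", "Theft", "Medium", "Medium"),
    ("File server", "Ransomware", "High", "Medium"),
    ("Web site", "Defacement", "Low", "High"),
]
```

    With the (1, 2) cut-offs the two methods agree on every cell, so the matrix is just the additive scheme with those thresholds; `disagreements((0, 2))` shows how moving a cut-off changes the result.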
  • Pandemic - BCP scenario


    The justification could be: each year you need to review your BIA and your Risk Assessment, and in the last one you identified that the loss of staff is very important, so you need to include it in your BCP. It can be the same with another situation that you identify in the latest BIA/Risk Assessment.

    Read also this article: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    And to respond to that client's question: do we have to add a pandemic scenario to our BCP? And currently, we don't include loss of staff in our risk register.

    Answer:

    It should depend on the BIA and Risk Assessment, but the pandemic scenario is very usual in a BCP, so we recommend that you include it.
  • ISO 27001 measurement


    Basically you need to measure the achievement of the security objectives, and the effectiveness of the security controls. To do this, you need metrics, and you can define each one with these fields: name of the metric, description, calculation formula, threshold value, objective value, measuring frequency, source, and the person responsible for managing the metric.

    You'll find these materials helpful:

    Article ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    Webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
  • Incident Log


    Answer:

    ISO 27001 does not prescribe who should do this; best practice is that this is done by a person who coordinates the information security in a company - i.e. Chief Information Security Officer, Information security manager, or similar.
  • ISO 27001 risk assessment


    Risk assessment methodology is a document that describes the rules for your risk assessment - therefore, you should write this methodology before starting to perform the risk assessment. It would be better to choose only the qualitative analysis in your methodology because quantitative is much more difficult, and it is not mandatory.

    These materials will help you:

    article ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    article How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/