
  • SOA Related

    In Statement of Applicability you could simply add columns "Applicability" and "Status" for each location - this way you would show which controls are applicable for each location, and whether they are implemented or not in a particular location.
  • Difference between contingency, recovery and response plans?

    Neither ISO 22301 nor ISO 27001 prescribes the structure of the business continuity plan, but usually the plans are structured as follows:
    - Business Continuity Plan is only a top-level document describing some general activities
    - Incident Response Plans are the plans where responses to particular incidents are described
    - Recovery Plans (for each activity) describe how each activity is to be recovered from a disruption

    And yes, the format for these 3 types of plans is often different. This article will also help you: Activation procedures for the business continuity plan https://advisera.com/27001academy/blog/2011/09/26/activation-procedures-for-business-continuity-plan/

    As I described above, the response plan is used for directly responding to an incident; regarding contingency and recovery plans, the ISO standards do not make a difference between them.
  • ISO27001:2013 - 6.1.3 c) - verifying that no controls have been left out


    I understand that the policy must dictate that there is a procedure for this, and I have created an entry in the Risk Assessment and Treatment Methodology around this process; however, I was wondering if this needed to be evidenced? Would I be required to, for each risk, identify that each control was considered and, where it was not selected, why?

    Answer:

    I have a small correction to your statement - clause 6.1.3 c) of ISO 27001 says "... verify that no necessary controls have been omitted." - therefore you don't have to verify this for each and every risk.

    The answer to your question lies in writing the Statement of Applicability - it will enable you:

    - To decide for each control from Annex A whether it is applicable or not, and
    - To declare why you didn't select particular controls.

    Statement of Applicability is a mandatory document, so you'll have everything documented - learn more here: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Implementation guidance ISO 27002


    Let me give an example: based on our risk evaluation we have determined that control "9.4.2 Secure log-on procedures" applies. In our Access Control Policy we have tried to follow the implementation guidance for control 9.4.2, as indicated in ISO/IEC 27002:2013, but we cannot comply with some of the requisites. Taking into account that the standard says that "a good log-on procedure should", not "a good log-on procedure must", we think we are right.

    Could we have a problem with the certification audit?

    Answer:

    You are right, ISO 27002 is not mandatory; it is only a guideline. You do not have to apply everything that is written in ISO 27002; you have to apply only what ISO 27001 requires of you.

    Unfortunately, sometimes the certification auditors look towards ISO 27002, but you can clear this up very easily with them - simply ask them whether they think ISO 27002 is mandatory or not.

    This article will help you: ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Is equipment in data center to be considered as assets or controls?


    Answer:

    Theoretically, you could consider this equipment as controls only, but to be on the safe side you should consider them as assets, because that way you will be able to assess the risks related to them in a much better way.

    For instance, if you considered a power generator as an asset, through the risk assessment you might realize that it is not regularly maintained, that the people operating it are not trained, etc. - you probably wouldn't discover such information if you considered the power generator only as a control.
  • Definition of asset in ISO/IEC 27000:2014


    Answer:

    It is true that ISO 27000:2014 does not have a specific definition in clause 2 (Terms and definitions), however it does give an explanation on what assets are in clause 3.1.

    By the way, ISO 27000 uses the term "assets" very often in its text, so obviously this term is still very important for the concept of information security.
  • Asset owner for the personnel


    Answer:

    I assume you refer to "personnel" as an asset. In that case, the asset owner is the superior manager of each particular employee. For example, for an employee in the accounting department, the asset owner is the head of the accounting department.
  • Does the Impact Reduce When applying Controls

    Actually, you have hit the core of the issue with risk assessment and treatment - theoretically, the controls can reduce both the impact and the likelihood, but in 99% of the cases they will reduce only the likelihood.

    Here's an example where the control will reduce both the impact and the likelihood:

    Asset: database
    Threat: electricity outage
    Vulnerability: no alternative power source
    Control: implement UPS.

    With the implementation of an intelligent uninterruptible power supply (one that will shut down the server once its battery is almost empty), not only will the likelihood be reduced, but also the impact, because the server will be shut down in a controlled fashion, which means the database integrity will be preserved.
  • Information security policy vs. Acceptable use policy


    ISO 27001 is not very clear when it comes to this question. However, best practice is the following: the Information security policy should be a short top-level document that describes the general approach of a company towards information security; the Acceptable use policy should be a longer document describing all the security rules that are applicable to all employees.

    These articles will also help you:

    Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Licensed software in ISO 27001


    Answer:

    ISO 27001 says that you have to comply with your local laws and regulations; and I'm sure that each country in the world has laws which say that pirated versions of software are illegal.