Search results

  • Information security policy vs. Acceptable use policy


    ISO 27001 is not very clear when it comes to this question. However, best practice is the following: the Information security policy should be a short top-level document that describes the general approach of a company towards information security; the Acceptable use policy should be a longer document describing all the security rules that are applicable to all employees.

    These articles will also help you:

    Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Licensed software in ISO 27001


    Answer:

    ISO 27001 says that you have to comply with your local laws and regulations; and I'm sure that each country in the world has laws which say that pirated versions of software are illegal.
  • Information and Classification Policy


    Yes, ISO 27001 allows you to use any classification levels you find appropriate.

    Example: "client confidential" covers client data contained in or created using our application software or custom reports created with database tools, email communications with clients, etc. Is this kind of classification acceptable?

    Answer: You should not prescribe the classification levels for particular information in advance - asset owners should decide on classification levels once they assess the confidentiality of particular information in question.

    It would be a bit of a complication to label some of the information, so is it acceptable to prescribe that they are not labeled? Just to believe that awareness would be enough?

    Answer: Theoretically this is possible, but it is not really recommendable. The problem is the following: if you prescribe that all the information is classified if unlabeled, then you are always in danger that someone did not know about this rule.

    Should we classify information by the most important one from the group? For most of the contracts with clients there is the same level of confidentiality, but there are always a couple of them which are super, top-level confidential. Should we, because of this, classify all the contracts as top-level confidential?

    Answer: Probably the best approach in this situation is to classify different contracts with different levels of confidentiality.

    By the way, this article will help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Policy Version Control

    For your Information security incident management policy I think it would be better to continue from the old version number. This is because your policy is not a new one; it has continuity from the old policy that existed before the merger with the QMS document.
  • Difference between clauses 5.1.e and 6.1.1.a of ISO 27001:2013


    Answer:

    Both clauses you refer to have the same text, however clause 5.1 e) refers to the responsibilities of the top management, while clause 6.1.1 a) refers to anyone who performs the planning of the ISMS.
  • Interpretation of A.14.2 : Security in development and support processes

    Sub-section A.14.2 (Security in development and support processes) applies to any kind of development: software or another type. However, the controls in this sub-section suggest that this development must be related to information systems. So you might have some kind of development of new products in your systems which does not require any software development.
  • ISO 27001 Implementation

    You'll find 2 case studies about the ISO 27001 implementation here:

    ISO 27001 Case Study – Lessons Learned from ISO 27001 Implementation https://advisera.com/27001academy/blog/2012/03/12/lessons-learned-from-iso-27001-implementation/
    ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
  • A question about asset inventory


    Yes, the inventory of assets is a mandatory document (provided that you selected control A.8.1.1 as applicable). The asset inventory can be in the form of an Excel sheet, or a software/database; you can select the form that suits you best. It does not have to be signed by the top management.

    See also this article: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Taking into account the existing controls during the risk assessment


    Answer:

    Yes, when you assess the impact and the likelihood, you have to take into account the existing controls. In such cases, in the column "Existing controls" you can fill in just a plain description of the control, without referring to ISO 27001 or ISO 27002.
  • Certificate validation


    Answer:

    The ISO website has nothing to do with the certificates issued to companies; the purpose of ISO is only to publish the standards.

    You should check whether your certification body has the license to issue certificates, i.e. you have to check whether they have the accreditation issued by your local accreditation body (this is usually a government agency). For example, the accreditation body in the United Kingdom is UKAS.