
  • ISO 27001 risk methodology and corporate guidelines according to ISO 31000


    Whether you will need to change your information security risk assessment methodology depends on what you write in your enterprise risk management (ERM) documents (per ISO 31000). So if your corporate ERM documents allow greater freedom for risk management in particular areas, then you probably won't have to change your ISO 27001 risk methodology, and vice versa.

    See also this article: ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Context of the organization in ISO 27001

    Yes, you are right, it is not necessary to have a document for clause 4.1, but the auditor can request evidence of implementation from you. If you want to know the list of mandatory documents of the standard, please see this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Difference between A.8.1.3 and A.8.2.3


    A.8.1.3 is a general control aiming at rules for acceptable use of assets - those rules can range from physical protection of the laptop all the way to password complexity. See a note about the Acceptable Use Policy in this article: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    A.8.2.3 is a control where you have to describe the protection of your information assets based on classification. The general principle is: the higher the classification level, the more protection you need. See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Sharing a server cabinet - is this compliant with ISO 27001?


    ISO 27001 does not mention anything about sharing a server cabinet; however, it does require you to assess the risks and apply appropriate controls.

    In other words, if you share a server cabinet with a business unit that is not within the scope of your ISO 27001 implementation, you have to treat such a business unit as an external party, and regulate your relationship with them through an agreement. See also this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    Therefore, if you resolve this situation with a strict agreement with this business unit, you will still be compliant with ISO 27001.
  • ISO 27001 Risk Management


    The problem is: does there need to be a clear link between a particular risk and a particular Annex A control? I mean, can each Annex A control (if we choose to implement it) be tracked down to a particular risk? And if that is the case, then what kind of risks lead us to controls such as A.5.1.1, A.5.1.2?

    Answer:

    Yes, it is necessary to link particular risks with controls from Annex A because you have to show this relationship in the Statement of Applicability (clause 6.1.3 d) - you have to provide justification for inclusions of particular controls.

    Regarding A.5.1.1 (Policies for information security) - basically you can select this control for any risk that is related to organizational issues; A.5.1.2 (Review of the policies for information security) - you can select this control whenever you have a risk related to documentation that is not updated.
  • Difference Between ISO 22301 & ISO 22316


    ISO 22316 is not published yet - currently its status is "Under development" - see the official ISO website here: https://www.iso.org/standard/50053.html
    It is difficult to say what the standard will contain before it reaches the "DIS" status (the official draft).
  • Recertification or surveillance audit?

    1. We have moved into a new location and
    2. We have a new name as well.

    We were due for a surveillance audit in March 2015. Should we get re-certified, or is a surveillance audit good enough for us?

    Answer:

    If your main business remained the same, I think you can go with your surveillance audit as planned, and go for the re-certification only once your certificate expires.

    However, you should consult with your certification body before the surveillance audit begins.
  • Annex SL Implementation for ISO 27001:2013


    Annex SL is not required for the implementation of ISO 27001; you can see the steps in the ISO 27001 implementation here: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    However, Annex SL could be useful if you want to implement ISO 27001 together with some other standard like ISO 9001 or ISO 22301 - this article will explain the details to you: Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/

    Also, this webinar may help you: ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • ISO 27001 Exam


    There are many courses and exams related to ISO 27001, so I'm not sure which one you refer to - see all the courses here: How to learn about ISO 27001 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/

    If you're asking about the Lead Auditor Course, this webinar will help you: ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/
  • Cyber Security - ISO 27001

    I have downloaded a copy of your book – 9 Steps to Cybersecurity – excellent reading.

    Answer:

    This is correct, cyber security is not explicitly mentioned in ISO 27001 nor ISO 27002. And you are correct, the IT controls you mentioned should be used to protect your information systems from cyber threats. However, as I mentioned in my book 9 Steps to Cybersecurity, IT security is not going to be enough - other organizational controls, as well as human resources management controls (e.g., training & awareness) are also needed.

    This article may also help you: What is cybersecurity and how can ISO 27001 help? https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/