  • Enterprise risk management and ISO 27001


    2. The revised standard expects to incorporate information security risk into the other enterprise-level risk framework

    Given the above two expectations, can you please elaborate how we could integrate the asset-based approach and enterprise-level risk?

    Answer:

    First of all, ISO 31000 is not mandatory for ISO 27001:2013 - see this article: ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    Second, information security risks are only a subset of enterprise risks - therefore, you cannot cover all the enterprise risks with information security risk assessment.

    Therefore, in my opinion the best solution is to use a more detailed methodology (e.g. asset based or similar) for information security risk assessment, and to use some other methodology for other risks in your company.
  • Merging internal audit and information security officer function


    As part of the ISMF, I have thought of the following representatives:
    1. IT - infrastructure, application and operations
    2. Business
    3. HR
    4. Compliance
    5. Admin
    6. Internal Control or Audit

    Answer: If by "internal control" you mean the department that is performing the internal audit, then the answer is no - the internal auditor is in a conflict of interest with the security manager, so you cannot merge those two functions. See also this article: Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

    I assume that by "ISMF" you mean a coordination body for your information security - in this case, yes - I think you have chosen a good balance of people; only I think internal audit should not be part of it - again because of the conflict of interest.
  • Design compliance plan for internal use

    Kumar, it is neither option 1 nor 2.

    You should start with assessing the risks, because the whole idea of ISO 27001 is centered on risk assessment - once you perform the risk assessment you will know exactly which kind of information security standards/policies/procedures you will need to implement. See this article for details: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    To get the support of your management you need to apply the techniques in this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    To see all the detailed steps in the implementation see this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Regarding Security Framework


    If you want to implement a security framework according to ISO 27001, you'll find the implementation steps here: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    The sections/controls you need to implement depend on the results of the risk assessment - see an explanation here: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    For better understanding of the risk treatment plan, see this article: Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Confidentiality, integrity and availability in the risk assessment


    Reading the standard it says; 6.1.2 c) Apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system

    Should I actually record the CIA or just consider each and decide on a consequence/likelihood rating?

    Answer: Neither the 2005 nor the 2013 revision of ISO 27001 requires you to assess confidentiality, integrity or availability as a separate valuation, nor do they require you to assess C, I and A separately from the impact, nor do they require you to explicitly identify the relationship between the risk and the C, I, or A. ISO 27001 simply requires you to identify the risk.

    Actually, when you look closely, loss of confidentiality, integrity and availability is nothing else but assessing the impact. Therefore, you can (a) assess the impact taking into consideration the highest loss from either C, I or A, or (b) you can assess the impact separately for C, for I, and for A.
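As an added illustration (not part of the answer above, nor Advisera's material), the Python below scores a constructed risk register both ways: option (a), one impact value per scenario taken as the highest loss across C, I and A, and option (b), a separate risk value for each property. The 0-4 ordinal scale, the "risk = likelihood x impact" formula, the acceptance threshold and the four sample scenarios are assumptions chosen for the example; ISO 27001 prescribes none of them, and the standard only requires that risks be identified and assessed with a methodology you define.

```python
"""Two ways to score impact in an ISO 27001 risk assessment (added example).

Option (a): impact = highest loss across C, I and A  -> one risk per scenario.
Option (b): impact assessed per property            -> three risks per scenario.

Assumptions (not prescribed by ISO 27001): a 0-4 ordinal scale for likelihood
and loss, risk = likelihood x impact, and "treat if risk > 8".
"""
from dataclasses import dataclass

SCALE = range(0, 5)          # assumed scale: 0 (negligible) .. 4 (critical)
ACCEPTANCE_THRESHOLD = 8     # assumed: any risk above this needs treatment


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    likelihood: int          # 0..4
    loss_c: int              # consequence if confidentiality is lost
    loss_i: int              # consequence if integrity is lost
    loss_a: int              # consequence if availability is lost

    def __post_init__(self):
        # Reject values outside the agreed scale so a typo cannot silently
        # produce an under- or over-rated risk in the register.
        for name in ("likelihood", "loss_c", "loss_i", "loss_a"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(
                    f"{self.asset}/{self.threat}: {name}={value} is outside the scale")


def impact_highest(s: RiskScenario) -> int:
    """Option (a): the impact is the highest of the three losses."""
    return max(s.loss_c, s.loss_i, s.loss_a)


def risk_option_a(s: RiskScenario) -> int:
    """Option (a): a single risk value per scenario."""
    return s.likelihood * impact_highest(s)


def risk_option_b(s: RiskScenario) -> dict:
    """Option (b): a separate risk value for C, I and A."""
    return {"C": s.likelihood * s.loss_c,
            "I": s.likelihood * s.loss_i,
            "A": s.likelihood * s.loss_a}


def treatment_needed(s: RiskScenario, threshold: int = ACCEPTANCE_THRESHOLD):
    """Return (needs_treatment_under_a, properties_driving_treatment_under_b).

    Both options reach the same yes/no decision (likelihood is common to all
    three products, so max(b) == a), but option (b) also tells you which
    property the chosen controls must protect.
    """
    under_a = risk_option_a(s) > threshold
    drivers = [p for p, r in risk_option_b(s).items() if r > threshold]
    return under_a, drivers


# Constructed sample register for the example (not taken from the page).
REGISTER = [
    RiskScenario("customer database", "SQL injection via web app", 3, 4, 2, 1),
    RiskScenario("file server", "ransomware", 3, 1, 3, 4),
    RiskScenario("public website", "defacement", 3, 0, 3, 2),
    RiskScenario("printed contracts", "theft from unlocked cabinet", 1, 3, 1, 1),
]


def summarise(register=REGISTER, threshold=ACCEPTANCE_THRESHOLD):
    """One row per scenario: (asset, threat, risk_a, risks_b, treat_a, drivers_b)."""
    rows = []
    for s in register:
        under_a, drivers = treatment_needed(s, threshold)
        rows.append((s.asset, s.threat, risk_option_a(s), risk_option_b(s),
                     under_a, drivers))
    return rows


if __name__ == "__main__":
    for asset, threat, ra, rb, under_a, drivers in summarise():
        print(f"{asset:18} {threat:28} (a)={ra:2}  (b)={rb}  "
              f"treat={under_a}  driven by {drivers}")
```

Running the script shows the practical difference the answer points at: the two options never disagree on whether a scenario needs treatment, but option (b) exposes that the SQL-injection scenario is a confidentiality problem while the ransomware scenario is an integrity and availability problem, which is the information you need when selecting controls for the risk treatment plan.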
  • ISO 22301 certification


    There is a difference between accreditation bodies and certification bodies: certification bodies issue certificates to companies, while accreditation bodies are government agencies which give approvals (accreditations) to certification bodies.

    Therefore, UKAS provides accreditations not only for ISO 9001 but also for ISO 22301 and other standards. You should check https://www.ukas.com to see which certification bodies they have accredited.

    In the United States the accreditation body is ANAB https://www.anab.org.
  • Status of controls


    ISMS manual is not a required document; however ISO 27001:2013 clause 6.1.3 d) requires you to identify the status of each control in your Statement of Applicability.

    These articles will help you:

    Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
    The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • A clarification on risk assessment/ treatment


    ISO 27001:2013 does not require you to comply with ISO 31000, nor with ISO 27005 when performing your risk assessment - basically, you have to create your own risk assessment methodology (compliant with ISO 27001) that suits your company.

    See also these articles:

    How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Interpreting the control A.8.1.1

    You'll find the answer here: https://community.advisera.com/topic/iso-27001-2013-amended-version/
  • What is cybersecurity?


    Although this distinction is not yet clearly established, I would say that cybersecurity deals only with digital information, while information security deals also with information in other media (e.g. paper).

    See also this article: What is cybersecurity and how can ISO 27001 help? https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/