
  • Security Policy Information


    Yes, you are correct - if you reviewed the policy and no changes were needed, then there is no need to republish such a document. This is basically true for any of your policies and procedures.

    However:

    1) I find it quite difficult to believe there would be nothing to change in a document after a one-year period.

    2) Even if there is absolutely nothing to change, you should have some kind of a record that a particular person has reviewed the policy and that the conclusion is that no changes were needed - this could also be done through email.

    By the way, the 2005 revision of ISO 27001 is not valid any more - currently the 2013 revision of ISO 27001 is published, but basically the requirements about reviewing the policies and procedures remained the same. See also: A first look at the new ISO 27001 (2013 draft version) https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
  • Business Continuity Question


    I'm not really sure what is required by SOC 2, but in ISO 22301 the Business continuity policy has a very different function from the Business continuity plan, and therefore these two documents are normally separated.

    However, merging those two documents is not forbidden in ISO 22301 - therefore you could theoretically do it although it would be a bit strange and impractical.

    See also this article: The purpose of Business continuity policy according to ISO 22301 https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
  • Need guidance on IT Sec


    These articles can help you:

    How to learn about ISO 27001 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
    What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

    Regarding online classes, you can take a look at our live online trainings via webinar: https://advisera.com/27001academy/webinars/
  • Do we need to document each control?


    You do not need to document each control - otherwise you would end up with numerous documents which would become an overkill for you. For instance, you could choose backup as applicable control, and define in the SoA that you will perform backup every 24 hours, but you do not need to write a policy or a procedure for it.

    Click here to see which documents are mandatory: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Why write policies before the risk assessment


    You need to define the scope before your risk assessment, because you need to know for which areas/departments of your company you need to perform the risk assessment.

    Regarding policies, you will write only the top-level Information security policy before the risk assessment, all the other policies you need to write after the risk assessment.

    See also this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Enterprise risk management and ISO 27001


    2. The revised standard expects to incorporate the information security risk with the other enterprise-level risk framework.

    Given the above two expectations, can you please elaborate how we could integrate the asset-based approach and enterprise-level risk?

    Answer:

    First of all, ISO 31000 is not mandatory for ISO 27001:2013 - see this article: ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    Second, information security risks are only a subset of enterprise risks - therefore, you cannot cover all the enterprise risks with information security risk assessment.

    Therefore, in my opinion the best solution is to use a more detailed methodology (e.g. asset-based or similar) for information security risk assessment, and use some other methodology for other risks in your company.
  • Merging internal audit and information security officer function


    As a part of ISMF, I have thought of the following representatives:
    1. IT - infrastructure, application and operations
    2. Business
    3. HR
    4. Compliance
    5. Admin
    6. Internal Control or Audit

    Answer: If by "internal control" you mean the department that is performing the internal audit, then the answer is no - internal auditor is in a conflict of interest with the security manager, so you cannot merge those two functions. See also this article: Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

    I assume that by "ISMF" you mean a coordination body for your information security - in this case, yes - I think you have chosen a good balance of people; only I think Internal audit should not be a part of it - again because of conflict of interest.
  • Design compliance plan for internal use

    Kumar, it is neither option 1 nor 2.

    You should start with assessing the risks, because the whole idea of ISO 27001 is centered on risk assessment - once you perform the risk assessment you will know exactly which kind of information security standards/policies/procedures you will need to implement. See this article for details: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    To get the support of your management you need to apply the techniques in this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    To see all the detailed steps in the implementation see this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Regarding Security Framework


    If you want to implement security framework according to ISO 27001, you'll find the implementation steps here: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    The sections/controls you need to implement depend on the results of the risk assessment - see an explanation here: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    For better understanding of the risk treatment plan, see this article: Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Confidentiality, integrity and availability in the risk assessment


    Reading the standard it says; 6.1.2 c) Apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system

    Should I actually record the CIA or just consider each and decide on a consequence/likelihood rating?

    Answer: Neither 2005 nor 2013 revision of ISO 27001 require you to assess confidentiality, integrity or availability as a separate valuation, nor do they require you to assess C, I and A separately from the impact, nor do they require you to explicitly identify the relationship between the risk and the C, I, or A. ISO 27001 simply requires you to identify the risk.

    Actually, when you look closely, loss of confidentiality, integrity and availability is nothing else but assessing the impact. Therefore, you can (a) assess the impact taking into consideration the highest loss from either C, I or A, or (b) you can assess the impact separately for C, for I, and for A.
