
  • ISMS for scratch card manufacturing unit


    ISO 27001 is not prescriptive, which means that this standard doesn't tell you which controls you must or must not apply depending on the industry you're in. What this standard does tell you is that you must assess the risks that are related to your particular situation, and then decide which controls to implement and which to exclude. See also this article: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Therefore, ISO 27001 is quite different from PCI DSS, which is prescriptive. If your business is related to the payment card industry, then PCI DSS will provide much more precise guidelines for security controls.
  • Logs management

    In a company, the policy mentions log management, but in practice there is no log management system.
    At the webinar you answered that everything will be recorded on the server. But the problem is that in this organisation there is no server.
    There are only workstations: 160 systems functioning as a workgroup only.
    Each and every system contains its own logs. What to do in this situation? Is it an NC? If it is an NC, is it major or minor?
    Their core business is SDLC and BPO; there are no logs there either.

    Answer:

    The key question here is: Do you need logs at all? Your risk management process will give you the answer. This article can help you:

    However, logs are an essential way to register what happens so that you can come back to them when needed. Centralising the logs makes it easier to read and analyse them without impacting operations.

    Analysing logs requires accessing them first, and requires time and expertise to understand their encoding and to discover the trends that the data hide. Most of the time using a specific tool is helpful. Doing it with a server allows you 1) to gather all logs in one single place, 2) to use one single tool and 3) to use the server time and not the workstation time, even if the analysis is done in backlog (outside working time, potentially detecting issues too late to react adequately) or as a ‘backstage’ application. You then save time and the cost of the analysis tools.

    These blog posts can probably help you further:
    “The basic logic of ISO 27001: How does information security work?”: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    “Risk assessment tips for smaller companies”: https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/
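The answer above argues for collecting the 160 workstations' logs in one place, stamping them with the collector's clock rather than each workstation's, and analysing them with one tool. The following is an added example, not code from the original post or from Advisera: a minimal central collector in Python that ingests constructed log lines from three workstations, records the collector's receive time next to the workstation's own timestamp, flags hosts whose clocks are skewed, merges everything into one timeline, and runs one simple detection (a burst of failed logons per host). The line format `host|local_ts|level|message`, the 2-minute skew tolerance, the burst threshold and every sample line are assumptions made for the example.

```python
"""Minimal central log collector for a workgroup without a server.

Added example, not part of the original post. Assumptions: each workstation
ships its log lines to one collector host as "host|local_ts|level|message"
(a constructed format), all clocks are nominally UTC, and the sample lines
below are constructed, not real logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Tolerated difference between a workstation clock and the collector clock
# before the host is flagged (assumption for the example).
MAX_SKEW = timedelta(minutes=2)


@dataclass
class Record:
    host: str
    local_ts: datetime   # timestamp written by the workstation
    server_ts: datetime  # time the collector received the line
    level: str
    message: str
    skew: timedelta      # server_ts - local_ts; large values mean a bad clock


def parse_line(line: str, received_at: datetime) -> Record:
    """Parse one shipped line and attach the collector's receive time."""
    host, ts, level, message = line.split("|", 3)
    local_ts = datetime.strptime(ts, FMT)
    return Record(host, local_ts, received_at, level, message, received_at - local_ts)


def ingest(samples):
    """Parse (line, receive_time) pairs and order them by the collector clock,
    so analysis does not depend on 160 independent workstation clocks."""
    records = [parse_line(line, datetime.strptime(rx, FMT)) for line, rx in samples]
    records.sort(key=lambda r: r.server_ts)
    return records


def skewed_hosts(records, max_skew=MAX_SKEW):
    """Hosts whose reported time differs from the collector time by more than
    max_skew, with the worst observed skew per host."""
    worst = {}
    for r in records:
        if abs(r.skew) > max_skew:
            prev = worst.get(r.host)
            if prev is None or abs(r.skew) > abs(prev):
                worst[r.host] = r.skew
    return worst


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` FAIL records inside any `window`,
    measured on the collector clock (sliding window per host)."""
    by_host = {}
    for r in records:
        if r.level == "FAIL":
            by_host.setdefault(r.host, []).append(r.server_ts)
    hits = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(host)
                break
    return sorted(hits)


def timeline(records):
    """One merged, human-readable timeline ordered by collector time."""
    return [f"{r.server_ts:%H:%M:%S} {r.host} {r.level} {r.message}" for r in records]


# Constructed sample input: (line as sent by the workstation, collector receive time).
SAMPLE = [
    ("WS-01|2024-03-01 09:00:05|INFO|logon ok user=alice",     "2024-03-01 09:00:06"),
    ("WS-02|2024-03-01 08:45:10|INFO|logon ok user=bob",       "2024-03-01 09:00:10"),  # clock 15 min slow
    ("WS-03|2024-03-01 09:01:00|FAIL|logon failed user=admin", "2024-03-01 09:01:01"),
    ("WS-03|2024-03-01 09:01:30|FAIL|logon failed user=admin", "2024-03-01 09:01:31"),
    ("WS-03|2024-03-01 09:02:00|FAIL|logon failed user=admin", "2024-03-01 09:02:01"),
    ("WS-01|2024-03-01 09:03:00|FAIL|logon failed user=alice", "2024-03-01 09:03:01"),
    ("WS-02|2024-03-01 08:49:00|INFO|logoff user=bob",         "2024-03-01 09:04:00"),
]

if __name__ == "__main__":
    recs = ingest(SAMPLE)
    print("\n".join(timeline(recs)))
    print("skewed hosts:", {h: str(s) for h, s in skewed_hosts(recs).items()})
    print("failed-logon bursts:", failed_logon_bursts(recs))
```

Sorting on the collector's receive time is what lets the WS-02 events, whose own clock is 15 minutes slow, fall into the right place in the merged timeline; the same skew report is also the evidence an auditor would expect if the policy claims logs are reliable.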
  • All the controls for development , maintenance , support

    Afef,

    This is primarily the question of setting the ISMS scope. If your scope covers only the systems you develop and maintain internally, then the controls from Annex A have to apply only to those systems; if you include in your scope also the products you deliver to your customers, then the controls must cover them as well.

    If you include in the scope the products you deliver to your customers, then you have to assess all the risks related to information contained in those products, and then you have to apply applicable controls.

    This article will explain to you the logic of risk assessment and applying controls: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Risk Assessment Methodology

    Antoin,

    Here are the answers:

    1) Yes, this is a classic approach to risk assessment methodology, completely acceptable under ISO 27001; additionally you need to identify the risk owners as well. See also this article: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    2) ISO 27001 does not require you to make separate assessments of the impact on confidentiality, integrity and availability (in such a case the highest value is your impact) - however you can separate them if you want your assessment to be more precise. Usually it is financial institutions that take this more detailed approach to risk assessment.
  • Communication Plans

    What is necessary for them?

    Answer:

    There are two sides to your question: one related to the ‘internal’ and one to the ‘external’ communication plan.

    The internal communication plan concerns how the top management disseminates its requirements and objectives through policies.

    -       clause 5.1.d requires that the organisation communicate the importance of effective information security and of compliance with the requirements set in the policy

    -       clause 5.2.f requires the policy to be communicated within the organisation.

    Clause 7.4 (Communication) is the most explicit in answering your question as it insists on defining who, on what, to whom, when and how.

    Clause 7.4 also refers to external communication which is a control covered by ISO 27002 in clauses 16 and 17 dealing with ‘Management of information security incidents and improvements’ and ‘Information security aspects of business continuity management’ (controls A.16.x and A.17.x in ISO27001 Annex A).

    An external communication plan is a reactive control in case of incident, to inform the targeted interested parties about the nature of the event and the measures you are taking to solve it in the shortest time. This communication plan has to be prepared in advance to transmit a message of the organisation’s preparedness.

    So the internal and external communication plans should contain:

    -       Who is responsible for organising and operating the communication plan,

    -       What is the object and the messages contained: policy, requirements, procedures, security awareness, incident warning, etc.

    -       Who will receive what message,

    -       When you will communicate and under which conditions,

    -       How the communication should happen: type of communication (mails, screen saver, web page, flyers, etc.) and communication protocols.
  • ISO 27001 how to assign risk value


    1) ISO 27001:2005 does not require risk value to be assigned to asset risk - this standard requires impact to be one of the factors that determines the level of risk.

    2) ISO 27001:2013 does not require risk value to be assigned to owner of the asset risk - this standard also requires impact to be one of the factors that determines the level of risk.

    These articles will help you understand these issues:

    How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
    What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • Controls and Clauses Related to BYOD

    Hi Ravi,

    All questions are good questions if they allow you to better understand.

    The first issue is that ISO 27001 is not the right place to look, as your question has no relation to the ISMS processes, but to the controls in Annex A. You need to go to ISO 27002, which explains how to implement these controls. In your situation, it is highly recommended to read ISO 27002.

    You could have a look at this blog post: ISO 27001 vs. ISO 27002 (https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/)

    1)     There are, sadly, no controls on BYOD (understood as ‘personal electronic devices brought to work’) in ISO 27002. You can’t easily control it. The explanation in clause 6.2.1 (Mobile device policy) in ISO 27002 will help you further.

    2)     The only approach from ISO 27001 is risk management and defining the adequate policy. E.g.:

    No classified information will be transmitted to and from BYOD equipment.
    The use of BYOD to take pictures, audio and video recording must be authorised by the management.
    The company will install software on mobile devices enabling it to delete the company information remotely.

    3)     The risk management approach is described in ISO 27005. The main risks are: ‘professional’ information ends up on a non-controlled device through received emails, photos, videos and audio recordings. Then: who may access this information around the user, and what if the device is lost or stolen?

    Finally, you’re right that it’s not a mandatory control. This blog post makes the point: List of mandatory documents required by ISO 27001 (2013 revision) - https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Control A.17.1.1 in ISO 27001

    disaster recovery." It's not clear to me if its enough with Polices and Procedures and BIA, or is needed something else (some kind of controls), Could please put some light in my doubts?

    Answer:

    Neither ISO 27001 nor ISO 27002 is very clear when it comes to business continuity. But yes - a BCM policy and a business impact analysis, but also identification of the context and interested parties, should be enough to identify all the requirements for business continuity.

    It seems to me that in your question you are referring to ISO 27002, so you should primarily read what ISO 27001 says in its clause 4.

    See also these articles:

    Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
  • How to become ISO certified for myself


    The most popular ISO 27001 certificates are Lead Auditor and Lead Implementer - these articles will help you learn the details:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for?  https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • CISO role


    2. What is the “Document valid as of date” in all the templates? Is this the date the template gets approved?

    Answers:

    1. ISO 27001 allows you to allocate the responsibility for security to anyone in the organisation as long as (1) he has enough authority, (2) he has sufficient independence, and (3) he has a minimum of education in security.
    This post will probably help you further: What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    2. The field ‘Valid as of date’ indicates the date from which the document and its content are applicable. It may be months after validation, for example when the organisation has to acquire and install technology or gain a specific competence.

    Best regards