  • Controls and Clauses Related to BYOD

    Hi Ravi

    All questions are good questions if they allow you to better understand.

    The first issue is that ISO 27001 is not the right place to look, as your question is not related to the ISMS processes but to the controls in Annex A. You need to go to ISO 27002, which explains how to implement these controls. In your situation, it is highly recommended to read ISO 27002.

    You could have a look at this blog post: ISO 27001 vs. ISO 27002 (https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/)

    1)     There are, sadly, no controls on BYOD (understood as ‘personal electronic devices brought to work’) in ISO 27002. You can’t easily control it. The explanation in clause 6.2.1 (Mobile device policy) in ISO 27002 would help you further.

    2)     The only approach from ISO 27001 is risk management and defining the adequate policy. E.g.:

    No classified information will be transmitted to and from BYOD equipment.
    The use of BYOD to take pictures, audio and video recording must be authorised by the management.
    The company will install software on mobile devices enabling it to delete the company information remotely.

    3)     The risk management approach is described in ISO 27005. The main risks are: ‘professional’ information ends up on a non-controlled device through received emails, photos, videos and audio recordings. Then: who may access this information around the user, and what if the device is lost or stolen?

    Finally, you’re right that it’s not a mandatory control. This blog post makes the point: List of mandatory documents required by ISO 27001 (2013 revision) - https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Control A.17.1.1 in ISO 27001

    disaster recovery." It's not clear to me whether Policies and Procedures and a BIA are enough, or whether something else (some kind of controls) is needed. Could you please shed some light on my doubts?

    Answer:

    Neither ISO 27001 nor ISO 27002 is very clear when it comes to business continuity. But yes - a BCM policy and a business impact analysis, but also the identification of context and interested parties, should be enough to identify all the requirements for business continuity.

    It seems to me that in your question you are referring to ISO 27002, so you should primarily read what ISO 27001 says in its clause 4.

    See also these articles:

    Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • How to become ISO certified for myself


    The most popular ISO 27001 certificates are Lead Auditor and Lead Implementer - these articles will help you learn the details:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for?  https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • CISO role


    2. What is the “Document valid as of date” in all the templates? Is this the date the template gets approved?

    Answers:

    1. ISO 27001 allows you to allocate the responsibility for security to anyone in the organisation as long as (1) he has enough authority, (2) he has sufficient independence, and (3) he has a minimum of education in security.
    This post will probably help you further: What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    2. The field ‘Valid as of date’ indicates the date from which the document and its content are applicable. It may be months after validation, for example when the organisation has to acquire and install technology or gain a specific competence.

    Best regards
  • security audit of a hypothetical supplier

    Hi Victor

    The audit should cover how the provider complies with the contract your company passed with them. Controls A15.1.1 to A15.2.2 are pertinent for the security clauses when they are included in the SOA:
    A15.1.1 Information security policy for supplier relationships;
    A15.1.2 Addressing security within supplier agreements;
    A15.1.3 Information and communication technology supply chain;
    A15.2.1 Monitoring and review of supplier services;
    A15.2.2 Managing changes to supplier services.

    Here is an article that is applicable to your situation: 6-step process for handling supplier security according to ISO 27001: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    Best regards

    Jean-Luc
  • To whom to handover confidential data in case of a disaster?


    As part of your business continuity plans, you have to define the deputies/substitutes for each and every person who performs a certain important activity. Therefore, you have to define upfront who will be responsible for managing those important files in case the persons who are normally in charge of that are unavailable.

    This article can also help you: Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Mandatory processes


    There is a crucial difference between ISO 27001 and ISO 27002. The first one is a set of requirements for an information security management system. The second one is a ‘code of practice’ with a list of controls to operate and manage information security, and it can be used without any relation to ISO 27001.

    ISO 27001 requires an audit and a system of audits. This is a mandatory procedure to make sure the ISMS still complies with the documentation and, if certified, with the certificate.

    This is not the case for ISO 27002, where the controls are to be selected through a risk management process. None is, initially, a mandatory procedure.

    ISO 27002:2013 control 12.7.1 covers the risk that an audit would disturb the business processes and operations. So the intention is completely different from the requirement in ISO 27001, and there is no reason to worry.

    The following references may help you further:
    - ISO 27001 vs. ISO 27002 (103): https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - MANDATORY DOCUMENTED PROCEDURES REQUIRED BY ISO 27001 (108): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - How to maintain the ISMS after the certification (3): https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
  • List of Legal, Regulatory, Contractual and Other Requirements


    First of all, you should list laws and regulations that are applicable to your company; if you don't have supplier contracts you should list all your partners and customers with whom you have contracts or other arrangements. You should list only those that have an influence on your information security - e.g. those with requirements on backup, access control, physical protection, etc.

    The whole point of this document is to list who is expecting what from your ISMS (i.e. interested parties and their requirements), so that you can start building the ISMS accordingly. See also this article: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • ISO 22301 Maintenance Audit requirements

    In your first question I assume you refer to surveillance visits performed by certification bodies? They won't re-audit everything, just some areas of your BCMS they think are not developed enough. See also this article: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    There is no special preparation for those surveillance visits, you just have to make sure you do everything you have written in your BCMS documentation. Here is one article that speaks about ISO 27001, but it is completely applicable to ISO 22301 as well: How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/

    Regarding the internal audit, it doesn't really matter whether it is performed internally or by an external party, as long as in this internal audit the auditor checks whether your company (1) complies with ISO 22301, and (2) complies with all the policies, procedures and plans you have written in your BCMS. This article can help you: How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Senior management does not want to spend money and resources


    Of course they won't if they do not see a reason why they should do it. See also this article: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    What level of training a Business Owner [who is in charge of many applications] is required to manage the risk in the applications with PII, with many partners?

    Answer: In my view, business owners should be trained in the following: (1) to understand why the risk assessment and treatment are important for their job, and (2) how to assess the risks (i.e. which scales to use), and (3) how to treat the risks (i.e. which options exist). See also this article: How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/

    How do I bring these Business Owners on board to manage risk in their applications?
    [Frankly, they will attest any documentation that I ask for..., without understanding the full implications; but that does not mitigate data security, especially under PII.]

    Answer: You must teach them what the benefits for their job are - once they accept this, everything else will be easier. Read this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Poor compliance (just signing the documents...) does not mitigate risks. How do I educate these sr. managers (VPs, div. heads, div. presidents, etc.)?

    Again, find the benefits of information security implementation and communicate those to your top management. This webinar will teach you the techniques: ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/