  • List of Legal, Regulatory, Contractual and Other Requirements


    First of all, you should list laws and regulations that are applicable to your company; if you don't have supplier contracts you should list all your partners and customers with whom you have contracts or other arrangements. You should list only those that have an influence on your information security - e.g. those with requirements on backup, access control, physical protection, etc.

    The whole point of this document is to list who is expecting what from your ISMS (i.e. interested parties and their requirements), so that you can start building the ISMS accordingly. See also this article: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • ISO 22301 Maintenance Audit requirements

    In your first question I assume you refer to surveillance visits performed by certification bodies? They won't re-audit everything, just some areas of your BCMS they think are not developed enough. See also this article: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    There is no special preparation for those surveillance visits, you just have to make sure you do everything you have written in your BCMS documentation. Here is one article that speaks about ISO 27001, but it is completely applicable to ISO 22301 as well: How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/

    Regarding the internal audit, it doesn't really matter whether it is performed internally or by an external party, as long as in this internal audit the auditor checks whether your company (1) complies with ISO 22301, and (2) complies with all the policies, procedures and plans you have written in your BCMS. This article can help you: How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Senior management does not want to spend money and resources


    Of course they won't if they do not see a reason why they should do it. See also this article: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    What level of training is a Business Owner [who is in charge of many applications] required to have in order to manage the risk in the applications with PII, with many partners?

    Answer: In my view, business owners should be trained in the following: (1) to understand why the risk assessment and treatment are important for their job, and (2) how to assess the risks (i.e. which scales to use), and (3) how to treat the risks (i.e. which options exist). See also this article: How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/

    How do I bring these Business Owners on board to manage risk in their applications?
    [Frankly, they will attest any documentation that I ask for... without understanding the full implications; but that does not mitigate data security, especially under PII.]

    Answer: You must teach them what the benefits for their job are - once they accept this, everything else will be easier. Read this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Poor compliance (just signing the documents...) does not mitigate risks. How to educate these senior managers (VPs, division heads, division presidents, etc.)?

    Again, find the benefits of information security implementation and communicate those to your top management. This webinar will teach you the techniques: ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • Applicability of A14 for Data Centre


    The concern is a reference to Annex A: the 14th domain of ISO 27001:2013 - System acquisition, development and maintenance.

    Can the entire controls of 14th domain be excluded from Statement of Applicability with appropriate justifying statements?

    OR

    Would certain sub-domains of the 14th domain, which do not specify application relevance and in general address 'systems', have to be included in the Statement of Applicability?

    Answer:

    You should select the controls based on 1) legal, regulatory and contractual requirements, 2) risk management activity.

    You don't say whether the A14 controls are excluded due to the rule above, or whether Application Development and Maintenance are outsourced (because you don't have the internal capability), or whether they are simply excluded from the scope for any other reason.

    In the second case, what you outsource has to be covered by the A15 controls.

    However, it sounds strange to me to certify an empty IT infrastructure. You probably have data and applications on it. A14.1 is then fully mandatory based on the rule in the first sentence.
  • ISMS and Cloud computing


    Why would you go for 27017? Are you a client or a provider (IaaS, PaaS or SaaS)?
    1) ISO 27017 isn't out yet (last CD stage). It has to be used as a complement to ISO 27002:2013 in Cloud environments, as ISO 27018 is for privacy protection in the Cloud environment (published last year).
    2) You are certified against ISO 27001, not against anything else in information security. One may use any 'reference' (s)he wants as a complement to Annex A (= ISO 27002:2013).

    You may introduce the Cloud in your scope, as more and more IT companies are doing. As a client it’s an ‘outsourced service’; as a provider it’s part of your activities with possible outsourcing of elements of the cloud.

    This article may help you: "Cloud computing and ISO 27001 / BS 25999": https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • How do we identify what are the regulatory, contractual and other requirements


    You must find a list of laws and regulations in your country that can potentially be relevant for your ISMS - you can find an unofficial list here: https://www.infosecpedia.info/laws-regulatio******************************************** For contractual obligations, you have to find all the contracts your company has made.

    The only way to find out if they are relevant to your company is to read them, or ask someone else to read them for you.

    This article can also help you: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • ISMS scope for data center


    If the data center facility is not part of your company, then you can describe that only the server + the database is part of your ISMS scope (or only the database if the server is not under your control). See also this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    The ISMS needs to be implemented by all the employees involved, not only by one person who is coordinating the ISMS implementation. Therefore, this coordinator does not need to travel to all your locations if he/she feels comfortable that local employees are doing their job properly. See also this article: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
  • 3rd party security policy vs. Information security policy for supplier relations


    Answer: ISO 27001 does not mention "3rd party security policy", so the point is:

    1) ISO 27001 requires you to make only one policy to deal with suppliers

    2) The difference between 3rd parties and suppliers is that 3rd parties could also include customers

    3) Even if you want to cover the security requirements for customers and suppliers, you can do it in one policy, you do not have to separate them.
  • Is it an NC

    I'm not sure if I understood your question well, but if the provider of training services has signed a contract with the customer in which it is obliged to comply with a certain requirement, then it must comply with it - otherwise this is a nonconformity.

    The point is, a company must comply with all of these: ISO 27001 + laws & regulations + contractual obligations + its own policies and procedures.

    This article can also help you: Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • 27001 Scope


    There might be a serious problem with this 'reduced' scope for the ISMS. Due to the need for connection with the two other sites, the reduced ISMS scope might be 'not feasible'. This decision should be reviewed and justified.

    You may consider the two other sites as 'external', but the complexity is in the close interactions 'in/out/in-out' that are continuous or at least continual. When describing the scope, you should also clearly describe what is 'in' and what is 'out'.

    When there are connections with other entities (be they from the same company or 'external') you should identify and describe the interfaces with the associated risks of information coming in and going out. Identifying the communication channels and the associated risks is also important, depending on the responsibility for protection the ISMS scope has. In your case, you have to consider both directions.

    In any case, it is easier to have all 4 locations within the scope.

    This post on the blog can also help you: Problems with defining the scope in ISO 27001: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/