  • ISMS scope for data center


    If the data center facility is not part of your company, then you can describe that only the server + the database is part of your ISMS scope (or only the database if the server is not under your control). See also this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    The ISMS needs to be implemented by all the employees involved, not only by one person who is coordinating the ISMS implementation. Therefore, this coordinator does not need to travel to all your locations if he/she feels comfortable that local employees are doing their job properly. See also this article: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
  • 3rd party security policy vs. Information security policy for supplier relations


    Answer: ISO 27001 does not mention "3rd party security policy", so the point is:

    1) ISO 27001 requires you to make only one policy to deal with suppliers

    2) The difference between 3rd parties and suppliers is that 3rd parties could also include customers

    3) Even if you want to cover the security requirements for customers and suppliers, you can do it in one policy, you do not have to separate them.
  • Is it an NC

    I'm not sure if I understood your question well, but if the provider of training services has signed a contract with the customer where it has obliged to comply with certain requirements, then it must comply with them - otherwise this is a nonconformity.

    The point is, a company must comply with all of these: ISO 27001 + laws & regulations + contractual obligations + its own policies and procedures.

    This article can also help you: Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • 27001 Scope


    There might be a serious problem with this ‘reduced’ scope for the ISMS. Due to the need for connexion with the two other sites, the reduced ISMS scope might be ‘not feasible’. This decision should be reviewed and justified.

    You may consider the two other sites as ‘external’, but the complexity is in the close interactions ‘in/out/in-out’ that is continuous or at least continual. When describing the scope, you should also clearly describe what is ‘in’ and what is ‘out’.

    When there are connections with other entities (be they from the same company or ‘external’) you should identify and describe the interfaces with the associated risks of information coming in and going out. Identifying the communication channels and the associated risks is also important, depending on the responsibility for protection the ISMS scope has. In your case, you have to use both directions.

    In any case, it is easier to have all the 4 locations within the scope.

    This post on the blog can also help you: Problems with defining the scope in ISO 27001: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • ISO 27001 / Planned intervals

    Management review must be performed at least once a year.

    By the way, if your top management doesn't care at all about your information security, then you have a serious problem - therefore, a management review shouldn't be just another compliance job, but a serious consideration from the management point of view on how your security is performing.

    This article can also help you: Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
  • Context and scope of the ISMS / ISO 27001 v 2013

    So we would suggest you avoid the risk analysis or any deep consideration of ‘what if’ at this stage and concentrate on identifying the issues. Personal data, sensitive customer ideas and IPR, financial information, brand, codebases etc.? Therefore consider any existing issues of: recruitment e.g.
  • On-line transactions


    Answer:

    1. Transactions (e.g. financial) are one of the types of services, but the standard does not focus on them. One may of course only think about that, but why narrow the scope of application services and forget issues? I don’t think any list will be exhaustive.
    Other transactions can be any ‘direct exchange of data’, such as credentials for requesting access to a distant system, answers to an on-line poll or survey, uploading files to a cloud server, etc.

    2. However, ISO27001:2013 (and ISO 27002:2013 that provides the details of Annex A) doesn’t speak about this anymore and largely widens the scope of this control. It relates to all kinds of applications and services that pass over the public service.

    Please remember that the title of the clause is ‘System acquisition, development and maintenance’.
    Some examples of application services: Games, Streaming videos, E-learning, On-line registration and acquisitions, Telephony services, Establishing and managing a radio communication between a control tower and an aircraft.

    Best regards

    Jean-Luc
  • Managing records


    Answer: I'm not sure what exactly you would like to specify in this procedure, but ISO 27001 requires you to specify how the records are stored and protected, how the changes are controlled, how long they are kept, how they are disposed of, etc. - our Procedure for Document and Record Control suggests that all these requirements are described in other policies and procedures which require the creation of certain records.
  • ISO 27001 Controls Effectiveness Measurement

    Hi Kaoutar

    You only have to implement the controls that are required by the risk assessment/treatment. (ISO27001:2013 only lists 114 controls).
    However, ISO 27001 doesn’t require you to measure and monitor all controls. You have to decide which are important to you to achieve your business objectives and control your risks (your security objectives).

    2. The selected controls should

    - be activated

    - reach the objective they are aiming at (perform an action, reduce a risk, etc.)

    - the objectives you set should always be measurable, otherwise you never know whether they are effective.

    The metrics depend on the control. If you provide us with a couple of examples, we can give a closer answer.

    Refer to our post: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    Best regards
  • Physical security Policy

    Hi Vijay

    - CCTV is not a requirement in ISO 27001. You should implement this control when the risk assessment pushes you to it.

    - The two issues you present are not an incident, but a non conformity. An incident is 'an event that prevents you from reaching your objectives'.

    - I do not really understand what you mean by 'compensating controls' in this case. If you provide more details I'll be able to answer.

    Regards

    Jean-Luc