
  • Managing records

    Answer: I'm not sure what exactly you would like to specify in this procedure, but ISO 27001 requires you to specify how the records are stored and protected, how changes are controlled, how long they are kept, how they are disposed of, etc. - our Procedure for Document and Record Control suggests that all these requirements are described in other policies and procedures which require the creation of certain records.
  • ISO 27001 Controls Effectiveness Measurement

    Hi Kaoutar

    You only have to implement the controls that are required by the risk assessment/treatment. (ISO 27001:2013 only lists 114 controls.)
    However, ISO 27001 doesn't require you to measure and monitor all controls. You have to decide which are important to you to achieve your business objectives and control your risks (your security objectives).

    2. The selected controls should

    - be activated

    - reach the objective they are aiming at (perform an action, reduce a risk, etc.)

    - the objectives you set should always be measurable; otherwise you never know whether they are effective.

    The metrics depend on the control. If you provide us with a couple of examples, we can give a closer answer.

    Refer to our post: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    Best regards
  • Physical security Policy

    Hi Vijay

    - CCTV is not a requirement in ISO 27001. You should implement this control when the risk assessment pushes you to it.

    - The two issues you present are not incidents, but non-conformities. An incident is 'an event that prevents you from reaching your objectives'.

    - I do not really understand what you mean by 'compensating controls' in this case. If you provide more details I'll be able to answer.

    Regards

    Jaan-Luc
  • Align IT services continuity with ISO 22301

    ISO 24762:2008 is withdrawn (see here: https://www.iso.org/standard/41532.html), so ISO 27031 is the most relevant standard now for the technology aspect of business continuity.
  • Vocabulary

    ESPAÑOL: evaluación de riesgos
    What is the difference?
    but we have another term for: ENGLISH accountability, responsible
    ESPAÑOL: responsabilidad
    What is the difference? Please, can you help me explain how to use them?"

    Answer:

    I refer here to the ISO definitions (we gathered all risk related definitions from 31000, 27000 and old 27005 in the 2WD 27005).

    1a. risk evaluation
    "process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk and/or its magnitude is acceptable or tolerable"
    NOTE to entry 3.14: Risk evaluation assists in the decision about risk treatment.
    [ISO Guide 73:2009, definition 3.7.1]
    1b. risk assessment
    "overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)"
    [ISO Guide 73:2009, definition 3.4.1]
    So, risk assessment is a 'meta-process' and risk evaluation is an activity/process that is part of risk assessment.
    2. The term 'Accountability' isn't much liked and is scarcely found in the WG1 documents. It has a much wider meaning than 'Responsibility'.
    Responsibility is a generic term associated with a role, like telling which objectives should be reached. Accountability has a 'financial and legal' aspect; if the objectives are not met, the 'responsible person' may be asked to pay in money or face a legal suit.
  • Asset owner and risk owner - how exactly are the two differentiated?

    I've received this question:
    "Regarding the 'asset owner' and 'risk owner' when it comes to people. How exactly are the two differentiated? For example - a Network Administrator. Would the asset owner be 'self' and the risk owner be 'department manager'?"
    Answer: I assume you are asking a question related to people as assets in terms of ISO 27001. For a Network Administrator, the asset owner would be his direct boss - e.g. the Head of the IT department; risk owners should be people who can resolve particular risks - e.g.:
    - risk of performing wrong activities because of non-existing rules - risk owner could be the Head of the IT department
    - risk of performing wrong activities because of lack of training - risk owner could be the Head of the HR department
    This article can also help you: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Involving the management in the BCP process

    The main issue was to involve all the management in the process. In addition, turnover and time management were challenges that needed attention.

    Can you tell me how you manage those issues?"

    Answer: If you want the management to be involved in your process, they must see clear benefits - otherwise, they won't go along. This article can help you: ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/

    Regarding time management, it is crucial that you set your project properly - this article can help you (it is applicable to ISO 22301 as well): ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
  • ISO27001 Risk Register

    We have received this question: "I'm preparing the risk register. Let's take the asset "firewall", the threat "hackers"; there would be a lot of vulnerabilities associated with this threat (improper access rights, misconfiguration, lack of rule base audit, etc.). But I have seen risk registers with one threat where they write only one vulnerability. Please provide your inputs regarding this query."

    Answer: Risks are better expressed in terms of scenarios: « this happens to that element under these circumstances and causes this level of damage ». Each asset can have several threats that in their turn have several vulnerabilities. So we recommend, for a comprehensive risk registry, to have one line per vulnerability and one group of vulnerabilities per threat.

    If a register only shows one threat or vulnerability for each asset, it's probably because the risk manager has, after analysis, only kept 'the worst case'. An auditor should accept everything you included in your risk registry, but you will have to explain what you did to arrive at this registry and how you did it. It's 'your' security that counts, not the way the auditor thinks it is.

    Note: The 'Asset-Threat-Vulnerability' method is only one possible approach for risk analysis.
  • Access control

    Answer: The system owner, be it business or IT, has to define the access rights for users and approve how this will be implemented. There is, however, no team needed for this task.

    The person defining and assigning the access rights should make sure segregation of duties is achieved between 1) the person(s) who perform the activity and 2) the person who verifies whether the rules were complied with.
  • Question regarding the procedure for document and record control

    I'll have to answer in 3 parts:
    1) There are a couple of mandatory documents and records which must be controlled within your ISMS - you can see this list of documents in this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    2) The documents from your customer projects do not have to be controlled as ISMS documents - you can define your own rules, which can be different from ISMS document control rules.
    3) Classification and labeling is not a mandatory control (although in practice it is highly recommendable); you have to perform it only if you have contractual or regulatory requirements and/or if you have unacceptable risks. You can apply classification and labeling both to the documents that must be controlled and to documents that are not controlled within your ISMS - the scope of classification and labeling is something you have to define on your own. This article can also help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/