
  • ISO27001 Risk Register

    We have received this question: "I’m preparing the risk register. Let’s take the asset as "firewall" and the threat as hackers; there would be a lot of vulnerabilities associated with this threat (improper access rights, misconfiguration, lack of rule base audit, etc.). But I have seen risk registers with one threat where they write only one vulnerability. Please provide your inputs regarding this query."

    Answer: Risks are better expressed in terms of scenarios: « this happens to that element under these circumstances and causes this level of damage ». Each asset can have several threats that in their turn have several vulnerabilities. So we recommend, for a comprehensive risk registry, to have one line per vulnerability and one group of vulnerabilities per threat. If a register only shows one threat or vulnerability for each asset, it’s probably because the risk manager has, after analysis, only kept ‘the worst case’. An auditor should accept all that you included in your risk registry, but you will have to explain what you did to come to this registry and how you did it. It’s ‘your’ security that counts, not the way the auditor thinks it is. Note: The ‘Asset-Threat-Vulnerability’ method is only one possible approach for risk analysis.
  • Access control


    Answer: The system owner, be it business or IT, has to define the access rights for users and approve how this will be implemented. There is, however, no team needed for this task.

    The person defining and assigning the access rights should make sure segregation of duties is achieved between 1) the person(s) who performs the activity and 2) the person who verifies if the rules were complied with.
  • Question regarding the procedure for document and record control


    I'll have to answer in 3 parts:
    1) There are a couple of mandatory documents and records which must be controlled within your ISMS - you can see this list of documents in this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    2) The documents from your customer projects do not have to be controlled as ISMS documents - you can define your own rules, which can be different from ISMS document control rules.
    3) Classification and labeling is not a mandatory control (although in practice it is highly recommendable), you have to perform it only if you have contractual or regulatory requirements and/or if you have unacceptable risks. You can perform classification and labeling to both the documents that must be controlled, and to documents that are not controlled within your ISMS - the scope of classification and labeling is something you have to define on your own. This article can also help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • ISO 22301 and ISO 31000


    Answer: ISO 22301 and ISO 31000 are not very similar. ISO 31000 gives you the guidelines to develop a risk management system for any type of risk on a corporate level. ISO 22301 defines the requirements for developing business continuity, including the business continuity policy, business impact analysis, business continuity strategy, planning, and much more. However, these two standards are very compatible: ISO 31000 provides guidelines for risk assessment, which is required in ISO 22301 but not covered in detail there.

    2. What are the pitfalls of developing a basic BCMP first (incl identifying the biggest risks and associated action plans & crisis recovery process & procedures), and then developing a full blown BCMS & pursue certification second?  Background: our company is ISO9001 and RC14001 certified already.

    Answer: I'm not sure what you mean by "BCMP", but I assume you refer to the BCP (Business Continuity Plan). The pitfall of developing the BCP without the BCMS is that you won't have the management part of your business continuity: management support, defining requirements, setting the objectives, providing resources, controlling documents, measuring success, etc. In other words, you would have business continuity that would probably be set completely out of context, with no understanding from the business side and no way to control it.

    So if you develop your BCP first, and then the rest of the BCMS, chances are you would have to redo the whole BCP again.
  • Question on clause 9


    As far as I understand, we have to select a few areas (of our choice and appropriate to the bank's business) like BCP, incident management, document review, etc. Then we need to assign some statistical parameters to evaluate the efficiency (in terms of success/failure %). Finally, we periodically analyze the results to get a trend or the efficiency of implementation.

    However, I wanted an expert's advice on all points of "Clause 9.1 Monitoring, measurement, analysis and evaluation" so that nothing is missed during the external audit. If you can explain it to me in detail and help me with any working paper, I would be grateful to you.

    Answer: If you are certified, all the ISMS processes should be monitored and measured (and continually improved), along with the most important controls (the ones that counter the highest risks) or those that are ‘required’ by your national (bank) regulatory entity. The ones you propose are possible candidates, if they meet these conditions. If not, you’re wasting your time and money.

    Until now, ISO hasn’t provided much usable input for this. It is expected that this will rapidly change. The objective of the (future) ISO 27004 will be to help organisations to a) monitor and measure information security, b) monitor and measure the effectiveness of the management system and its processes, and c) analyse and evaluate the results. The current draft could become a CD in October and be published by the end of 2015 or the beginning of 2016.

    You should find more input in this seminar: ISO 27001 and ISO 27004: How to measure the effectiveness of information security?
    https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
  • Risks of external email service provider


    I'm not sure what this external email service provider is doing for you, but I assume they are sending emails to certain email lists on your behalf.

    The risks I see are the following:
    1) They could sell your email list to someone else
    2) They could send your emails to wrong people
    3) They could delay sending emails or not send emails at all

    I'm not sure what the impact of these risks would be for your company; this is something you would have to assess on your own.

    This might also help you: A catalogue of threats and vulnerabilities: https://www.infosecpedia.in**************************
  • Should all applicable controls from Annex A to be fully implemented by the time


    Answer: The ideal situation would be to implement all the controls marked as applicable in the Statement of Applicability prior to the certification audit.

    You could leave less significant controls to be implemented after the certification, under the following conditions: (1) plan their implementation in the Risk Treatment Plan, and (2) accept all the residual risks that were not decreased. There is no magic number for the proportion of controls that must be implemented, and it is at the certification auditor's discretion to raise a non-conformity in such cases. Therefore, to be safe, you should implement the majority of controls prior to the certification audit and make sure you implement all the most important ones.
  • ISO 27001:2013


    The process you have set in place seems pretty systematic, but the auditor will look at the results, not the process itself. So, for example, the auditor will check if risk owners are nominated for each risk (this is something that is new in the 2013 revision); he won't care how you made this transition.

    These articles will also help you:

    How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
    What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • 2005 revision deadline


    To be honest, I'm not sure how the certification body will react in this case, but basically I agree with your consultant: certification bodies should not issue certificates according to the 2005 revision after September 2014. The best course of action here would be to contact your certification body and ask them about their approach.

    Since you will eventually need to transition to the 2013 revision, here are the steps you'll need to take: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Minimum of three months for records for certification audit


    It is true that ISO 27001 does not require a minimum period of records (i.e. a minimum period of ISMS operation before the certification); however, some certification bodies do have such requirements and some don't. Therefore, you should speak to the certification body you have chosen and see what criteria they have.

    This article may also help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/