You have to assess the impact of risks to confidentiality, integrity and availability of your information - this is part of the risk assessment process. As part of this process you can also identify the assets, but this is not mandatory.
Answer: In section A.12.1 of ISO 27001 you'll find the following objective: "To ensure correct and secure operations of information processing facilities." Further, when you read each control in A.12 you'll see they are very IT oriented.
Question about ISO 27002
You don't have to use ISO 27002. ISO 27002 is only a set of guidelines that are not mandatory; you only have to comply with what is written in ISO 27001. You'll find a more detailed explanation here: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Which assets to assess during the risk assessment
If all of these 500 applications are within the ISMS scope, they have to assess all of them. However, if you have similar applications then you do not have to perform risk assessment for each of them separately - you can treat all similar applications as a single asset during the risk assessment process.
Alternatively, you can go for certifications like CISSP and CISM - they are not related to ISO 27001.
2. I am due to go on a foundation course and then the Lead Implementer course, and then next year do my Lead Auditors course. Do you think this is the right way to go?
ISO 27001:2013 A.14.1.3 - Protecting application service transactions
It can also apply to financial transactions (between banks, or between an entity and a bank), database transactions (for example, two databases that are synchronizing information over the Internet), and generally any transaction that involves the interchange of information through a network between two applications (think also of an ERP that is connected with an external site where it sends or receives information).
If a UK parent company is ISO 22301 certified is the US subordinate company also
Not necessarily - you should read what the scope of the ISO 22301 certification is - the certificate must specify the scope.
In most cases, the certification of the corporate office does not mean that subsidiaries are also certified.
However, all this is theoretical because ISO 27003 was written in such an unreadable way that it wasn't much help for the implementation of ISO 27001:2005 either.
Documents of external origin
In your Procedure for document control you should specify only some general principles for controlling your external documents - e.g. who handles them, who decides whether they are necessary or not, etc. I wouldn't recommend that you specify which external documents are to be controlled in the Procedure because you would have to change your procedure too often.
Secure Development Policy
Here are the answers:
1) A repository is usually associated with software development and is a tool to archive code that is developed; a secure repository is one where such code is protected - e.g. with encryption, access control, etc. - try to search Google and you'll find lots of examples.
2) Version control is related to software versions.
3) Security in software development life cycle - from ISO perspective, the best explanation is given in section 14.2 of ISO 27002:2013; for more than this you should get some books or attend a course.