If you follow our Risk Assessment Table, then you need to identify all the assets, and then threats and vulnerabilities for each asset. This basically means that if you think an incident can impact several assets, then you should mention adequate threats and vulnerabilities for each of those assets.
In other words, you don't have to show direct dependencies between assets because that would only complicate the risk assessment; the dependency will be implicit by identifying the same threats for a group of assets.
Using risks instead of threats
Risk is different from threat: risk is "an uncertain event or condition that, if it occurs, has an effect on at least one objective", while a threat is a "potential cause of an unwanted incident, which may result in harm to a system or organization". So for instance, the threat is a computer virus, and the risk is the loss of all the information on your computer.
Skype and Dropbox are used mainly to reduce costs for the company. Being a small-sized IT firm, the management is not in a position to buy licensed communication software. This may be one such instance, but I feel we are compromising on security in many aspects.
How should I handle this situation? The management is planning to go for external ISO 27001 certification. How should my controls support both the security and cost aspects?
Many companies use exactly the same tools, and yet they pass the ISO 27001 certification.
Skype is generally considered to be pretty secure for communication; Dropbox is probably fine if you upload less confidential documents while if you have highly confidential documents it would be probably better to use some other service which encrypts the files before sending them to the cloud. So the point is - you should select your controls based on the assessed risks.
Of course, all the software you are using must be licensed.
SoA
Cesar,
You are free to decide whether the controls from Statement of Applicability will apply to your whole organization or only to the ISMS scope.
However, in case you go for the ISO 27001 certification, then in SoA you should use only the controls that apply to your ISMS scope because otherwise you will have problems with the certification auditor.
must I finish the project that implements the controls selected for getting ISO
The implementation of controls must be planned through the Risk Treatment Plan - yes, you can plan to implement some of the controls after the certification audit, however you must make sure that you implement all the major controls before the certification audit.
This means that you can implement after the certification audit only the less important controls (those that decrease less significant risks); in such a case the management must accept those risks, because at the time of the certification those risks will be unacceptable.
Information Security Objectives and management support
Cesar,
Clause 5.2 of ISO 27001 requires you to include the things you mentioned in the top-level Information Security Policy:
- the management commitment to information security, and
- the information security objectives, or a framework for setting objectives (in this case, the objectives are documented separately)
Difference between Risk Treatment Plan and Risk Assessment Report
Risk Assessment Report simply reports the results of the risk assessment and risk treatment - therefore, it is reporting something from the past. On the other hand, the Risk Treatment Plan defines who will implement each control, with which resources, what are the deadlines, etc. - therefore, it is planning something for the future.
Control A.10.8.5 "Business Information Systems" existed in the old 2005 revision of ISO 27001 / ISO 27002; it no longer exists in the 2013 revision of ISO 27001/27002.
All the requirements for transfer of information are now covered in the section A.13.2 called "Information transfer". To cover these requirements, you should prepare a policy which defines basic rules for exchanging the information with third parties, and then sign agreements with them which are compliant with your policy.
However, if you want to implement those standards separately, you can very easily separate the templates as well:
1) For implementation of any of the standards you need to use folders 0, 1, 2, 5, 9, 10, 11, 12
2) For implementation of ISO 27001 only, you need to use folders 3, 4, 6, 7 and 08 Annex A (A.6 to A.16)
3) For implementation of ISO 22301 only, you need to use folders 08 Annex A - A.17
Also, I am wondering why the total number of templates is now 63 for the combo (ISO 22701 + 22301), while if I bought them individually the ISO 27001 documentation templates would have been 43 and the ISO 22301 templates 33, making a total of 76.
Answer: This is because some of the documents are the same for both standards - e.g. Procedure for Document and Record Control, Procedure for Internal Audit, etc.
ISO 27001 - must you implement all the 133 controls?