We are providing only online services, so for classroom training and to become a trainee you should look for some organizations in the UK - e.g. certification bodies like BSI, SGS, BV, DNV, but also organizations like IT Governance.
Applicable legislation control in ISO 27001
You need to identify only the laws, regulations and contractual obligations that could influence the security of your information.
How will we evaluate the deliverables of the consultant?
I have been asked by the top management how we will evaluate the deliverables of the consultant. My answer to them was that the consultant will be applying an international standard, but I think this is not sufficient. I am wondering if there is a way other than real testing (since testing will not be carried out by the consultant) to evaluate the BIA or the RA or the BCP developed by the consultant, especially since I will have to sign after each phase that the consultant's deliverables are acceptable.
To summarize: how can I evaluate the consultant's work regarding BIA, RA, BCP & strategy without real testing of the plan? In other words, is there a clear KPI to mention in the SLA?
Answer: This is a tough question. Frankly, I'm not aware of any KPIs with which you would be able to measure the quality of the consultant's work. If you were going for certification, this would be one way to verify whether what he has done was satisfactory.
But, to ensure that the consultant does a good job, you can do this:
1) When selecting a consultant, use this List of questions to ask your ISO 27001/ISO 22301 consultant - you can download it here: https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-iso-22301-consultant/
2) In the agreement, write that you have to approve every document before you pay him.
3) If you won't go for certification, hire someone to review all the documents the consultant has written.
However, the alternative could be that you implement BIA, RA, BC strategy, and BCP yourself, since the implementation, training and testing will be done by yourselves anyway. You can get all the know-how here: https://www.iso27001standard.com/en/se*************************************
Use old ISO 27001:2005 format for assessing the risks
The 2013 revision of ISO 27001 gives you greater freedom in performing the risk assessment, but you can certainly use the principle from ISO 27001:2005, where risks were identified based on assets, threats and vulnerabilities. The only thing you have to do extra because of the 2013 revision is to identify the risk owner for each risk.
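An added example (not from the original answer or from Advisera) of the asset/threat/vulnerability identification described above, with the extra 2013 step of assigning a risk owner; the 1-3 scales, the multiplicative scoring, the threat/vulnerability catalogue and the sample assets are assumptions, since the standard fixes none of them.

```python
"""Asset-based risk identification in the ISO 27001:2005 style, plus the
risk-owner check added by the 2013 revision. All scales and data are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str      # e.g. "server", "laptop"; selects applicable threat/vulnerability pairs
    owner: str     # asset owner from the asset inventory ("" = not recorded)
    impact: int    # assumed 1-3 scale: consequence if the asset is compromised


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                  # assumed 1-3 scale
    impact: int
    risk_owner: Optional[str] = None  # the 2013 addition: someone accountable for each risk

    @property
    def level(self) -> int:
        return self.likelihood * self.impact  # assumed scoring; the standard does not fix one


# Constructed catalogue: (threat, vulnerability, likelihood) per asset kind
THREAT_VULN_CATALOGUE = {
    "server": [("malware infection", "unpatched software", 2),
               ("unauthorized access", "weak passwords", 2)],
    "laptop": [("theft", "no disk encryption", 2)],
}


def identify_risks(assets, catalogue=THREAT_VULN_CATALOGUE):
    """2005-style identification: one risk per asset x threat x vulnerability.
    The risk owner defaults to the asset owner (an assumption; any accountable person will do)."""
    return [Risk(a.name, threat, vuln, likelihood, a.impact, a.owner or None)
            for a in assets
            for threat, vuln, likelihood in catalogue.get(a.kind, [])]


def unowned_risks(risks):
    """The 2013 check: every identified risk must have a risk owner."""
    return [r for r in risks if not r.risk_owner]


def unacceptable_risks(risks, threshold):
    """Risks above the (assumed) acceptable-risk threshold, highest first, for treatment."""
    return sorted((r for r in risks if r.level > threshold), key=lambda r: -r.level)


SAMPLE_ASSETS = [  # constructed asset inventory
    Asset("erp-db-01", "server", "IT Operations", 3),
    Asset("sales-laptop-17", "laptop", "Sales", 2),
    Asset("legacy-fileshare", "server", "", 1),  # owner never recorded
]
```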
Answer: Neither ISO 22301 nor ISO 27001 prescribes the level of competencies for business continuity - every company must determine its own level of competencies for its employees, based on the documentation you develop and on the technology you are using. For instance, if you start using some new method of communication, then you need to train your employees for it.
The person who coordinates the business continuity project (e.g. Business continuity manager) usually goes for the 5-day Lead Auditor or Lead Implementer course for ISO 22301.
Responsibility for classifying the assets
- PUBLIC
- PRIVATE
- SENSIBLE
- CONFIDENTIAL
The question is, who is responsible for giving this classification to the assets?
Answer: The ISO 27001 standard does not prescribe the responsibility for asset classification, but the best practice is that asset owners classify their assets. This is because they are in the best position to assess how confidential or how sensitive each of their assets is.
The asset inventory itself can be compiled by the Information security manager, or some other person who coordinates information security in your company.
Information Systems Audit Control
Control A.15.3.1 you refer to is from the old 2005 revision of ISO 27001 - in the new 2013 revision almost the same control exists under A.12.7.1.
This control is not about logging user activities; this control is on how to plan the audits of your information systems in order to minimize the disruption to business processes; in other words, you have to perform your audits carefully, in order not to corrupt your operational systems.
By the way, you'll find the best guidance in the ISO 27002 standard.
Information security policy - including references to clauses of ISO 27001 stand
Answer: Actually, there is no requirement in ISO 27001 that the Information Security Policy should cover all the information security aspects.
What you suggest is quite common - many companies insert references to detailed policies in the top-level Information Security Policy, but I see two potential problems with this approach:
1) You will need to update the Information Security Policy quite often - each time you create a new policy related to information security.
2) You should show this Information Security Policy to many interested parties (requirement in ISO 27001 clause 5.2 g) - if it includes a list of all detailed policies, this could cause a potential threat (too many people will know which kind of internal rules you have).
To conclude, the Statement of Applicability is the document where you must make such references - I think this is enough; you don't have to do it again in the Information Security Policy.
What types of evidence are normally obtained for each of the controls
Further question:
> What is vague to me is what operating procedures are in the control A.12.1.1. I work at a very large company and we have many different operating segments and thousands of people that work in operations so that is why I was unsure on how much detail is needed.
The objective of section A.12.1 is "To ensure correct and secure operations of information processing facilities" - therefore, the operating procedures here refer to IT operations. In other words, for control A.12.1.1 you need to check only your IT procedures.
Regarding the question of detail - I would say that each of the controls that you select as applicable from section A.12 should be covered by some document - they can all be covered in a single document, or each could have a separate document; the documents could be more or less detailed - none of this matters as long as you have all these controls documented.
But if you are a larger organization, chances are that you already do have all of these documents.
Who writes the Statement of Applicability?
Answer: ISO 27001 does not define who should write the Statement of Applicability, but good practice is that this document is written by the person who is the project manager for the ISO 27001 implementation - in most cases this is the CISO. The project manager/CISO is usually in the best position to collect all the information from other departments and fill it into the SoA.
If you had several people updating the SoA, you would have a problem with the integrity of this document.
ISO 27001 does not require you to determine the maturity level of the controls, it only requires you to state whether they are implemented or not (clause 6.1.3 d).