Search results


  • Use old ISO 27001:2005 format for assessing the risks


    The 2013 revision of ISO 27001 gives you greater freedom in performing the risk assessment, but you can certainly use the principle from 27001:2005 where risks were identified based on assets, threats and vulnerabilities. The only extra thing you have to do because of the 2013 revision is to identify the risk owner for each risk.

    You can learn more in this article: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Competences for business continuity specialists


    Answer: Neither ISO 22301 nor ISO 27001 prescribes the level of competencies for business continuity - every company must determine its own level of competencies for its employees, based on the documentation you develop and on the technology you are using. For instance, if you start using some new method of communication, then you need to train your employees for it.

    The person who coordinates the business continuity project (e.g. Business continuity manager) usually goes for the 5-day Lead Auditor or Lead Implementer course for ISO 22301.
  • Responsibility for classifying the assets

    - PUBLIC
    - PRIVATE
    - SENSIBLE
    - CONFIDENTIAL
    The question is, who is responsible for assigning this classification to the assets?

    Answer: The ISO 27001 standard does not prescribe the responsibility for asset classification, but the best practice is that asset owners classify their assets. This is because they are in the best position to assess how confidential or how sensitive each of their assets is.

    The asset inventory itself can be compiled by the Information security manager, or some other person who coordinates information security in your company.
  • Information Systems Audit Control

    Control A.15.3.1 you refer to is from the old 2005 revision of ISO 27001 - in the new 2013 revision almost the same control exists under A.12.7.1.

    This control is not about logging user activities; this control is about how to plan the audits of your information systems in order to minimize the disruption to business processes; in other words, you have to perform your audits carefully, in order not to corrupt your operational systems.

    By the way, you'll find the best guidance in the ISO 27002 standard.
  • Information security policy - including references to clauses of ISO 27001 stand


    Answer: Actually, there is no requirement in ISO 27001 that the Information Security Policy should cover all the information security aspects.

    What you suggest is quite common - many companies insert references to detailed policies in the top-level Information Security Policy, but I see two potential problems with this approach:
    1) You will need to update the Information Security Policy quite often - each time you create a new policy related to information security.
    2) You should show this Information Security Policy to many interested parties (a requirement in ISO 27001 clause 5.2 g) - if it includes a list of all detailed policies, this could pose a potential threat (too many people will know which kind of internal rules you have).

    To conclude, the Statement of Applicability is the document where you must make such references - I think this is enough; you don't have to do it again in the Information Security Policy.
  • What types of evidence is normally obtained for each of the controls

    Further question:

    > What is vague to me is what ‘operating procedures’ are in the control A.12.1.1. I work at a very large company and we have many different operating segments and thousands of people that work in operations so that is why I was unsure on how much detail is needed.

    The objective of section A.12.1 is "To ensure correct and secure operations of information processing facilities" - therefore, the operating procedures here refer to IT operations. In other words, for control A.12.1.1 you need to check only your IT procedures.

    Regarding the question of detail - I would say that each of the controls that you select as applicable from the section A.12 should be covered with some document - they can all be covered in a single document, or each could have a separate document; the documents could be more or less detailed - all this doesn't matter as long as you have all these controls documented.

    But if you are a larger organization, chances are that you already do have all of these documents.
  • Who writes the Statement of Applicability?


    Answer: ISO 27001 does not define who should write the Statement of Applicability, but good practice is that this document is written by the person who is the project manager for the ISO 27001 implementation - in most cases this is the CISO. The project manager/CISO is usually in the best position to collect all the information from other departments and fill it into the SoA.

    If you had several people updating the SoA, you would have a problem of integrity of this document.

    ISO 27001 does not require you to determine the maturity level of the controls, it only requires you to state whether they are implemented or not (clause 6.1.3 d).
  • Glossary of Terms about BCP

    You can find a short glossary of business continuity and information security terms here: https://advisera.com/27001academy/knowledgebase/glossary/
    You can also find one here: https://www.drj.com/resources/tools/glossary-2.html

    There is also a glossary of business continuity terms in my book Becoming Resilient: https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Why does Annex A folder in the Toolkit include A.6-A.16 and not A.1-A.5?

    Actually, the reason is very simple - in the standard itself, the sections A.1 to A.5 do not exist (Annex A of ISO 27001). The reason for this is that the numbering of Annex A directly follows that of ISO 27002, and sections 1 to 5 in ISO 27002 are not very important.

    Section A.17 (Business continuity) is covered in our Premium toolkit - see pricing here https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    Section A.18 (Compliance) is covered in folder 02 Procedure for Identification of Requirements.
  • Project Planning - does the calculator results implementation time for all of th

    Our Implementation Duration calculator gives you an estimate of the implementation time of the whole project, including the controls.

    I agree with you that asset identification and risk assessment go rather quickly, but the implementation of controls (and their acceptance by all the employees and the top management) is something that takes a long time. Of course, you can do it in a shorter time, but in such cases it is a big question whether all controls would really work if needed.