How to document System Secure Engineering Principles
There are codes of best practices for each programming language. Java, for example, has a code of best practices that you can download from the official page of Oracle. So, depending on the language, you can follow a specific code of best practices.
How much of business continuity to implement in ISO 27001
I've received this question: When implementing ISO 27001, how deep do we have to go in Business Continuity (16)? Is it the same as implementing a whole Business Continuity project, or something lighter?
Answer: When implementing business continuity according to ISO 27001, you could implement a "lighter" version that would focus only on developing a disaster recovery plan (for recovering your IT infrastructure) and a recovery plan for your information security functions. This means you do not have to implement the whole business continuity project according to ISO 22301.
However, I would argue that it would make much more sense to implement a full business continuity project according to ISO 22301 as part of your ISO 27001 project - this is because of the following:
1) This would add perhaps only 10% of additional effort to your ISO 27001 project
2) You would implement two standards (both ISO 27001 and ISO 22301) with only little additional cost
3) You can ensure the continuity of your business operations only by doing this full business continuity project - complying with the minimum that is set in ISO 27001 wouldn't be enough.
You can find out more in this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
By the way, ISO 27001:2013 defines the controls for business continuity in Annex A, section A.17.
ISO 27001 maintenance mode after implementation mode
We've received the following question:
We recently achieved our ISO certification on Friday last, the 28 Feb. However, I have been looking on your blog to find out what the process is, if any, to transition from implementation mode to maintenance mode, and whether there are any critical items that need to be closed off/completed before this can happen.
We are still keenly in ISO operational mode and are now looking at including the rest of the business in scope (we had a limited scope initially), but at present we want to wind down activity, e.g. reduce the frequency and attendance of the ISMS team meetings and suchlike. Are there any guidelines for what should still happen post-audit while leaving the implementation phase behind, and how to get into that mode?
Answer:
From your description I can assume that you have already sent to the certification body the CAP (Corrective Action Plan) for the nonconformities that arose during the audit, because this is the most critical item. The actions you mentioned in the CAP should be treated in accordance with the scheduled timeframe you referred to in the document.
If you had no nonconformities, you shouldn't be required to send a Corrective Action Plan.
To get "into maintenance mode after implementation mode", it is just a matter of following the policies, processes, procedures and controls you've just included in your system and focusing on the performance of the indicators you have selected, completing the PDCA cycle.
If your team is motivated and you have the management commitment to include the rest of the business in the scope, please proceed in that way and increase the maturity level of the system.
Thanks
Internal and external issues and interested parties in ISO 27001
I am sorry, but ISO 31000 does not specifically say that the risk assessment starts with the identification of issues (I suppose that is what you mean). According to ISO 31000 (clause 5.4.1 General): "Risk assessment is the overall process of risk identification, risk analysis and risk evaluation". And in clause 5.4.2 Risk identification, you can read: "The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences". So, you start the risk assessment with risk identification, then continue with risk analysis and finally with risk evaluation.
We've received the following question:
"I am considering completing the exams related to 22301 and 27001.
As far as I can see there are lead auditor and lead implementer certifications for both standards.
I'm not sure what the foundation certification is all about, but maybe you can tell me if it is needed and why?
I believe my best option is to start reading some course material or books prior to the course and the exam.
Could you tell me which books/material you would recommend to give me the best probability of qualifying for the exam, and whether you are able to provide them?"
Answer:
Regarding certification, the Foundation course is the first step into this subject, giving a general overview of the aspects of the standards, while Lead Implementer is a deeper approach for those who want to implement these systems using a systemic approach to all the requirements. Lead Auditor is for those who want to become auditors of the system, providing guidance on the standard as well as on how to perform audits.
Regarding the materials, you should have a look at the following links:
https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
You can also have a look at the ebook:
https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Many thanks
ISO 27005 or ISO 31000
We've received the following question:
I did risk assessment/management programs, but my approach was to identify assets, then threats, and so on. I read that the new version does not recommend this approach of identifying assets and so on, but recommends finding the risks associated with the environment and so on...
Answer:
In fact there is no specific requirement on that approach, but there is still a requirement for an asset inventory, and in order to control those assets it is good practice to address threats and vulnerabilities on those assets, so you can follow the ISO 27005 approach.
The new risk approach alignment suggested in the 2013 version has a wider coverage and gives the organization the opportunity to address the context risks of the business, providing lines of thought for the internal and external issues that are relevant for the business.
ISO 27005 is more focused on information security, and ISO 31000 is a framework that can be used to address those internal and external issues as well as information security.
In the new version you can use the approach that best suits your needs. As a detailed methodology for information security risk management, ISO 27005 is more practicable than ISO 31000; on the other hand, ISO 31000 provides better guidance on addressing the context analysis. So it is up to your organization to choose either of the approaches, or even both.
Hope it helps
Thanks
Identification of applicable legislation
Hello,
You should list your country's legislation and regulations that apply to your activity in relation to the ISO 27001 controls, namely: privacy, data retention, human resources, data protection, personal data, physical security, etc., and collect evidence of compliance with those requirements. We would suggest that you work with your company lawyer and request those applicable laws and regulations.
MAO (Maximum Acceptable Outage) classifications
We've received the following question:
"I would like more information on MAO classifications. Does 22301 require the use of "MAO by Activity" including, Marginal Impact, Acceptable Impact, High Impact and Catastrophic Impact?"
Answer:
Yes, ISO 22301 requires the use of MAO (Maximum Acceptable Outage) for each activity when conducting the Business Impact Analysis.
The classifications Marginal Impact, Acceptable Impact, High Impact and Catastrophic Impact are suggestions, not mandatory; other classifications and different levels can be used. Classifications should be used in conjunction with the duration of the outage.
A possible approach would be:
You define a table with time durations, e.g. (2 hours; 4 hours; 8 hours; 24 hours; 48 hours; 1 week) in the columns, and rows with some questions that could reflect the impact of the outage for each time duration. Then fill in each intersection with the impact classification below the time duration.
Example of questions:
How will your clients react to a disruption?
What will be the impact to other activities?
How difficult will it be to catch up on the backlog of work?
etc.
So with this approach you can address the MAO requirement for each activity.
You can also have a look at the following link: Benefit of performing BIA for a single department
https://community.epps.eu/forum/iso-27001-iso-22301-suppor*********************************************************
Hope it helps.
Thanks
Scope definition on customer assets
We've received the following question:
"We are running network and operation services (Network Service Desk) for clients, but I want to certify only my Network Service Desk for ISO 27001. Do all information assets, including servers and applications belonging to clients, come under scope, or only those assets which are required to support the Network Service Desk service from my office premises?"
Answer:
The scope shall include the assets and facilities you control and/or need to provide your services. In your particular case, since the customer assets are not on your premises and you do not have complete control over them, you should not include them in the scope. But you should include in the scope the information you need to access those customer assets.
Hope it helps
Thanks
Risk Owner and Asset Owner
We've received the following question:
"I also would like to ask you about the asset owner and risk owner concepts in 27001:2013. Do you know of any cases where the asset owner and the risk owner are not the same person? Would you elaborate a bit on this? And can I assign this ownership at a top level, for example to deputy CEOs only? What is the risk?"
Answer:
According to the 2013 version, you need to identify risk owners for each of your risks, but you still need to identify ownership of your assets as required in A.8.1.2.
Asset ownership is closer to operational control, and risk ownership is more related to business risk.
Answering your question: yes, you can have different owners for assets and risks. With the new Risk Owner concept the responsibility is pushed to a higher level, which means that the Deputy CEO is a good candidate. But you should explain the concept and get approval from top management on the best owner for each risk.
Please have a look at the following:
https://blog.iso27001standard.com/2013/10/14/how-to-make-a**********************************************************
Hope it helps
Thanks