Search results

Home / Search

Category:
Select
Select

11268 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Leaving belongings on the entrance

    We've received the following question: "...Company will implement ISO27001 and we must leave mobile phone on a box with a key ...We must also leave jackets , home keys, mobile , documentation and all of this in the box. What told ISO27001 about this? Answer: ISO 27001 does not specify those particular requirements. Your company can implement those procedures as security measures if they think there is a realistic need, but by doing so they must be compliant with your local legislation. Thanks

  • Introducing ISO 22301 to Top Management

    You should present you project in business terms and try emphasize the benefits, like:
    - Compliance
    - Marketing Advantage
    - Reduce Dependence on Individuals
    - Prevent large-scale damage

    ROI (Return on Investment) with your own examples

    You can also use ROSI (Return on Security Investiment Calculator) in https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/

    Avoid using some words
    - Instead of Backup, use Prevention
    - Instead of Cost use Investment
    - Instead of Probability use Risk
    - Instead of Incident use Damage
    - Instead of Disaster use Loss/Downtime

    Hope it helps

  • Records of training, skills, experience & qualifications

    We've received the following question: "...What do we actually look for in terms of evidence for Records of training, skills, experience & qualifications 7.2 in the ISO 27001:2013? Answer: Regarding trainning and skills, you should look on the trainning certificates, duration, and their content. For experience you should look on customer reference letters from activities provided by employees. Regarding qualifications you should look on the academic qualifications and certifications. Trainning, Skills and qualifications records shall be in accordance with each the role profile. It is common to find those records as part of the employees process in the Human Resources Department.

  • Roles and Responsibilities"

    No, we do not have a separate template for roles and responsibilities because we think it is better to define information security roles and responsibilities in each policy and procedure - e.g. in your IT procedures you should define who is responsible for performing the backup, configuring the firewall, etc. By the way, ISO 27001 does not require you to have a centralized list of security roles and responsibilities - you can document those any way you find appropriate.

    If you had a separate document where you listed the detailed roles and responsibilities in a centralized way, this would be a duplication of the rules - this would mean a much more difficult maintenance of the documentation, and possible conflicting rules.

    We did however list general roles and responsibilities in our Information Security Policy - e.g. responsibilities for the top management level, responsibilities for ISMS coordination, etc.

    These articles will also help you:

    What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://www.iso27001standar************************** -is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://www.iso27001standard.com/blog/2014/06/09/roles-and-re************************************************************

  • ISO 27001:2006

    To prove this fact to the legal department you have to do the following:
    1) Identify which local standard was used - e.g. if it says "BS ISO/IEC 27001" than "BS" stands for British Standards.
    2) Obtain a copy of that local version of the standard - there you will see a reference that this standard was copied from the original ISO/IEC 27001:2005

  • Controls in Statement of Aplicability

    We've received the following question:
    ".... for the transition to ISO 27001:2013, my plan aims to have all done in one year but my boss is looking for the reduction of the amount of controls selected as applicable, I like to confirm my ideas, all controls selected in the risk assessment are the ones in the SoA. This is true?"
    Answer:
    "It is true that risk assessment and treatment determines which controls will be selected as applicable in the Statement of Applicability, however your top management must decide which is the acceptable level of risk.
    Therefore, if they set the acceptable level of risk lower, this means that you won't have to implement some of the controls because the related risks will be acceptable. This also means your top management will be responsible if these risks materialize, which is usually not a very wise decision.
    Saying that, the SoA shall include at least all the controls from Annex A either applicable or not. Justification must be included to the controls that are not applicable. The justification for not applicable controls is based on risk that your organization is assuming and your top management must be aware of that during the external audit. Auditor needs to be convinced with the justification you provide to each excluded control. Each control in SoA needs to be identified in what risk, or risks is/are applicable.
    If you are interested in learning more on Statement of Applicability, see this article: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/"
    Thanks

  • Risk Management Methodology 27001:2013

    For developing a methodology for risk assessment ISO 31000 is not very practical because it is very generic - it does not provide detailed guidance.

    Therefore we recommend ISO 27005 because:
    1) It is specific for information security management
    2) It is much more practicable
    3) It is fully compliant with ISO 31000

    For details on risk assessment best practice please have a look on the following webinar for further information on risk assessment: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • ISO 27031 vs ISO 22301


    Answer: This really depends on what would you like to focus - if you want to develop your disaster recovery infrastructure, ISO 27031 would be better. If you would like to develop resilience capability for your whole organization (including the business part), then ISO 22301 is better.

    These two standards are quite different, because ISO 27031 is much more technically oriented. Further, you can get certified against ISO 22301 but not against ISO 27031.

  • Documented information by organization as being necessary for effectiveness of t

    he ISMSWe've received the following question:
    About clause 7.5.1, what is the meaning of "documented information by organization as being necessary for the effectiveness of the isms".
    Answer:
    ISO 27001 version 2013 reduced the number of mandatory documents in the ISMS, compared with the ISO 27001:2005 version. But, from an experienced ISMS management point of view further documentation is required in order to help the ISMS implementation and management. The required documentation may be different from one organization to other depending on size, type of activity, products, services or processes.
    Here you can find some examples of aditional documentation to the mandatory documentation of the standard: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    As a personal experience I can share that to address A11.1 Secure Areas I usually promote the usage of facilities layouts maps using a color code identifying the different security perimeters, and the definition of policies, processes and procedures in accorda nce with the security perimeters. This is not required but it is very useful for the organization.
    Hope it helps

  • To have or not have a Disaster Recovery Plan


    The example in the question is a result of a recovery strategy for IT. In this case the option was using a mirror site due to the critical business that infrastructure is supporting. So you already implemented an IT Disaster Recovery approach. But you should have a documented Disaster Recovery Plan, because:
    1) Others persons can be aware of the specific subject.
    2) It is part of the Business Continui ty Plan increasing the resilience of the Business Continuity Management System,
    3) IT Disaster Recovery Plan activation may not be just related with IT malfunction that should be covered in the incident response plan
    4) You still need to implement the return to normal operation and this should be planned and documented.
    5) You need to implement a regular test approach in order to evaluate the effectiveness of the solution.
    6) Disaster Recovery Plan would help in case of failure of HA technology.

    You can find a more detailed information on: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

    Hope this helps
Page 1107-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +