We've received the following question:
"We are running network and operation services (Network Service Desk) for clients. But I want to certify only my Network Service Desk for ISO 27001. Do all information assets, including servers and applications belonging to clients, come under the scope, or only those assets which are required to support the Network Service Desk from my office premises?"
Answer:
The scope shall include assets and facilities you control and/or you need to provide your services. In your particular case, since the customer assets are not on your premises and you do not have complete control over them, you should not include them in the scope. But you should include in the scope the information you need to access those customer assets.
Hope it helps
Thanks
Risk Owner and Asset Owner
We've received the following question:
"I also would like to ask you about the asset owner and risk owner concepts in 27001:2013. Do you know any cases when the asset owner and risk owner are not the same person? Would you elaborate a bit on this? And can I assign this ownership at a top level? For example, to deputy CEOs only? What is the risk?"
Answer:
According to the 2013 version, you need to identify risk owners for each of your risks, but you still need to identify ownership for your assets as requested in A.8.1.2.
Asset ownership is closer to operational control, and risk ownership is more related to business risk.
Answering your question, yes you can have different owners for assets and risks. With the new Risk Owner concept the responsibility is pushed to a higher level, which means that the Deputy CEO is a good candidate. But you should explain the concept and get the approval from top management on the best owner for each risk.
Please have a look at the following:
https://blog.iso27001standard.com/2013/10/14/how-to-make-a**********************************************************
Hope it helps
Thanks
Leaving belongings on the entrance
We've received the following question:
"...Company will implement ISO 27001 and we must leave our mobile phones in a box with a key... We must also leave jackets, home keys, mobiles, documentation and all of this in the box. What does ISO 27001 say about this?"
Answer:
ISO 27001 does not specify those particular requirements. Your company can implement those procedures as security measures if they think there is a realistic need, but by doing so they must be compliant with your local legislation.
Thanks
Introducing ISO 22301 to Top Management
You should present your project in business terms and try to emphasize the benefits, like:
- Compliance
- Marketing Advantage
- Reduce Dependence on Individuals
- Prevent large-scale damage
Avoid using certain words:
- Instead of Backup, use Prevention
- Instead of Cost use Investment
- Instead of Probability use Risk
- Instead of Incident use Damage
- Instead of Disaster use Loss/Downtime
Hope it helps
Records of training, skills, experience & qualifications
We've received the following question:
"...What do we actually look for in terms of evidence for Records of training, skills, experience & qualifications (7.2) in ISO 27001:2013?"
Answer:
Regarding training and skills, you should look at the training certificates, their duration, and their content.
For experience, you should look at customer reference letters for activities provided by employees.
Regarding qualifications, you should look at the academic qualifications and certifications.
Training, skills and qualification records shall be in accordance with each role profile.
It is common to find those records as part of the employee processes in the Human Resources Department.
Roles and Responsibilities
No, we do not have a separate template for roles and responsibilities because we think it is better to define information security roles and responsibilities in each policy and procedure - e.g. in your IT procedures you should define who is responsible for performing the backup, configuring the firewall, etc. By the way, ISO 27001 does not require you to have a centralized list of security roles and responsibilities - you can document those any way you find appropriate.
If you had a separate document where you listed the detailed roles and responsibilities in a centralized way, this would be a duplication of the rules - this would mean a much more difficult maintenance of the documentation, and possible conflicting rules.
We did however list general roles and responsibilities in our Information Security Policy - e.g. responsibilities for the top management level, responsibilities for ISMS coordination, etc.
These articles will also help you:
What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://www.iso27001standar************************** -is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://www.iso27001standard.com/blog/2014/06/09/roles-and-re************************************************************
ISO 27001:2006
To prove this fact to the legal department you have to do the following:
1) Identify which local standard was used - e.g. if it says "BS ISO/IEC 27001" then "BS" stands for British Standards.
2) Obtain a copy of that local version of the standard - there you will see a reference that this standard was copied from the original ISO/IEC 27001:2005
Controls in Statement of Applicability
We've received the following question:
".... for the transition to ISO 27001:2013, my plan aims to have all done in one year, but my boss is looking for a reduction in the number of controls selected as applicable. I'd like to confirm my ideas: all controls selected in the risk assessment are the ones in the SoA. Is this true?"
Answer:
"It is true that risk assessment and treatment determines which controls will be selected as applicable in the Statement of Applicability, however your top management must decide which is the acceptable level of risk.
Therefore, if they set the acceptable level of risk lower, this means that you won't have to implement some of the controls because the related risks will be acceptable. This also means your top management will be responsible if these risks materialize, which is usually not a very wise decision.
That said, the SoA shall include at least all the controls from Annex A, whether applicable or not. Justification must be included for the controls that are not applicable. The justification for not applicable controls is based on the risk that your organization is assuming, and your top management must be aware of that during the external audit. The auditor needs to be convinced by the justification you provide for each excluded control. For each control in the SoA, the risk or risks to which it applies need to be identified.
If you are interested in learning more on Statement of Applicability, see this article: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/"
Thanks
Risk Management Methodology 27001:2013
For developing a methodology for risk assessment ISO 31000 is not very practical because it is very generic - it does not provide detailed guidance.
Therefore we recommend ISO 27005 because:
1) It is specific for information security management
2) It is much more practical
3) It is fully compliant with ISO 31000
Answer: This really depends on what you would like to focus on - if you want to develop your disaster recovery infrastructure, ISO 27031 would be better. If you would like to develop resilience capability for your whole organization (including the business part), then ISO 22301 is better.
These two standards are quite different, because ISO 27031 is much more technically oriented. Further, you can get certified against ISO 22301 but not against ISO 27031.