
  • Roles and Responsibilities

    No, we do not have a separate template for roles and responsibilities because we think it is better to define information security roles and responsibilities in each policy and procedure - e.g. in your IT procedures you should define who is responsible for performing the backup, configuring the firewall, etc. By the way, ISO 27001 does not require you to have a centralized list of security roles and responsibilities - you can document those any way you find appropriate.

    If you had a separate document where you listed the detailed roles and responsibilities in a centralized way, this would be a duplication of the rules - this would make maintenance of the documentation much more difficult, and could lead to conflicting rules.

    We did however list general roles and responsibilities in our Information Security Policy - e.g. responsibilities for the top management level, responsibilities for ISMS coordination, etc.

    These articles will also help you:

    What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://www.iso27001standar************************** -is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://www.iso27001standard.com/blog/2014/06/09/roles-and-re************************************************************
  • ISO 27001:2006

    To prove this fact to the legal department you have to do the following:
    1) Identify which local standard was used - e.g. if it says "BS ISO/IEC 27001" then "BS" stands for British Standards.
    2) Obtain a copy of that local version of the standard - there you will see a reference that this standard was copied from the original ISO/IEC 27001:2005
  • Controls in Statement of Applicability

    We've received the following question:
    ".... for the transition to ISO 27001:2013, my plan aims to have all done in one year but my boss is looking for the reduction of the amount of controls selected as applicable, I like to confirm my ideas, all controls selected in the risk assessment are the ones in the SoA. This is true?"
    Answer:
    "It is true that risk assessment and treatment determines which controls will be selected as applicable in the Statement of Applicability, however your top management must decide which is the acceptable level of risk.
    Therefore, if they set the acceptable level of risk lower, this means that you won't have to implement some of the controls because the related risks will be acceptable. This also means your top management will be responsible if these risks materialize, which is usually not a very wise decision.
    That said, the SoA shall include at least all the controls from Annex A, whether applicable or not. A justification must be included for the controls that are not applicable. The justification for not applicable controls is based on the risk that your organization is assuming, and your top management must be aware of that during the external audit. The auditor needs to be convinced by the justification you provide for each excluded control. For each control in the SoA, it needs to be identified which risk or risks it applies to.
    If you are interested in learning more on Statement of Applicability, see this article: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/"
    Thanks
  • Risk Management Methodology 27001:2013

    For developing a methodology for risk assessment ISO 31000 is not very practical because it is very generic - it does not provide detailed guidance.

    Therefore we recommend ISO 27005 because:
    1) It is specific for information security management
    2) It is much more practical
    3) It is fully compliant with ISO 31000

    For details on risk assessment best practice, please have a look at the following webinar: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 27031 vs ISO 22301

    Answer: This really depends on what you would like to focus on - if you want to develop your disaster recovery infrastructure, ISO 27031 would be better. If you would like to develop resilience capability for your whole organization (including the business part), then ISO 22301 is better.

    These two standards are quite different, because ISO 27031 is much more technically oriented. Further, you can get certified against ISO 22301 but not against ISO 27031.
  • Documented information by organization as being necessary for effectiveness of the ISMS

    We've received the following question:
    About clause 7.5.1, what is the meaning of "documented information by organization as being necessary for the effectiveness of the isms".
    Answer:
    ISO 27001 version 2013 reduced the number of mandatory documents in the ISMS, compared with the ISO 27001:2005 version. But, from an experienced ISMS management point of view, further documentation is required in order to help the ISMS implementation and management. The required documentation may differ from one organization to another depending on size, type of activity, products, services or processes.
    Here you can find some examples of additional documentation beyond the mandatory documentation of the standard: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    As a personal experience I can share that to address A.11.1 Secure Areas I usually promote the usage of facility layout maps using a color code identifying the different security perimeters, and the definition of policies, processes and procedures in accordance with the security perimeters. This is not required but it is very useful for the organization.
    Hope it helps
  • To have or not have a Disaster Recovery Plan

    The example in the question is a result of a recovery strategy for IT. In this case the option was using a mirror site due to the critical business that infrastructure is supporting. So you have already implemented an IT Disaster Recovery approach. But you should have a documented Disaster Recovery Plan, because:
    1) Other people can be aware of the specific subject.
    2) It is part of the Business Continuity Plan, increasing the resilience of the Business Continuity Management System,
    3) IT Disaster Recovery Plan activation may not be related only to an IT malfunction, which should be covered in the incident response plan
    4) You still need to implement the return to normal operation and this should be planned and documented.
    5) You need to implement a regular test approach in order to evaluate the effectiveness of the solution.
    6) Disaster Recovery Plan would help in case of failure of HA technology.

    You can find more detailed information on: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

    Hope this helps
  • ISMS Implementation using ISO 27001 version 2005 or 2013


    In my opinion you should start with the 2013 version from the beginning. If you are familiar with the 2005 version, that could help in understanding the concepts, since the 2013 version is easier than the 2005 one for experienced people.

    If you are planning to get certified, please consider that after September 2014 there will be no more new certifications for the 2005 version, and certifications against the 2005 version will be required to make the transition by October 2015. So if you start your ISMS with the 2005 version, you will need to make the transition next year. Starting with the 2013 version, you will save time and money.

    In the infographic you can find some useful information about the differences between 2005 and 2013 versions: https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/

    You can also find an overview of Annex A in ISO 27001 version 2013 at: https://advisera.com/27001academy/iso-27001-controls/

    And if needed you can have also an overview on how to build a project with ISO 27001: https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    Thanks
  • Preparation plan as part of Business continuity strategy

    Answer: Since this Preparation plan is a kind of to-do list which defines who needs to do what, when, and with which resources, the method of evaluating the results could be to assess the following information and compare it with the plan:
    - Records of implementation
    - Financial accounting systems
    - Reports from responsible persons
    - Audit
    - etc.
  • Quantity and quality of ISO 27001 documentation for certification audit

    The certification process is performed in 2 stages: the Stage 1 audit, also called the Document review, where your documentation is checked against the standard, and the Stage 2 audit, also called the Main audit, which is performed onsite.

    In the Stage 1 audit your documentation is checked for compliance with the standard - quantity is not as important as quality, because, for example, smaller companies will have fewer documents but they still need to be compliant with the standard and appropriate for the company's needs.

    However, the most important is the Stage 2 audit - this is where the auditor will check whether your company performs all the activities that are written in your documents. This means that you may have high-quality documents, but if you don't act accordingly, you will still fail the audit.

    Read more here: Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/