
  • Preparation plan as part of Business continuity strategy


    Answer: Since this Preparation plan is a kind of to-do list which defines who needs to do what, when and with which resources, the method of evaluating the results could be by assessing the following information and comparing it with the plan:
    - Records of implementation
    - Financial accounting systems
    - Reports from responsible persons
    - Audit
    - etc.
  • Quantity and quality of ISO 27001 documentation for certification audit


    The certification process is performed in 2 stages: the Stage 1 audit, also called Document review, where your documentation is checked against the standard, and the Stage 2 audit, also called Main audit, which is performed onsite.

    In the Stage 1 audit your documentation is checked for compliance with the standard - quantity is not as important as quality because, for example, smaller companies will have fewer documents, but they still need to be compliant with the standard and appropriate for company needs.

    However, the most important is the Stage 2 audit - this is where the auditor will check whether your company performs all the activities that are written in your documents. This means that you may have high-quality documents, but if you don't act accordingly, you will still fail the audit.

    Read more here: Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
  • Query regarding Server access and related Risks

    Hello,

    Opening Port 22 allows secure shell login to the server, using SSH protocol, which is a good option for remote access, using encryption between server and client.

    Regarding the risks of source code access, we can identify the following:
    - Lack of change management control
    - Property rights violations
    - Lack of control on Code security
    - Server availability
    - Software Development Lifecycle practices not accomplished
    - Difficulties in the Service Level Agreement between service provider and customer.

    Whether providing access to source code is a good practice or not depends on the business relation between parties and also the purpose of the server/code.

    As a service provider it is a good practice to have an AUP (Acceptable Use Policy) signed by your customers regarding the services you are providing, where this point should be covered for server and code access. Also the AUP should include the RACI matrix identifying who is Responsible, Accountable, Consulted and Informed, defining the ownership of the asset.

    If there is a need for shared administrator privileges in the server, you should use different user accounts and an external log system recording user activity in the server.

    Thanks
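As an added illustration of the last point in the answer above (individual accounts plus an activity log that can attribute privileged actions to a named person), and not code from the original post: a small Python check that builds a per-user trail from constructed auth-log lines in the format sshd and sudo write, and flags direct root logins, where accountability is lost. The host name, user names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd and sudo write to the system
# auth log; they are not taken from any real server.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 srv1 sshd[2310]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
Mar  3 09:12:40 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:07 srv1 sshd[2355]: Accepted password for root from 198.51.100.9 port 40110 ssh2
Mar  3 09:16:22 srv1 sshd[2390]: Accepted publickey for bob from 203.0.113.7 port 51100 ssh2
Mar  3 09:17:02 srv1 sudo:      bob : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/git pull
"""

# sshd records each accepted login with the auth method, user and source address.
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
# sudo records the invoking user, the target user and the exact command.
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def build_activity_trail(log_text):
    """Return (activity, findings) for the given auth-log text.

    activity maps each login name to the logins and privileged commands
    attributed to it; findings lists events where a shared/root account
    was used directly, so no individual administrator can be identified.
    """
    activity = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            method, user, src = m.groups()
            activity[user].append(("login", method, src))
            if user == "root":
                findings.append(f"direct root login from {src} via {method}")
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            activity[user].append(("sudo", target, cmd))
    return dict(activity), findings


if __name__ == "__main__":
    trail, issues = build_activity_trail(SAMPLE_AUTH_LOG)
    for user, events in trail.items():
        print(user, events)
    print("findings:", issues)
```

Shipping the log to an external collector before running such a check keeps the trail out of reach of the administrators it records.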
  • Is clause 7.2 Competences of personnel mandatory in ISO 22301?


    Answer: Clause 7.2 of ISO 22301 says "retain appropriate documented information as evidence of competence and any actions taken" - therefore, you must maintain records of all trainings and competences of your employees, and this is why we have listed that clause as mandatory in our List of documents.

    However, I think that making a Training and awareness plan is useful although it is not mandatory according to ISO 22301, so this is why we have suggested that document in our List of documents under the section "Commonly used non-mandatory documents".
  • ISMS scope in Quality Manual


    Neither ISO 9001 nor ISO 27001 prescribe how you should structure your documentation. So basically, you have the following options:
    a) ISMS Scope document is a separate document - this is the most common option
    b) ISMS scope is defined within the Information Security Policy document - this is an option that is sometimes used by smaller companies
    c) ISMS scope is defined within the Quality Manual - this is very rare, but theoretically possible.

    See also this article about the ISMS scope: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Assessment of processes

    Here you'll find a catalogue of threats and vulnerabilities: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    This catalogue is made for assessing threats and vulnerabilities of assets, but it can be used for processes as well. By the way, when speaking about ISO 27001, it is much better to do asset-based risk assessment because it gives much more precise results.

    You can also read about the process of risk assessment here: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Information security incident management Categories

    For me, the items you mentioned are not categories, but examples of individual IT incidents.

    In any case, since incidents are nothing else but materialized risks, here you'll see examples of threats and vulnerabilities that create information security risks: https://wiki.iso27001standard.com/inde*************************************
  • Secure system engineering principles

    If this application that you're testing (together with its data) is within the scope of your ISMS, then yes - you should apply the Secure system engineering principles policy on this application.

    See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • connection between BCP and security

    Yes, information security and business continuity are very related - the most recent trend in most banks is that the functions of BCP and CISO are merged in one department or one person.

    Arguments are these: you can do risk assessment at the same time for both information security and business continuity; incident management is very much related; training and awareness is almost the same, etc.

    These materials can also help you:
    - ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Statement of Applicability & auditor's comments on effectiveness of controls

    The Statement of Applicability (as well as other ISMS documents) is an internal document that the company develops for managing its security - such documents should not be produced to serve the certification audit, nor should the certification auditor use them as their records.

    Certification auditors should use their own forms for noting conclusions and reporting them to you.

    The certification body won't issue the certificate if they find major nonconformities (when you lack some important part of the ISMS or when you do not comply at all with some of your documents); if they find Minor nonconformities they will issue the certificate.

    These articles can also help you:
    - Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - How to get certified against ISO 27001? https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - How to approach an auditor in a certification audit https://advisera.com/articles/how-to-approach-an-auditor-in-a-certification-audit/