
  • RTO for IT System

    Thank you so much Dejan.

    Best Regards,
    Juliano
  • ISO training evidence


    Answer: There are no particular templates - you can show the auditor training certificates, or some other records showing that your employees have attended trainings.

    Could you also please let me know, apart from the implementation question, are they going to be interviewed individually?

    Answer: I'm not sure if you refer here to employees in your company, but the certification auditor can speak to anyone in your company, and he can ask them any question to find out if they comply with the security rules.
  • Query pertinent to mapping controls of the revised standard to the old standard

    Vinay,

    ISO 27001 does not mention "implementation guidance" - are you perhaps referring to ISO 27002?

    In any case, ISO 27002 is irrelevant to certification auditors. For ISO 27001, you have to select only those controls where there are risks or where there are some other requirements (like legal or regulatory) which require you to implement a particular control.

    To learn more about the risk assessment process and selecting the controls read this article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Will ISO 22301 become more important with the transition to ISO 27001:2013?

    Biffa,

    Yes, ISO 22301 has greater importance now because the scope of business continuity in ISO 27001 is narrower in the new 2013 revision. ISO 27001 focuses only on continuity of information security operations, not on the whole company.

    However, the new control A.17.2.1, called "Availability of information processing facilities", basically requires disaster recovery to be established, and this is something that didn't exist in ISO 27001:2005. Therefore, the 2013 revision is actually closer to disaster recovery than to business continuity.
  • Disruption or Disaster?

    Juliano,

    Disruption and disaster are not two mutually exclusive terms - a disruption is any kind of interruption of your activities, whereas a disaster is a longer disruption with large impacts.

    The main criterion to activate your Disaster Recovery Plan (or Business Continuity Plan) is the length of a disruption - if the expected length of a disruption is longer than your RTO (Recovery Time Objective), then you need to activate your plan. You should determine your RTO through the business impact analysis.

    To learn more about RTO read this article: https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • Definition of Physical and Technical security and responsibilities

    "Technical security" is a term usually not used in English; for physical security, ISO 27001 defines the following objectives: "To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities." and "To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations."

    You should perform a risk assessment and, based on the results, define your secure areas and protect them accordingly. The responsibility for physical security can vary from company to company - in traditional companies this is usually the responsibility of the Security manager (who has no relationship with information security), while a more modern approach would be to have a Corporate security function which covers both information security and physical security, but also e.g. health & safety.
  • Difference between plans

    Juliano,

    The difference is the following:
    - Business continuity plan is a top-level plan with some general guidelines and responsibilities
    - Incident response plan describes how to initially respond to various incidents - e.g. earthquake, fire, bomb threat, etc.
    - Recovery plans are used to describe how individual activities/departments will be recovered if their operations have been disrupted. This plan can be used both for the business side of your organization and for the IT department - as a Disaster Recovery Plan.

    This article may also help you: Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Matching threats and vulnerabilities


    Answer: Unfortunately, our Risk assessment table does not offer this kind of automation. However, you should use your common sense when doing this matching - e.g. if a threat is a virus, then the vulnerability can be lack of anti-virus software. If a threat is fire then the vulnerability can be lack of procedures (incident response procedures) or lack of fire suppression systems.

    As a general rule, each asset should have 2 to 5 threats, and each threat 2 to 3 vulnerabilities. You really don't have to do more than that in your initial risk assessment.
  • How can I approach the certification body to gain audit experience


    Basically, you have to find a certification body which is looking for new auditors. I'm not sure about the situation in your country, but this could be difficult. I'm not sure if this is an option for you, but perhaps you can offer them to go through their trainee program for free? Normally, if they have a regular employee they would have to pay his salary.

    You can read more about the whole process here: How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Where to start from as a new CISO


    First, I would start looking for the benefits that information security can bring to your company, especially how it can support the strategic objectives of your company - this way you will be able to get your top management's commitment to support your information security efforts. Learn more here: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Secondly, I would start doing the risk assessment in order to identify which safeguards/controls must be implemented. Learn more here: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/