Answer: ISO 27001:2013 does not require you to use KPIs (Key Performance Indicators) - it does however require you to set the objectives, define how to measure them, define who will report on the results and when, and who will evaluate these results. And I agree with you that this is a very similar concept to KPIs.
In our Documentation Toolkit, these principles are outlined in the Information Security Policy, while the control objectives need to be defined through the Statement of Applicability. We didn't describe the objectives in detail because they will differ greatly from company to company; you can also use the suggested objectives that are stated in Annex A of ISO 27001.
Roles and Responsibilities
Assets and risk assessment
You could consider a computer room as an asset, but this is not the control - the controls are air conditioning, secure door with access control, fire extinguishing and other equipment installed in this room.
Difference between the internal audit and the risk assessment
1) The risk assessment should be done by all asset owners - since the assets are not only software and hardware, but also information, people, infrastructure, etc., it will have to include more people. Risk assessment is about understanding threats and vulnerabilities and how to value the risks - see this webinar for a detailed explanation: The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
2) Internal audit is about both doing the interviews and collecting hard evidence (e.g. records, personal insight, etc.)
ISO 27001 does not require you to write an Asset management procedure - it only requires you to build an Asset inventory (control A.8.1.1 in ISO 27001:2013).
Therefore, you should write such a procedure only if you have significant risks that you want to decrease with such a document, or if your company is big and it would be difficult to handle all the assets without a written procedure. You could include the following in such a procedure: how the assets are identified and marked, where they are recorded (Asset inventory) and who is responsible, how they are disposed of, etc.
By the definition in ISO 27001, assets are anything that has value for the organization - it is not only the hardware and software, it is also information (in digital or paper form), people, infrastructure, facilities, etc.
Setting the scope of ISO 27k certification
ISMS is called a system because it contains several related processes and IT systems; but you are right, it could be confusing. Perhaps you can call your ISMS simply "information security management", just as you probably say "financial management" for your financial activities.
This leads me to a perhaps larger question that I should know already. When we get ISO 27K certification, is the certification for the company or for one (or more) of our data processing systems? Should we be building the ISMS enterprise wide or are the policies, procedures, etc. that we are assembling specific to our e-commerce application? I think it is the latter, otherwise what would be the purpose of the ISMS scope?
The certification body will certify your ISMS within the scope you specify. You can set your ISMS scope for your whole company, for one or several departments, for a process, or for an IT system. I really wouldn't recommend setting the scope for a process or for a system because that is extremely hard to achieve - it is much easier to set the scope for the whole company, or based on departments. This article may help you: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Once you set the scope, policies and procedures must not apply only to your IT systems, because you have to cover also other controls from Annex A - human resources management, supplier management, legal controls, etc.
ISO 27001:2013 standard - student copy
Mukta,
As far as I know, this is not possible if you purchase the standard directly from ISO or from BSI; however, your local standardization body might have some subsidized rates.
Can the risk be accepted and the control not applied?
Answer: You shouldn't mix the terms here - the ISMS scope refers to which information you are protecting and which information is not protected (it is out of the scope); within the ISMS scope you can decide which controls to apply and which not to apply.
To answer your question - if you have identified a risk which is low and decided to accept it and not to apply the related control, this is something you are allowed to do. The certification auditor shouldn't object to that, but the auditor can object if you didn't take into account all the vulnerabilities and threats, and if you didn't apply the assessment scale systematically. From my own experience, companies very often bend their own risk assessment approach in order to avoid certain controls - this is what the certification auditors are allergic to.
Setting the ISMS scope for data center
Yes, in this situation (where there is a clear boundary) you could set the developers out of the ISMS scope.
Which controls to apply?
Answer: None of the controls from Annex A are mandatory - any control can be excluded if there are no risks or other legal or regulatory requirements; however, it is extremely rare to see a company that has excluded control A.11.3.1.
The control 11.3.1 suggests that I have a system that changes passwords. Once I apply the control, do I have to use all suggestions, or can I do it my way, for example I generate passwords instead of a system?
Answer: There is no such requirement in ISO 27001:2005 A.11.3.1 - perhaps you are reading ISO 27002? In any case, any requirement that doesn't exist in ISO 27001 is not mandatory. This means you can apply your rules as long as they are not conflicting with ISO 27001 and that they reflect your risk assessment.
When I apply a control that refers to another, should I use this one too?
Answer: I'm not sure if I understood your question well, but you have to apply all the controls where there are risks or legal or regulatory requirements. Of course, you can implement a couple of controls together.