Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
The best ISO to implement for a Data Center
Answer: Regarding your Data Center, you can take a look at ISO 27031 (a standard for disaster recovery), however I'm always in favor of ISO 27001 because it gives you a clear framework on how to link the business requirements and IT.
Regarding the security certifications for IT personnel, you can go for CISSP, CISM, CISA, ISO 27001 Lead Auditor or ISO 27001 Lead Implementer - read more in this article: How to learn about ISO 27001 and BS 25999-2 -
Should Physical Cable prototypes be considered as information asset
Many Thanks Dejan :) -
ISO 27001 Stage 1 and Stage 2 audit
Answer: ISO 27001 Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation. You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001
What is the difference in stage 1 and stage 2?
Answer: The main difference is that Stage 1 is rather theoretical (it is about reading documents), whereas Stage 2 is very practical - this is where the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards, etc. Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process -
Third Party Providers vs. ISMS Policy conflictions
Paula,
The point here is not about ISO 27001 or ISO 27002 (or any other framework), but whether your provider really implemented security controls or not. You stated yourself that "Our third party agreement guideline states that third parties shall compy with certain security requirements.", so in this case I would specify what these security requirements are (e.g. they can connect to your network only via VPN, they have to use passwords of certain complexity, etc.), and ask them to sign an agreement where they will be obliged to comply with those requirements.
By the way, from the quote you provided "Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" it is obvious your provider has no idea what ISO 27001 really is.
ISO 27001 does allow liberty to accommodate different security requirements per individual customer, and the framework is not subject to extensive gov ernance (unless they write documents they don't really need). Perhaps you could send them links to these articles:
5 greatest myths about ISO 27001
5 ways to avoid overhead with ISO 27001 (and keep the costs down) -
Management Review
Sean,
Here are some examples of new methods you may take into account: new methods of risk assessment, new methods of authentication, new methods of secure payments, etc.
You can find emerging good practices on my ISO 27001 & ISO 22301 Blog :), but also on any online magazine focused on security topics - e.g. Help Net Security. -
How many work hours are needed for ISO 27001 implementation
This really depends on the size of the company and whether a company uses a consultant or not - for example, a smaller company of 30 employees that uses our Toolkit would need ca 6 months for the implementation, and during these 6 months the work breakdown would look something like this:
Project manager would need on average 5 hours per week during this 6-month period
Each department head would need ca 3 man/days during this whole 6-month period
CEO or some other member of top management would need ca 2 man/days during this 6-month period
Here you can find the ISO 27001 Duration Implementation Calculator, so you can find out more precisely how long would it take in your company: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/ -
Project teams and BIA Questionnaire
Answer: In my opinion, they should fill in BIA Questionnaire the same way as employees from regular departments - you'll notice that all sections, including sections e.g. 3 (General impact) and 4 (Financial impact) are applicable to project teams as well. Also the location where they perform their work (in your offices, or in your client's offices) doesn't make much difference - you can still estimate the level of impact in the same way. -
Taking confidential documents away from workplace
On which basis the information owner can give or revoke the right of taking out confidential and top secret documents for work purposes (working at home for example)? is there any controls or guidelines ?
Answer: The decision whether to give this right should depend on the following: (1) is there a real need to take away this information? If not, then it should not be allowed, and (2) are there some unacceptable risks related to taking away this information? If yes, it should not be allowed. -
Mail book in the Document Control Procedure
Answer: No, Mail book is not necessary - you just need to keep track of important external documents (e.g. contracts, correspondence with government agencies, etc.) - where they are, and who is responsible for them.
You can do it through Customer Relationship Management software, or Project Management software, or a simple Excel sheet will do. Or you can define in some document that the responsible person for all correspondence with e.g. government bodies is XYZ, and that this person is responsible for archiving all such correspondence. -
Storage of confidential documents
Sean,
ISO 27001 doesn't specify where you should store your confidential documents, but the key issue here is the right of access: typically, documents classified as "Restricted" can be seen only by certain employees - if only those employees have the code to access the secure rooms, then it could be a good solution.
Dejan