Third Party Providers vs. ISMS Policy conflicts
Paula,
The point here is not about ISO 27001 or ISO 27002 (or any other framework), but whether your provider really implemented security controls or not. You stated yourself that "Our third party agreement guideline states that third parties shall comply with certain security requirements.", so in this case I would specify what these security requirements are (e.g. they can connect to your network only via VPN, they have to use passwords of certain complexity, etc.), and ask them to sign an agreement where they will be obliged to comply with those requirements.
By the way, from the quote you provided "Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" it is obvious your provider has no idea what ISO 27001 really is.
ISO 27001 does allow liberty to accommodate different security requirements per individual customer, and the framework is not subject to extensive governance (unless they write documents they don't really need). Perhaps you could send them links to these articles:
5 greatest myths about ISO 27001
5 ways to avoid overhead with ISO 27001 (and keep the costs down)
Management Review
Sean,
Here are some examples of new methods you may take into account: new methods of risk assessment, new methods of authentication, new methods of secure payments, etc.
You can find emerging good practices on my ISO 27001 & ISO 22301 Blog :), but also on any online magazine focused on security topics - e.g. Help Net Security.
How many work hours are needed for ISO 27001 implementation
This really depends on the size of the company and whether a company uses a consultant or not - for example, a smaller company of 30 employees that uses our Toolkit would need ca. 6 months for the implementation, and during these 6 months the work breakdown would look something like this:
Project manager would need on average 5 hours per week during this 6-month period
Each department head would need ca. 3 man-days during this whole 6-month period
CEO or some other member of top management would need ca. 2 man-days during this 6-month period
Answer: In my opinion, they should fill in the BIA Questionnaire the same way as employees from regular departments - you'll notice that all sections, including e.g. section 3 (General impact) and section 4 (Financial impact), are applicable to project teams as well. Also, the location where they perform their work (in your offices, or in your client's offices) doesn't make much difference - you can still estimate the level of impact in the same way.
Taking confidential documents away from workplace
On which basis can the information owner give or revoke the right to take out confidential and top secret documents for work purposes (working at home, for example)? Are there any controls or guidelines?
Answer: The decision whether to give this right should depend on the following: (1) is there a real need to take away this information? If not, then it should not be allowed, and (2) are there some unacceptable risks related to taking away this information? If yes, it should not be allowed.
Mail book in the Document Control Procedure
Answer: No, a mail book is not necessary - you just need to keep track of important external documents (e.g. contracts, correspondence with government agencies, etc.) - where they are, and who is responsible for them.
You can do it through Customer Relationship Management software, or Project Management software, or a simple Excel sheet will do. Or you can define in some document that the responsible person for all correspondence with e.g. government bodies is XYZ, and that this person is responsible for archiving all such correspondence.
Storage of confidential documents
Sean,
ISO 27001 doesn't specify where you should store your confidential documents, but the key issue here is the right of access: typically, documents classified as "Restricted" can be seen only by certain employees - if only those employees have the code to access the secure rooms, then it could be a good solution.
Dejan
Operating Procedures for information and communication technology
Sean,
The procedure for auditing of suppliers and outsourcing partners is outlined in section 3.2 of "Operating procedures for information and communication technology" - basically, this auditing should be performed only if those suppliers or outsourcing partners create great risks for your company. E.g. if you are a bank, and a software company develops your core transaction application, then certainly you want to make sure they safeguard the security of your information.
To be able to perform the audits, you have to include such a clause in the contract with the supplier/partner - you have an example of such a clause in a document called "Security clauses for suppliers and partners". So, once you are authorized to perform an audit, you can do it either on-site (by visiting them) or off-site (they send you the documentation and other evidence by email).
You can perform the audit yourself, or you can hire a professional auditor to perform the job - in any case, the goal of such an audit is to determine whether the supplier/partner complies with all the security requirements you have stated in your contract.
The audit is normally performed once a year, or once in three years.
Dejan
Information labeling; destruction of records
You're welcome :)
ISO 27001 or COBIT
- COBIT and ISO 27001 have many similarities, however ISO 27001 focuses on information security, while COBIT is more focused on IT governance; further, a company can get certified against ISO 27001, but it cannot certify against COBIT. So, you have to ask yourself - do you want to focus more on IT governance or information security? Is certification important for you or not?