Search results

Home / Search

Category:
Select
Select

11268 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Operating Procedures for information and communication technology

    Sean,

    The procedure for auditing of suppliers and outsourcing partners is outlined in section 3.2 of "Operating procedures for information and communication technology" - basically, this auditing should be performed only if those suppliers or outsourcing partners create great risks for your company. E.g. if you are a bank, and a software company develops your core transaction application, then certainly you want to make sure they safeguard the security of your information.

    To be able to perform the audits, you have to include such a clause in the contract with the supplier/partner - you have an example of such clause in a document called "Security clauses for suppliers and partners". So, once you are authorized to perform an audit, you can do it either on-site (by visiting them) or off-site (they send you the documentation and other evidence by email).

    You can perform the audit yourself, or you can hire a professional auditor to perform the job - in any case, the goal of such audit is to determine whether the supplier/partner complies to all the security requirements you have stated in your contract.

    The audit is normally performed once a year, or once in three years. 

    Dejan

  • Information labeling; destruction of records

    You're welcome :)

  • ISO 27001 or COBIT


    - COBIT and ISO 27001 have many similarities, however ISO 27001 focuses on information security, while COBIT is more focused on IT governance; further, a company can get certified against ISO 27001, but it cannot certify against COBIT. So, you have to ask yourself - do you want to focus more on IT governance or information security? Is certification important for you or not?

  • ISO 27001 and PCI-DSS


    - I'm not an expert in PCI-DSS, but from what I know e-commerce merchants of certain size and payment card processors must implement PCI-DSS because this is what Visa and MasterCard require - therefore, it is mandatory in such cases. If you already implemented ISO 27001, and now you are starting to implement PCI-DSS, this doesn't mean you would have to do the same things twice - if the requirements of these two standards are the same, then you just use the controls you implemented for ISO 27001 for PCI-DSS as well.

  • Where to get ISO 22301


    - You can purchase the ISO 22301 standard here: https://www.iso.org/standard/50038.html - it costs ca 130 USD. You may be able to purchase it for a better price at your local standardization body.

  • Construction of Risk Analysis

    I do is following the lifting of the risk scenarios failures, there begin
    to identify risks for each scenario and also support me as generic risks by
    Cobit and ISO 2700X

    - I'm not sure if I understood the question well, but ISO 27001 requires to identify 5 elements during the risk assessment: all the assets, for each asset you need to identify threats and vulnerabilities, and then consequence and likelihood for each risk. You can find a detailed explanation in my webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • Preparation for ISO 27001 Lead Auditor Course


    - The best preparation for Lead Auditor Course is to read the standard itself a couple of times, and try to remember the structure of the standard. You can also take a look at my webinar ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/

    i also wanted to know the min exp req to attend the LA course for ISO 27001 and the scope for the same.

    - There are no formal requirements, but it is recommended that you have some experience in either IT or other management systems like ISO 9001.

    Will it req any prior auditing exp?

    - No, prior auditing experience is not required.

  • Where can I get new ISO 27001?

    Alec,

    You can purchase it from the BSI website: https://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/

    Dejan

  • Appointing an external person to do the pre-assessment


    - No, it is not necessary to hire someone to do a pre-assessment before the certification. Our Toolkit contains all the required documents, and there is no requirement by the standard to perform pre-assessment.

  • Policy vs. standard

    - There is no absolute difference since there is no absolute definition of these two. Generally, the policy defines certain intention and gives direction, whereas a standard specifies a standardized way of doing something.

    Would an organization have a standard and policy co-existing?
    - Yes, although a standard is not very often - more often you would see a policy and procedures co-existing.

    For example, would there be an Asset Management standard and an Asset Management policy coexisting? Or as another example, an Access Control Standard and a Password Policy?
    - Yes, this is possible, although more often you would have Asset Management Policy and then Asset Management Procedure.

    Another dilemma question I have is – is it a good idea for an organization to have fairly complex ICT Security Policy (with sub-policies within in, for example, this single document would have acceptable us e, intranet, shared drive, email usage etc covered in it).
    - I don't think this is a good idea because it will be very difficult to maintain such a document, and even more difficult for users to read and understand this policy. Much better solution is to have separate policies which describe certain areas - read this article for more explanation: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    Because some subparts of this policy may not be relevant to the end user and hence we should take into consideration the question – do we publish this to an incumbent user to read it and sign it, when we some sub-parts do not apply to the user.
    - When you have separate policies, you send only relevant policies to users, not all policies; further, it is not mandatory for them to sign them - it is enough you have some kind of a proof they have received them (e.g. through Document Management System)

    That brings another question up, is it good practice to have two versions of a policy – one for general user use (used @ induction and to which the user signs to abide by during the employment period) and another one for high-level use?
    - No, redundancy in documentation brings only problems - again, you should create separate documents for certain areas.
Page 1119-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +