Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Storage of confidential documents
Sean,
ISO 27001 doesn't specify where you should store your confidential documents, but the key issue here is the right of access: typically, documents classified as "Restricted" can be seen only by certain employees - if only those employees have the code to access the secure rooms, then it could be a good solution.
Dejan -
Operating Procedures for information and communication technology
Sean,
The procedure for auditing of suppliers and outsourcing partners is outlined in section 3.2 of "Operating procedures for information and communication technology" - basically, this auditing should be performed only if those suppliers or outsourcing partners create great risks for your company. E.g. if you are a bank, and a software company develops your core transaction application, then certainly you want to make sure they safeguard the security of your information.
To be able to perform the audits, you have to include such a clause in the contract with the supplier/partner - you have an example of such clause in a document called "Security clauses for suppliers and partners". So, once you are authorized to perform an audit, you can do it either on-site (by visiting them) or off-site (they send you the documentation and other evidence by email).
You can perform the audit yourself, or you can hire a professional auditor to perform the job - in any case, the goal of such audit is to determine whether the supplier/partner complies to all the security requirements you have stated in your contract.
The audit is normally performed once a year, or once in three years.
Dejan -
Information labeling; destruction of records
You're welcome :) -
ISO 27001 or COBIT
- COBIT and ISO 27001 have many similarities, however ISO 27001 focuses on information security, while COBIT is more focused on IT governance; further, a company can get certified against ISO 27001, but it cannot certify against COBIT. So, you have to ask yourself - do you want to focus more on IT governance or information security? Is certification important for you or not? -
ISO 27001 and PCI-DSS
- I'm not an expert in PCI-DSS, but from what I know e-commerce merchants of certain size and payment card processors must implement PCI-DSS because this is what Visa and MasterCard require - therefore, it is mandatory in such cases. If you already implemented ISO 27001, and now you are starting to implement PCI-DSS, this doesn't mean you would have to do the same things twice - if the requirements of these two standards are the same, then you just use the controls you implemented for ISO 27001 for PCI-DSS as well. -
Where to get ISO 22301
- You can purchase the ISO 22301 standard here: https://www.iso.org/standard/50038.html - it costs ca 130 USD. You may be able to purchase it for a better price at your local standardization body. -
Construction of Risk Analysis
I do is following the lifting of the risk scenarios failures, there begin
to identify risks for each scenario and also support me as generic risks by
Cobit and ISO 2700X
- I'm not sure if I understood the question well, but ISO 27001 requires to identify 5 elements during the risk assessment: all the assets, for each asset you need to identify threats and vulnerabilities, and then consequence and likelihood for each risk. You can find a detailed explanation in my webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Preparation for ISO 27001 Lead Auditor Course
- The best preparation for Lead Auditor Course is to read the standard itself a couple of times, and try to remember the structure of the standard. You can also take a look at my webinar ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/
i also wanted to know the min exp req to attend the LA course for ISO 27001 and the scope for the same.
- There are no formal requirements, but it is recommended that you have some experience in either IT or other management systems like ISO 9001.
Will it req any prior auditing exp?
- No, prior auditing experience is not required. -
Where can I get new ISO 27001?
Alec,
You can purchase it from the BSI website: https://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
Dejan -
Appointing an external person to do the pre-assessment
- No, it is not necessary to hire someone to do a pre-assessment before the certification. Our Toolkit contains all the required documents, and there is no requirement by the standard to perform pre-assessment.