  • Questions about vulnerability analysis

    1. Can the analysis of technical vulnerabilities of information assets be done by the organization itself, or should it contract an external provider specialized in security?

    ISO 27001 does not prescribe who should perform the assessment of technical vulnerabilities, so organizations are free to choose the approach that best fits their needs.

    2. The company has bought an appliance for the analysis of technical vulnerabilities of digital assets, and the device will be managed by the systems area staff. Could this generate a non-compliance in the event of a third-party audit?

    Provided that the staff managing the technical vulnerability appliance do not own the digital assets being assessed, there will be no problem regarding compliance with ISO 27001.

    For example, system owners cannot run the technical vulnerability appliance against the systems they manage.

    This is to provide assurance of an independent evaluation.

    3. What are the recommendations for the management of vulnerability analysis and penetration tests of digital assets?

    The main recommendations for vulnerability management take into account:

    • Definition of an asset inventory, so you have the knowledge about what you need to protect
    • Definition of roles and responsibilities, so it is clear what needs to be done by whom
    • Definition of reference sources (e.g., suppliers, manufacturers, expert groups, etc.), so you have trustworthy information about vulnerabilities
    • Handle identified vulnerabilities in a systematic way
    • Make records of performed analysis

    Regarding penetration tests, they should be performed considering at least these phases:

    • Planning: identification of the information systems and targets involved
    • Information gathering: collect all available information possible about the targets
    • Threat modeling: develop strategies to attack the systems
    • Vulnerability analysis: identify all vulnerabilities related to the target
    • Exploitation: effectively apply devised threats against potential vulnerabilities to try to breach the targets
    • Post-exploitation: Check what can be done once the target is breached (e.g., download files, access other systems, etc.)
    • Reporting: Document and present findings and recommendations

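    One way to put the recommendations in this answer (asset inventory, owners, reference sources, systematic handling, records of each analysis) and the independence requirement from question 2 into practice is a small vulnerability register. The following is an added example written for this page; it is not code from the original thread or from any toolkit. The asset names, owners, operator names, dates and finding references are constructed placeholders, and the shape of the scanner output is an assumption, not the format of any real scanner.

```python
"""Minimal vulnerability register (added example, constructed data).

Ties together: an asset inventory with owners, findings keyed by a
reference from a trusted source, a record of every analysis performed,
and the rule that the person running the scan must not own the asset.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    owner: str  # person accountable for the asset (roles and responsibilities)


@dataclass
class Finding:
    asset_id: str
    reference: str  # id from a trusted reference source (placeholder here)
    severity: str
    first_seen: str  # ISO date of the scan that first reported it
    status: str = "open"
    treatment: Optional[str] = None


@dataclass(frozen=True)
class ScanRecord:
    scan_date: str
    operator: str
    scope: Tuple[str, ...]
    findings_reported: int


class VulnRegister:
    def __init__(self, inventory: List[Asset]):
        self.inventory: Dict[str, Asset] = {a.asset_id: a for a in inventory}
        self.findings: Dict[Tuple[str, str], Finding] = {}
        self.records: List[ScanRecord] = []  # one record per analysis performed

    def register_scan(self, scan_date: str, operator: str,
                      scope: Tuple[str, ...], scan_output: List[dict]) -> int:
        """Record one scan; returns the number of findings not seen before."""
        unknown = set(scope) - set(self.inventory)
        if unknown:  # you can only protect what is in the inventory
            raise ValueError(f"scanned assets not in inventory: {sorted(unknown)}")
        # Independence check (question 2): the operator running the scanner
        # must not own any asset being assessed.
        conflicts = sorted(a for a in scope if self.inventory[a].owner == operator)
        if conflicts:
            raise PermissionError(f"{operator} owns assessed asset(s) {conflicts}")
        new = 0
        for row in scan_output:  # assumed shape: asset_id, reference, severity
            if row["asset_id"] not in scope:
                raise ValueError(f"finding for {row['asset_id']} outside scan scope")
            key = (row["asset_id"], row["reference"])
            if key not in self.findings:
                self.findings[key] = Finding(row["asset_id"], row["reference"],
                                             row["severity"], scan_date)
                new += 1
        # A scan with zero findings is still recorded: it is evidence of the
        # analysis, not evidence that the asset is risk free.
        self.records.append(ScanRecord(scan_date, operator, tuple(sorted(scope)),
                                       len(scan_output)))
        return new

    def treat(self, asset_id: str, reference: str, treatment: str) -> None:
        f = self.findings[(asset_id, reference)]
        f.status, f.treatment = "treated", treatment

    def open_by_owner(self) -> Dict[str, List[str]]:
        """Open findings grouped by the owner who has to act on them."""
        out: Dict[str, List[str]] = {}
        for f in self.findings.values():
            if f.status == "open":
                out.setdefault(self.inventory[f.asset_id].owner, []).append(f.reference)
        return {owner: sorted(refs) for owner, refs in out.items()}


# Constructed sample data: placeholders, not real assets or advisories.
INVENTORY = [Asset("SRV-01", "public web server", owner="alice"),
             Asset("SRV-02", "HR database server", owner="bob")]
SCAN_1 = [{"asset_id": "SRV-01", "reference": "REF-0001", "severity": "high"},
          {"asset_id": "SRV-01", "reference": "REF-0002", "severity": "medium"}]


def demo() -> Tuple[VulnRegister, bool]:
    reg = VulnRegister(INVENTORY)
    # carol owns nothing, so she may assess both servers; SRV-02 comes back clean
    reg.register_scan("2023-03-01", "carol", ("SRV-01", "SRV-02"), SCAN_1)
    # alice owns SRV-01, so her scan of it is rejected
    try:
        reg.register_scan("2023-03-02", "alice", ("SRV-01",), [])
        independence_enforced = False
    except PermissionError:
        independence_enforced = True
    # one finding is treated; the rescan reports only the remaining one
    reg.treat("SRV-01", "REF-0001", "patched 2023-03-05, verified by rescan")
    reg.register_scan("2023-03-06", "carol", ("SRV-01",), [SCAN_1[1]])
    return reg, independence_enforced


if __name__ == "__main__":
    register, enforced = demo()
    print("independence enforced:", enforced)
    print("scans recorded:", len(register.records))
    print("open findings by owner:", register.open_by_owner())
```

    The register keeps the scan record even when a scan returns nothing, which matters for the later question on this page about a clean scan: the record shows that an analysis was performed on a given date and scope, while the absence of findings says nothing about vulnerabilities the scanner cannot detect.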

  • Set of ISO 27001 questions

    1. What is the data label? What assets does the data label apply to?
    What are the best practices for data labeling?
    Can you give me examples of data labeling?

    A data label is any means you can use to attribute information to an information asset. In the context of ISO 27001, a data label is generally applied to show the information classification.

    The assets to which the data label applies will depend on how you treat classified information. For example, all information classified as secret may require the assets that contain it to be labeled.

    ISO 27001 does not prescribe practices for data labeling, but some examples you may consider are:

    • adopt physical and logical data labels (e.g., adhesive labels, electronic logos, etc.)
    • place the data label where it is easily seen (e.g., top of the page, top corner of a screen, etc.)
    • place the data label on an asset container (e.g., an electronic folder, a box file, etc.), so people do not need to access the asset to see the label


    2. What is the relationship between the classification of assets and/or identifying the level of importance of the asset, and the risk analysis? Finally, what is the asset classification for me?

    The risk analysis, along with the identification of legal requirements (e.g., laws, regulations, and contracts), is the main source of information for asset classification. The higher the risks related to an asset, the higher the asset classification will be.

    The asset classification will help you to know how to treat information. Normally, the higher the classification, the more controls you will need to implement to protect the information.

    3. Is the level of importance of assets, calculated in the assessment of assets based on the analysis of confidentiality, integrity and availability of the assets, what is used to estimate the impact on the business if a risk materializes?

    Please note that the thinking process is the other way around. The impact of materialized risks on the confidentiality, integrity, and availability of information is what is used to estimate the classification level of an asset.

    4. What are the information security processes that must be documented?

    ISO 27001 does not require information security processes related to information classification to be documented, but in general, organizations document an Information Security Policy as a way to make the rules on how to classify, label, and treat information clear to all personnel who handle information that needs to be protected.

    5. How can you monitor information security risks, and the risk treatment plan?

    Monitoring of risks will depend on their nature, so here are some examples:

    • Monitoring of recorded incidents
    • Monitoring of anomalous behaviors of information systems and networks
    • Monitoring of KPIs (Key Performance Indicators) of processes related to relevant risks

    Regarding the Risk Treatment Plan, since it defines resources and deadlines for each action, you can use this information to track implementation progress.


    6. Which templates can I use to monitor the risks and the risk treatment plan?

    To monitor risks you can use the Risk Assessment Table, located in folder 05 Risk Assessment and Risk Treatment. In this table, you can include new risks or update the status of currently recorded risks.

    To monitor the actions related to the Risk Treatment Plan you can use the Risk Treatment Plan itself. As in the Risk Assessment Table, you can include new actions or update the status of current actions to implement risk treatments.

    7. When will I receive the toolkit update with the new version of ISO 27001:2022?

    All customers who bought their toolkits within 12 months from October 31st, 2022 are entitled to receive an updated toolkit. If this is your case, you will receive your updated toolkit as soon as the Spanish version is released.

  • Documents missing in toolkit

    I understand that, but exception management and vulnerability management are the basic controls for which we need to have a policy created.
    Please help me with this.

  • Completing implementation

    Are you asking if it is acceptable to keep the laboratory QMS based on ISO 17025, Option A, in other words as if there was no ISO 9001 certification, even if at the same time the organization is applying for ISO 9001?
    The answer is that for accreditation purposes there is no problem; you do not have to integrate the laboratory QMS into the ISO 9001 certification. This would be in order, even from an operational perspective, if the approach to management requirements is consistent. Otherwise, it will create confusion and gaps in the systems. For example, it would not make sense if the way you address nonconformances and risks in the laboratory as part of ISO 17025 compliance is different from how it is done for the ISO 9001 QMS. My recommendation would be to keep the laboratory registers separate, but the organisation's activities falling only under ISO 9001 (for example finance) should follow a process adapted from the laboratory processes and templates.

    Lastly, if the laboratory is seeking accreditation to ISO 17025, there is no need to include the laboratory in the ISO 9001 certification scope, as the laboratory is considered to operate in accordance with ISO 9001 principles. Refer to Annex B of the ISO 17025 standard.

  • Question about Annex A and SOA

    First, you should evaluate the risks related to physical security in remote sites (i.e., where your personnel work), and the legal requirements (e.g., laws, regulations, and contracts) your organization must fulfill, to decide whether the stated controls are needed or not.

    For example, if your personnel work remotely from coworking spaces, it may be relevant that they follow some guidance regarding securing offices, rooms, and facilities (control A.7.3). Additionally, you may have a contract with a customer that requires you to protect information in remote sites. In most cases, such guidance is defined in a Remote Working Policy or is included as clauses in employment contracts.

    In case there are no relevant risks or applicable legal requirements, you do not need to implement such controls regarding remote employees.

    Regarding outsourced data centers, the same logic applies when defining service agreements with suppliers.


  • ISO 27001 Vs NIST

    Generally speaking:

    • ISO 27001 provides general requirements for the implementation, operation, control, and improvement of a management system to protect the information, regardless of the environment where it is (e.g., physical reports or digital databases).
    • ISO 27001 provides protection through the selection of security controls described in Annex A, as well as other controls that can be added by the organization.
    • The NIST SP 800 series of documents provides detailed information about processes to select and implement controls for computer security.

    Considering that, you can use ISO 27001 to implement the overall approach to protecting information, and after identifying the controls that can be related to NIST documents, you can use the NIST documents to implement the details of each control. For example, you can use information from the SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.

    Regarding how to know which one is best for your organization, you should first study the information security regulations in the countries you operate in to evaluate whether ISO 27001 or NIST is closer to the requirements you need to fulfill. For example, in most European countries ISO 27001 is more appropriate.


  • Questions about information security risks ISO 27001

    1. How broad, complete and detailed must be an analysis and treatment of information security risks?

    ISO 27001 does not prescribe such levels of detail; you only need to ensure the risk analysis and treatment process is comprehensive enough to provide confidence that relevant risks are treated properly.

    One tip you can use is to involve in the risk analysis and treatment processes people who are familiar with the processes and information included in the ISMS scope, because this increases the chances that no relevant risk will be overlooked.

    In terms of the number of risks, you can consider these good estimates to evaluate your process: for each asset, you could find 3 to 5 threats, and for each threat one or two vulnerabilities. So, for a small company with 60 assets, this would mean you would end up with 180 to 600 risks.


    2. Must the risk analysis and treatment plan also be carried out on:

    People
    Processes
    Physical facilities
    Non-digital assets

    Or is it only done for digital assets such as servers, applications, services?

    All assets that can interact with the information to be protected by the ISMS need to be considered in the risk analysis and treatment processes. For example, people will have to access information, so they need to be considered in the risk analysis and treatment processes.

    The Risk Assessment Table included in your toolkit (in folder 06 Risk assessment and risk treatment) provides a set of assets you can use, divided into the following categories: People; Applications and databases; Documentation (in paper or electronic form); IT, communication and other equipment; Infrastructure; and Outsourced services.

    3. A risk must be correctly described, yet in some examples that I have seen on the internet they write threats as risks, and I have even seen cases where the risk is written as the security attribute that could be affected.

    ISO 27001 does not prescribe how risks must be described, so organizations are free to describe them as best fitting their needs. The documentation in the toolkit uses the approach asset-threat-vulnerability to describe risks. 


    4. In the description of a risk, should the threat and the vulnerability that could be exploited by the threat be explicit?

    In the approach used in the toolkit (asset-threat-vulnerability), you need to describe explicitly the threat and the vulnerability related to the risk. The Risk Assessment Table provides a list of threats and vulnerabilities you can use as a reference.

    Included in the toolkit you bought, you have access to a video tutorial that explains how to perform a risk assessment, with real examples. In the email in which you received the toolkit, you will find the instructions on how to access the video.

    5. What guidelines can I use for the evaluation of existing controls, and what methodology can I use to recalculate the risk after qualifying the existing controls and determining how much the probability of occurrence and/or the impact of the risk is affected?

    ISO 27001 does not prescribe how to evaluate existing controls, so organizations are free to define the criteria that best fit their needs. As evaluation references you can use evidence that the control is working (e.g., reports, logs, on-site observation, etc.) and the actual results achieved (e.g., for information backup, how many copies were generated and tested in a given period of time).

    As for a methodology to recalculate the residual risk, you can use a scale of how much the probability and/or impact of the risk was reduced after the application of the control (e.g., if the control's effect was minimal, reduce 1 point from the current level of probability and/or impact, 2 points if its effect was moderate, and 3 points if its effect is perceived as high).


    A web server was scanned for vulnerabilities with security scanning software and no vulnerabilities were found, does that mean it is risk free? Because for there to be risks there must be vulnerabilities.

    However, given that the security analyses did not find vulnerabilities, do you think that risks should still be written, or how are these cases, where there are apparently no vulnerabilities, managed?

    Based only on vulnerability scans you cannot state that there are no vulnerabilities in a web server, because they cover only some types of technical vulnerabilities, and there may be other types of vulnerabilities, like inappropriate access control, improper physical location, etc., that cannot be identified with scanning software.

  • Filling document

    Please, we need to know how we should fill out the document "A.14.1 Specification of Information System Requirements". Should this appendix or file be filled out for each information system that the client "Plus Consultants" has?

    Please note that this template needs to be filled out for each information system you intend to acquire or change. In case there is no intention to change or acquire a system, there is no need to fill in this template for such a system.

  • ISO documents management (Delegation)

    First: during the ISO 22301 implementation, the CISO was assigned to be the BCM Manager, with R&R under this title, and he was the document owner too. The project finished and after a while the CISO resigned, and we need to delegate someone on his behalf. Q: What changes need to be made to these documents? Change the document owner and add a new title under roles and responsibilities, or will the delegation letter from top management cover this, with no need to change the documents?

    In case this new person comes to have the same job title as defined in the documents, then the delegation letter from top management alone will be enough.

    In case this new person comes to have a different job title from the one defined in the documents, then the documents will need to be updated to reflect the new job title of the responsible person.

    Second: during the ISO 27001 implementation there was no information security manager. The ISM is defined in the company structure with R&R under this title, and due to the small size of the company they are going to hire one next year; he will officially be the A&R person for all documents and the project. Q: What changes need to be made to these documents? Change the ISMS Manager and add a new title under roles and responsibilities, or will the delegation letter from top management cover this until the ISM is hired, with no need to change the documents?

    Thank you very much, and I'm looking forward to hearing back from you soon.

    Considering an ISM will be hired next year, then the best approach will be to temporarily delegate to someone in the company the role of the ISM. For example, in a small company, the CTO or the person responsible for the ISMS implementation can be designated temporarily as the ISM.

  • Mandatory documents or not

    1 - According to my understanding of your answer, these are not required to be documented as it does not specifically say so (see red text above). If a policy and an implementation are required, as advised in A.10.1.1, shall I really understand that it is not required to be documented?

    Your understanding is correct. Unless the standard explicitly states that something needs to be documented, you do not need to develop a document.

    2 - The documentation that I have purchased does not have templates for all requirements, for instance A.12.4-7. How come? Am I to understand that A.12.1-3 are supposed to be documented (at least "if applicable") but A.12.4-7 are not?

    Versus controls that have the word "documented" in them, as for instance A.12.1.1 Documented operating procedures – Control – Operating procedures shall be documented and made available to all users who need them.

    I am afraid that I am missing something here.

    Please note that in section A.12, only control A.12.1.1 explicitly states that documentation needs to be developed. None of the other controls require policies or procedures to be documented.

    The toolkit is developed to cover all mandatory documents (e.g., Information Security Policy, ISMS scope, etc.) and the documents most frequently adopted by organizations, so as not to overwhelm them with the administrative effort of maintaining documents.

    In case you identify a need to document a control for which there is no template available, you can use the blank template included in your toolkit to develop the document, and you can contact us to resolve questions about its development or schedule a meeting so one of our experts can provide guidance on how to develop the documents.
