
  • Question about Annex A and SOA

    First, you should evaluate the risks related to physical security in remote sites (i.e., where your personnel work), and legal requirements (e.g., laws, regulations, and contracts) your organization must fulfill, to evaluate if stated controls are needed or not.

    For example, if your personnel work remotely from coworking spaces, it may be relevant they follow some guidance regarding securing offices, rooms, and facilities (control A.7.3). Additionally, you may have a contract with a customer that requires you to protect the information in remote sites. In most cases, such guidance is defined in Remote Working Policies or is included as clauses in employment contracts.


    In case there are no relevant risks or applicable legal requirements, you do not need to implement such controls regarding remote employees.

    Regarding outsourced data centers, the same logic applies when defining service agreements with suppliers.

    For further information, see:

  • ISO 27001 Vs NIST

    Generally speaking:

    • ISO 27001 provides general requirements for the implementation, operation, control, and improvement of a management system to protect the information, regardless of the environment where it is (e.g., physical reports or digital databases).
    • ISO 27001 provides protection through the selection of security controls described in Annex A, as well as other controls that can be added by the organization.
    • The NIST SP 800 series of documents provides detailed information about processes to select and implement controls for computer security.

    Considering that, you can use ISO 27001 to implement the overall approach to protect the information, and after the identification of controls that can be related to NIST documents, you can use the NIST documents to implement the details for each control. For example, you can use information from SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.

    Regarding how to know which one is best for your organization, you should first study information security regulations in the countries you operate in to evaluate whether 27001 or NIST is closer to the requirements you need to fulfill. For example, in most European countries 27001 is more appropriate.

    These articles will provide you with further explanation about ISO 27001 and NIST:

  • Questions about information security risks ISO 27001

    1. How broad, complete, and detailed must an analysis and treatment of information security risks be?

    ISO 27001 does not prescribe such levels of detail; you only need to ensure the risk analysis and treatment process is comprehensive enough to provide confidence that relevant risks are treated properly.

    One tip you can use is to involve in the risk analysis and treatment processes persons who are familiar with the processes and information included in the ISMS scope, because this increases the chances that no relevant risks will be overlooked.

    In terms of the number of risks, you can consider these good estimates to evaluate your process: for each asset, you could find 3 to 5 threats, and for each threat one or two vulnerabilities. So, for a small company with 60 assets, this would mean you would end up with 180 to 600 risks.

    For further information, see:

    2. Must the risk analysis and treatment plan also be carried out for:

    • People
    • Processes
    • Physical facilities
    • Non-digital assets

    Or is it only done for digital assets such as servers, applications, and services?

    All assets that can interact with the information to be protected by the ISMS need to be considered in the risk analysis and treatment processes. For example, people will have to access information, so they need to be considered in the risk analysis and treatment processes.

    The Risk Assessment Table included in your toolkit (in folder 06 Risk assessment and risk treatment) provides a set of assets you can use, divided into the following categories: People; Applications and databases; Documentation (in paper or electronic form); IT, communication and other equipment; Infrastructure; and Outsourced services.

    3. A risk must be correctly described, but in some examples that I have seen on the internet they write threats as risks; I have even seen cases where the risk is written as the security attribute that could be affected.

    ISO 27001 does not prescribe how risks must be described, so organizations are free to describe them as best fits their needs. The documentation in the toolkit uses the asset-threat-vulnerability approach to describe risks.

    For further information, see:

    4. In the description of a risk, should the threat and the vulnerability that could be exploited by the threat be explicit?

    In the approach used in the toolkit (asset-threat-vulnerability), you need to describe explicitly the threat and the vulnerability related to the risk. The Risk Assessment Table provides a list of threats and vulnerabilities you can use as a reference.

    Included in the toolkit you bought you have access to a video tutorial that explains how to perform risk assessment, with real examples. In the email you received the toolkit in, you will find the instructions on how to access the video.

    5. What guidelines can I use for the evaluation of existing controls and what methodology can I use to recalculate the risk after qualifying the existing controls and determining how much the probability of occurrence and/or the impact of the risk is affected?

    ISO 27001 does not prescribe how to evaluate existing controls, so organizations are free to define criteria that best fit their needs. You can use as evaluation reference evidence that the control is working (e.g., reports, logs, in loco observation, etc.) and the effective results achieved (e.g., for information backup, how many copies were generated and tested in a given period of time).

    As for a methodology to recalculate the residual risk, you can use a scale based on how much the probability and/or impact of the risk were reduced after the application of the control (e.g., if the control's impact was minimal, reduce 1 point from the current level of probability and/or impact; 2 points in case the control's impact was moderate; and 3 points in case the control's impact is perceived as high).

    For further information, see:

    A web server was scanned for vulnerabilities with security scanning software and no vulnerabilities were found. Does that mean it is risk-free? Because for there to be risks there must be vulnerabilities.

    However, despite the fact that the security analyses did not find vulnerabilities, would you think that risks should still be written, or how are these cases where there are apparently no vulnerabilities managed?

    Based only on vulnerability scans you cannot state that there aren't vulnerabilities in a web server, because such scans only cover some types of technical vulnerabilities, and there may be other types of vulnerabilities, like inappropriate access control, improper physical location, etc., that cannot be identified with scanning software.

  • Filling document

    Please, we need to know how we should fill out the document "A.14.1 Specification of Information System Requirements". Should this appendix or file be filled out for each information system that the client "Plus Consultants" has?

    Please note that this template needs to be filled out for each information system you intend to acquire or change. In case there is no intention to change or acquire a system, there is no need to fill in this template for such a system.

  • ISO documents management (Delegation)

    First: during the ISO 22301 implementation, the CISO was assigned to be the BCM Manager, with R&R under this title, and he was the document owner too. The project finished, and after a while the CISO resigned, and we need to delegate someone on his behalf. Q: What changes need to be made to these documents? Change the document owner and add a new title under roles and responsibilities, or will the delegation letter from the top management cover this, with no need to change the documents?

    In case this new person will come to have the same job title defined in the documents, then only the delegation letter from the top management will be enough.

    In case this new person will come to have a different job title as defined in the documents, then the documents will need to be updated to reflect the new job title of the responsible person.

    Second: during the ISO 27001 implementation there was no information security manager. The ISM is defined in the company structure with R&R under this title, and they are going to hire one next year due to the small size of the company; he will officially be the A&R person for all documents and the project. Q: What changes need to be made to these documents? Change the ISMS Manager and add a new title under roles and responsibilities, or will the delegation letter from the top management, until the ISM is hired, cover this, with no need to change the documents?

    Thank you very much, and I'm looking forward to hearing back from you soon.

    Considering an ISM will be hired next year, then the best approach will be to temporarily delegate to someone in the company the role of the ISM. For example, in a small company, the CTO or the person responsible for the ISMS implementation can be designated temporarily as the ISM.

  • Mandatory documents or not

    1 - According to my understanding of your answer, these are not required to be documented as it does not specifically say so (see red text above). If a policy and an implementation are required, as advised in A.10.1.1, shall I really understand it not to be required to be documented?

    Your understanding is correct. Unless the standard explicitly states that something needs to be documented, you do not need to develop a document.

    2 - The documentation that I have purchased does not have templates for all requirements, for instance A.12.4-7. How come? Am I to understand it as A.12.1-3 are supposed to be documented (at least "if applicable") but A.12.4-7 are not?

    Versus controls that has the word “documented” in them, as for instance A.12.1.1 Documented operation procedures – Control – Operating procedures shall be documented and made available to all users who need them.

    shall be documented.

    I am afraid that I am missing something here.

    Please note that from section A.12, only control A.12.1.1 explicitly states that documentation needs to be developed. All other controls do not require policies or procedures to be documented.

    The toolkit is developed to cover all mandatory documents (e.g., Information Security Policy, ISMS scope, etc.) and the most frequently adopted documents, so as not to overwhelm organizations with the administrative effort of maintaining documents.

    In case you identify any need to document a control for which there is no template available, you can use the blank template included in your toolkit to develop the document, and you can contact us to resolve questions about the development or schedule a meeting so one of our experts can provide orientation on how to develop the documents.

  • Risk and corrective action

    A risk-based approach is stated in clauses 7.10 Nonconforming work b) and 8.7.1 Corrective action b). In 8.7.1 e) and 8.7.2 the requirement is clearly specified that a laboratory must refer to the risks and opportunities in the register and take the degree of action according to the risk, i.e., a high risk requires appropriate resources and action to reduce the risk to a level the laboratory identifies as appropriate. The low risks could be justified as not needing action.

    Practically, the laboratory must state its approach, e.g., assign resources to reduce all high risks to an acceptable level, consider reducing medium risks if solutions and resources are readily available, and accept any low risks without further action.

    Start off by considering that you are never looking for a singular root cause to take one action to address a nonconforming event. You are seeking the best possible practical, executable solutions to implement, and then monitoring and reassessing the remaining risk. Certain actions can be complicated, time-consuming and expensive to implement, while a combination of other actions may be less costly and quicker, while reducing the risk of a recurring event to a suitable, but not "zero", level.

    For more information have a look at the article Corrective actions principles and root cause analysis in ISO 17025 at https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025/

    And the available toolkit https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • How to meet the MTBF objective?

    I assume that MTBF means the mean time between failures.

    I'm not an expert in maintenance, however, I will answer considering the MTBF as an indicator that we want to improve by increasing the mean time between failures. Thus, I would apply the classic quality tools. I would start with a Pareto chart with the reasons for failure. Then, for the most frequent reasons, I would perform a cause analysis using, for example, the cause-effect diagram to determine the root causes. Then I would develop actions to eliminate those root causes.

    I recommend consulting the following materials:
