1. Can I seek your advice on how much the RTO is usually set to for a company offering SaaS-based solutions? Does ISO 22301 define any times? I understand that it depends on various org-specific factors, but I want to get an idea of industry best practices.
ISO 22301 does not prescribe RTO values. Instead, it provides a framework for organizations to understand their business continuity needs and define the proper RTO values according to the criticality of their services and risk tolerance. Normally RTOs are measured in terms of hours, minutes, or seconds, with lower numbers representing less downtime but greater costs in investments.
You should avoid taking values from other organizations as a reference, because RTOs need to be based on the specificities of your own business.
For further information, see:
2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:
Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?
Please note that security controls to be implemented need to be based on the results of risk assessment and applicable legal requirements.
In case you do not have any relevant risk, or laws, regulations, or contracts demanding an anti-malware / anti-virus solution, you do not need to implement it. However, in most cases, we see companies implementing anti-malware on all laptops.
For further information, see:
3. What are the minimum device management controls that the org should have control over?
I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advice on what controls are considered the bare minimum, as per industry best practices, to help us pass the certification.
The same answer from the previous question applies here. You need to perform a risk assessment and evaluate applicable legal requirements to identify relevant controls to be implemented for device management.
Please note that simply applying best practices will not help you with the certification process, because the certification auditor will look at whether you have implemented controls based on a properly performed risk assessment and evaluation of legal requirements. Further, there are no "industry best practices" that would be universally accepted.
This material may help you:
Regarding the Human Resources department, one can think about:
Based on this article, List of mandatory documents required by ISO 9001:2015 (https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/), the mandatory documentation requirements are:
Regarding the Controlling department one can think about:
Based on the same article, the mandatory documentation requirements are:
I’m assuming this text is from the Secure development policy.
Considering that, please note that the comments included in this section provide some examples of practices and principles for secure coding.
Regarding a second layer of the document (i.e., specific procedures), please note that since each organization has its own specific set of procedures and principles for code development and maintenance (based on the programming language used, development framework, etc.), it is unfeasible to provide a set of templates that covers all existing possibilities.
What you can do is refer to your already written procedures and principles in this Policy. In case you still need to develop such documents, you can use the blank template that is included in your toolkit to develop them.
In case you need additional support, you can schedule an online meeting where one of our experts will help you develop these documents. To schedule a meeting, please click here: https://advisera.com/consultations/
In the context of ISO 27001, the “Information Security Plan” is the Risk Treatment Plan, where you define all actions necessary to treat the relevant risks.
Before developing the Risk Treatment Plan, you need to perform several steps. For detailed information, see:
To develop the Risk Treatment Plan itself you should consider these steps:
This article will provide you with further explanation about implementing the Risk Treatment Plan:
These materials will also help you:
To become an organization that can certify other organizations against an ISO standard, like ISO 27001, the organization needs to undergo an accreditation process performed by an accreditation body against ISO/IEC 17065. In general, each country has one accreditation body (e.g., UKAS for the UK, or ANAB for the USA).
Considering that, you need to contact the accreditation body of the country in which you want to become a certification body and ask for the details of its accreditation process.
You can have an overview of the ISO/IEC 17065 standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17065:ed-1:v1:en
1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”. If I understand it correctly, they both relate to ISO 27001:2022. Correct?
Your understanding is correct. Both the article and the file are related to the current ISO 27001:2022.
2 - Can you explain to me why, i.e., the information classification policy, confidentiality statement, and training and awareness are mentioned as mandatory in the PDF file but are NOT listed as mandatory on the webpage?
First, it is important to note that the article focuses on controls that require documentation, and the List of documents focuses on which documents cover which controls.
Considering that, no control requires an Information Classification Policy to be documented (that’s why it is not mentioned in the article), but since the Information Classification Policy in the toolkit covers control A.5.10 (Acceptable use of information and other associated assets), and this control requires documentation, the Information Classification Policy needs to be documented in case control A.5.10 is applicable.
Regarding the Confidentiality Statement, it is one example of a document related to the “Definition of security roles and responsibilities”, which in the article is implemented by means of “Agreements, NDAs, and specifying responsibilities in each security policy and procedure”.
As for the Training and Awareness Plan, it is one example of a record related to “Training, skills, experience, and qualifications”.
Organisations can audit their employees while they work from home, but the auditing should take into consideration a balance between employees’ right to privacy and the organisations’ legitimate needs to protect their digital assets from unauthorized exposure. On one hand, companies should evaluate the risks that come with a work-from-home or hybrid work environment: data theft, data losses, unauthorized data exposure, lack of efficient control mechanisms, and access from unsecured hardware. On the other hand, companies should evaluate whether the level of employee monitoring at home – logon/logoff times, navigation history, activity time, etc. – is justified in order to address the abovementioned risks. Companies must demonstrate adherence to the principle of data minimization, from Article 5 GDPR - Principles relating to the processing of personal data - which requires data controllers to make sure that the minimum amount of personal data is processed in order to achieve a processing purpose.
We highly recommend performing a Data Protection Impact Assessment (DPIA) before implementing technologies and policies/procedures to monitor employees that work from home.
Please find more details at these links:
According to Article 38 GDPR - Position of the data protection officer, para 6, “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”. In smaller companies, the CISO just performs security audits without taking critical decisions, so the CISO position would not be in a conflict of interest with the DPO position. This is what the Belgian DPA states: a case-by-case analysis should be done on whether the DPO position would actually be in conflict with the CISO position. In bigger companies, the CISO's position might be in a conflict of interest if he/she is responsible for setting up and monitoring security controls in the organization, including security controls that might intrude on the privacy of employees. Such situations should be avoided.
Please also consult these links:
Please note that the prefix “A” before the control ID is used to relate a control to ISO/IEC 27001 Annex A. Any control identified without the prefix “A” refers to ISO/IEC 27002:2022.
ISO/IEC 27001:2022 defines requirements for the implementation of an Information Security Management System (ISMS).
ISO/IEC 27002:2022 provides guidelines for the implementation of controls from ISO/IEC 27001 Annex A. ISO/IEC 27002 is not mandatory for the implementation of ISO/IEC 27001.
For further information, see:
This material can also help you: