Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Did ISO 27002 have any update between v2013 and v2022?

    Between 2013 and 2022 no updates were published, only some minor corrections.

    For details about these corrections, please, see:

    • Corrigendum 2014 https://www.iso.org/standard/66806.html
    • Corrigendum 2015 https://www.iso.org/standard/69379.html

    • Queries on Risk register

      1 - Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole or do we need to add different assets that are applicable to the organization? 

      Please note that additional assets would be required only if you need more detailed information to manage risks related to specific assets. 

      For smaller companies we suggest not adding additional assets, to keep things simple. 

      If you need more detailed information, please see the examples below. 

      If your Google Infrastructure is used by two different business units, Sales and R&D, then maybe you should add specific assets like “Google Infrastructure – Sales Servers” and “Google Infrastructure – R&D Servers” so you can handle related risks in different ways.

      Laptops are another example. If laptops from Sales and R&D have different risks, then you should consider creating assets like “Sales laptops” and R&D laptops”, so you can handle specific risks for each asset.

      For further information, see:

      2 - Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms with a single category as Infrastructure. Could you please explain to me how we should define? 

      Could you kindly let me know if we need to define different categorized products with Assets and then specify with the vulnerabilities associated to that specific asset in the Risk register for internally developed software?

      Please note that the use of one or more categories will depend on the assessed risks. In case the assets are related to the same risks, then they can be combined in a single category. In case there are assets with specific risks, then you should consider grouping them in different categories, so you can treat the different risks as the best fit.

    • Documents monitoring KPIs regarding applicable controls

      In Conformio, performance indicators can be found in the “Reporting Dashboard” link, accessible through the left-side panel on the main screen. The bottom section of the dashboard is “ISO 27001 Performance Dashboard”, and through the button “View more stats”, you can find details about the Fulfillment of objectives. A report with the objectives is exported automatically when you fulfill the tasks “Enter the measurement related to the objective… ”. The pdf file that will be available in the “Documents” >> “ISO 27001” >> “Lists Reports Statements and Plans” link, accessible through the left-side panel on the main screen.

      In our ISO 27001 toolkits, performance indicators can be recorded in the Measurement report, which can be found in folder 12 Management review.

    • Ransomware recovery plan

      You can develop a business continuity plan for a ransomware event by using the Business Continuity Plan template, and related appendices. These templates are included in folder 10 ISO 22301 Core Business Continuity Documents.

      The ransomware recovery plan is basically the same as a recovery plan for some other scenarios and you should use the Disaster Recovery Plan for that purpose.

      Common practices to be considered for a business continuity plan for ransomware are:

      • format and reinstall of affected servers
      • recovering data from backups

      Additionally, some preventive actions should be considered:

      • Training and awareness sessions about ransomware, to be included in the Training and awareness plan, located in folder 10 Training and awareness
      • Event monitoring, to be included in the Secure procedures for IT department, located in folder 9 Annex A Security controls
      • Patch management, to be included in the Secure procedures for IT department, located in folder 9 Annex A Security controls

      For further information, see:

      • How can ISO 27001 help protect your company against ransomware? https://advisera.com/27001academy/blog/2016/11/14/how-can-iso-27001-help-protect-your-company-against-ransomware/
      • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

      • Request for Guidance

        Please note that only organizations denominated “certification bodies” can issue ISO certifications for other organizations. Persons cannot be certified as “certification auditors”, they only can work for certification bodies as certification auditors.

        Considering that, to work as a certification auditor, you should contact a certification body that would have an available position and is and be willing to hire you.

        Here is a list of certification bodies in South Africa:

        Please also note that as part of the process to become a lead auditor for a specific standard, you need to be approved in a lead auditor course for that standard.

        This article will provide you with further explanation about becoming a certification auditor:

        This article is about becoming an ISO 27001 certification auditor, but the same concept applies to other management systems.

      • Losing certification

        Please note that together with the certification information provided by the certification body, it is also provided information about how to maintain it and which situations can cause the loss of the certification, so you need to consult your certification body for detailed information.

        In general terms, these situations can lead to certification loss:
        - failing to pay the audit fees.
        - failing to close major nonconformities within the set time.
        - continuous failure to maintain the management system (e.g., recurrent nonconformities).
        - voluntary request to suspend certification.

        Unfortunately, at this time we do not have any available questionnaires about this topic.

      • Impact correlation between multiple risks

        Since you are considering the situation where both risks materialize at the same time, the best way to record it is as a single risk, considering as the asset the one directly handling the information. Considering your example:

      • New risk

          • o Asset: Printer

          o Vulnerability: Lack of access controls to facilities, rooms, or offices

          o Threat: Unauthorized entry into facilities, rooms, or offices

        Please note that this new risk considers the asset of the printer (which has the information) and the situation related to unauthorized access is used as a threat. Changing risk value according to different scenarios, instead of recording a new risk, will only make your assessment unnecessarily more complex.

        This article will provide you with further explanation about risk assessment:

      • Support re. internal audit section of ISO 27001 2022

        1 - Who exactly needs to be audited

        You need to audit the persons who perform activities included in the ISMS scope (e.g., users, technical staff, and managers). The exact persons and how many of them you need to audit will depend on the size and complexity of the process.

        2 - Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?

        The main rules of internal audit are that no one can audit his own work and that the internal auditor needs to have competence related to the ISO 27001 standard and audit techniques.

        Considering that, the project manager cannot perform an internal audit, and you should look for a person with proper competencies and who is not involved in the audited process, to perform the audit.

        For further information, see:

        This course will provide required knowledge for the audit job.

        3 - Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?

        Your understanding is correct. The checklist provided with the toolkit covers all clauses of the main sections (4 to 10), and all controls from Annex A, but please note that you can add more questions in case you identify such a need.

        4 - If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?

        No. Please note that section 1 covers ISO 27001, and section 2 covers ISO 22301, which is related to business continuity. If you are auditing only ISO 27001, then you need to use only the questions from section 1.

        5 - I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

        Apologies for all the questions, but I'm not an expert in this so wanting to get a good understanding before we kick off.

        Please note that the Measurement Report is an input for the Management Review step, and it summarizes the objectives for your ISMS, the measurement method, the frequency of measurement, and the results. It is not created by the internal auditor and is used by management to conclude how effective information security is in your company.

        For further information about measurements, see:

        This article will provide you with further explanation about internal audit:

        • How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

        • Support regarding ISO 27001:2022

          Your understanding of the sequence of implementation is correct.

          Please note that nonconformities can be identified either by the personnel performing the activities, during daily operations, as well as during internal audits (in fact, in a mature ISMS the majority of identified nonconformities came from operation personnel than from internal audit, because at this level the personnel has already understood the value of nonconformities).

          Regarding how long to operate the ISMS so as to have enough evidence to assess nonconformities, an operation period between 15 days and 1 month is a good starting point. Please note that security process cycles can vary (e.g., some processes are performed on a daily, weekly, or monthly basis).  

          For further information see:

        • Queries related to old client

          I’m assuming you want to know how to handle old customers considering ISO 27001 certification and policies and procedures not implemented yet.

          Considering that, first is important to note that you need to follow all ISO 27001 implementation Steps: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

          According to these steps, you need first to evaluate if these old customers have requirements (i.e., needs and expectations defined in contracts or agreements you have with them) that can impact or be impacted by the information you want to protect with your Information Security Management System (ISMS).

          In case such requirements exist, then you need to consider them in your implementation, by identifying information security risks related to these requirements and, for those risks deemed as relevant, develop and/or adjust policies and procedures accordingly.

          For example, if these customers have requirements for which compromise of availability of information protected by the ISMS can impact them, then you need to identify relevant related risks and develop or update a backup policy.

          In case there are no relevant requirements, these customers do not need to be considered in the ISMS.

          For further information, see:

Page 39-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +