
  • A.12.7.1 Information Systems Audit Controls

    1. Does executing penetration tests on a regular basis serve the purpose of being compliant with this control, or do you suggest any other method?

    Penetration tests can be used to fulfill control A.12.7.1 Information Systems Audit Controls, provided that they are planned and agreed in a way that minimizes risks that can disrupt business operations (e.g., by being performed out of business hours, by covering only part of the most critical systems at a time, etc.).

    Another approach would be to perform audits only through analysis of system logs, review of system configurations, etc.

    For further information, see:

    2. Do we need to document a formal process for the penetration test and execute it accordingly?

    ISO 27001 does not require the penetration test process to be documented, but documenting the process is a good practice that makes it easier to evaluate the results and whether everything was done as planned.

  • ISMS scope

    Your example scenario (IT assets used within the scope, but owned by a Group IT function) is a common situation when the ISMS scope covers only part of the organization, so it makes perfect sense.

    In cases like this one, as well as in any other case where an entity outside the ISMS scope (e.g., another department, a contractor, etc.) has a relationship with elements inside the scope, it can be seen and treated as a third-party supplier.

    These articles will provide you a further explanation about ISMS scope:

  • Acceptable use policy

    1. When it is ready, can it also be used as information security policy? As a more detailed version?

    Please note that the Information security policy and the Acceptable use policy templates cover different requirements of the standard, so you cannot use the Acceptable use policy as an Information security policy. You can see the difference between them by comparing section 2 of each template. You can see this section of the Information Security Policy through our free demo at this link: https://advisera.com/27001academy/documentation/information-security-policy/

    For further information, see:

    2. And secondly, is it necessary that employees sign the acceptable use policy? Or is it good enough to communicate the policy within the organization?

    For certification purposes, you have to show evidence that people are aware of the policy content, and signing it is one way to show this evidence. Another way is through attendance lists about training or workshop activities where this policy is presented.

  • Company records

    Please note that the higher the classification level of information, the greater will be the effort and resources required to protect it, and most probably not all your information will have the same level of importance/value to your organization.

    Considering that, if you classify all your information as confidential you will be wasting resources and effort (you should be allocating fewer resources to less important information).

    Additionally, some records are public by default - e.g. an inventory of the products that are sold over the website - so it makes no sense to classify such records as confidential.

    This article will provide you a further explanation about information classification:

  • 27018 controls

    For ISO 27001 certification purposes, unless you have specific requirements to adopt ISO 27018 controls (e.g., laws or contracts), you can apply only ISO 27001 Annex A controls.

    Regarding only mentioning compliance of Google and Microsoft with the ISO standards, this would not be sufficient. You need to ensure that your specific security needs are covered by those providers by either (a) including security clauses in the agreement with them, or (b) making sure their Terms & Conditions specify the security clauses that are satisfactory for you.

    For further information, see:

  • Risk analysis process

    ISO 27001 does not prescribe how long an organization should take to implement the risk management process, so this time is defined by each organization to fit its needs, but from our experience 3 years is far too much for the risk assessment to be performed. For small companies of up to 50 employees it should be finished within a week or two; for a company of ca. 200 employees this generally takes a couple of weeks; and for a company of 500 employees, this is ca. 4 weeks' time.

    This is generally achieved by implementing the risk management process with a simple approach. In case you need something more complex, you should consider this more complex implementation later in the process, so people can become used to the concept of risk management and you can identify risks faster.

    For example, you can start the risk analysis with a qualitative approach (mostly based on perceptions, easier to understand, quicker to perform, but less accurate), and after that go for your more complex approach.

    These articles will provide you a further explanation about risk identification:

  • Process diagram

    1. I would like to know if there is an Excel template to register a new change.

    ISO 27001 does not prescribe the contents of a change register, but to see an example, I suggest you take a look at the free demo of our Request for Change and Change Record at this link: https://advisera.com/20000academy/documentation/request-for-change-and-change-record/

    For further information see:

    2. And the other thing is about the process diagram. I believe it is essential for that document.

    ISO 27001 does not require the documentation of the change process, but these are the general main steps you should consider:

    • Request change: describe what needs to be changed and the purpose
    • Analyse change: identify the impacts (positive and negative) related to the change, and potential risks
    • Approve / Deny change: authorize, or not, the change
    • Implement change: plan the details and implement the change
    • Review / Report change: verify whether the change achieved the expected results and communicate the change to relevant parties

  • ISMS scope - Networks and IT infrastructure

    Generally, networks are defined in terms of segments (e.g., administrative network, development network, internal network, etc.), and infrastructures are defined in terms of the most relevant assets (e.g., database server, border firewall, etc.).

    These articles will provide you a further explanation about the scope definition:

  • 5.1 Leadership and commitment

    1. What Template in our Toolkit contains this Clause?

    Please note that leadership and commitment requirements are systemic, not limited to a single document, so they are embedded in several documents in the toolkit such as:

    • Information security policy
    • Training and awareness plan
    • Management review

    For further information see:

    2. Can we be compliant with this clause maintaining our Information Security Policy? If yes, what shall we give emphasis on apart from company Policies and guidelines?

    As mentioned in the previous answer, the Information Security Policy is only one of the documents you need to implement to be compliant with ISO 27001 leadership and commitment requirements.

    Other issues you have to consider are:

    • Determine information security objectives
    • Determine the main responsibilities related to the ISMS
    • Communicate the ISMS importance
    • Provide all the necessary resources
    • Perform management review

  • A.18.1.3 Protection of Records

    First, it is important to note that "ISMS documents" do not refer only to documents required by the standard (such as the Information security policy), but also to any other documents and records your organization sees as relevant to the ISMS's defined purpose and objectives, like project specifications, contracts, etc.

    Considering that, in case you identify relevant risks or legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of control A.18.1.3 for these other documents, then you must apply the control to them as well.

    In case the documents and records are not related to the ISMS, you can still apply the control as a good practice, but they will not have an impact on any certification process.

    As for ways of protecting such documentation, some examples are:

    • physical cabinets
    • backup copies
    • digital signatures

    The choice of protection will depend on the risks identified during the risk assessment.
