Search results


  • Asset register


    If we would come to the asset „server“ on the asset inventory list - we've got over 6.000 of them. How should we list them?

    Answer:

    ISO 27001 does not prescribe any level of granularity, so you can adopt the levels that you understand will better fulfill your needs. Considering your examples, you should consider splitting assets in more detail when they require different levels of protection and a different number of applicable controls.

    For example, managers will have a higher level of access to information than general employees, so you should consider them as a separate category of asset, to avoid implementing controls related only to them for all employees.

    For the case of workstations, you can use categories related to their purpose, for example general workstation and development workstation, including as detailed information the quantity of each type.

    It is important to note that you can reference other system(s) that contain more detailed information about each asset, so you do not need to replicate information unnecessarily.

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Scope definition


    It has been difficult for me to develop that point, since I do not quite understand it. I have investigated, but it is not clear to me. I wish you could help me or show me some examples based on your knowledge and experience.

    Answer:

    Without detailed information about your scope, what we can do is provide general examples:
    - In an e-commerce organization, its website is considered the interface between the activities carried out by the organization and its customers. The web page of the Supply Chain management software is the interface between the activities carried out by the organization and its suppliers
    - Considering a data center, dependencies that must be considered are electrical and communication providers, as well as hardware manufacturers

    This article will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    This material can also help you:
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  • Documenting a QMS


    Answer:

    The documented information required by ISO 9001:2015 includes:

    a) The documented information required by the ISO 9001 standard
    b) The documented information that the organization determines as necessary for the correct functioning of the Quality Management System.

    Within ISO 9001 there is a set of mandatory documented information; these are the documents and records needed to comply with the requirements of the standard. Here you can find more information - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    In addition, there is a set of requirements regarding the control of documented information, which include:
    a) Access, distribution, retrieval and use.
    b) Storage and preservation.
    c) Control of changes.
    d) Retention and disposition.

    For more information you can consult the following materials:
    - Article - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Article - How to structure the documentation in the quality management system: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-estructurar-la-documentacion-del-sistema-de-gestion-de-calidad/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Controls measurement


    Especially, what is meant in the Access Control Policy by "level of confusion responsibility for the implementation of this document"?

    Acceptable Use Policy:
    Validity and document management
    This document is valid as of [date].
    The owner of this document is [job title], who must check and, if necessary, update the document at least once a year.
    When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
    - number of incidents related to unacceptable or unauthorized use of information assets
    - number of incidents related to inappropriate employee training or awareness programs

    Access Control Policy:
    Validity and document management
    This document is valid as of [date].
    The owner of this document is [job title], who must check and, if necessary, update the document at least once every six months.
    When evaluating the effectiveness and adequacy of this document, the following must be considered:
    - number of incidents related to unauthorized access to information
    - delayed change of access rights in case of change or termination of employment / contract
    - number of systems not included in this document
    - level of confusion responsibility for the implementation of this document

    Answer:

    Examples of how to measure these items are:
    - Number of incidents related to unacceptable or unauthorized use of information assets: this information you must gather from the evaluation of recorded incidents (filled in the Incident Log).
    - Number of incidents related to inappropriate employee training or awareness programs: this information you must gather from the evaluation of recorded incidents (filled in the Incident Log), compared to attendance lists from training and performed awareness activities (this way you can verify whether the people involved in an incident have participated in training and awareness or not).
    - Number of incidents related to unauthorized access to information: this information you must gather from the evaluation of recorded incidents (filled in the Incident Log).
    - Delayed change of access rights in case of change or termination of employment / contract: to evaluate this situation you must identify changes or terminations of employment / contract performed by the HR team and track whether access changes were raised, and when they were implemented (this second piece of information will normally be found in the IT area and the area responsible for physical access).
    - Number of systems not included in this document: in this case you must compare the information in the inventory of access with the content of the access control policy.
    - Level of confusion regarding responsibilities for the implementation of this document: in this case you must meet with the personnel involved in the implementation of this policy and ask for their feedback regarding the policy implementation (e.g., whether users requiring access know who to contact to ask for access to specific systems).
  • ITSCM and BCM


    Answer:
    IT Service Continuity Management (ITSCM) relates its activities to the inputs from Business Continuity Management (BCM). That also means that if you have implemented ITSCM, you have not covered BCM.

    This article can help you further: "IT Service Continuity Management – waiting for the big one" https://advisera.com/20000academy/blog/2013/09/24/service-continuity-management-waiting-big-one/

    and here you can learn more about the ISO standard related to BCM: "What is ISO 22301?" https://advisera.com/27001academy/what-is-iso-22301/
  • GDPR Controllers and Processors of personal data records


    Answer:

    Yes, where necessary there are different documents. For example, there are two versions of the Data Processing Agreement, one which is more Controller oriented and the other which is more Processor friendly. However, consider that an organization very seldom acts exclusively as a Processor.
  • EU GDPR and Data Processing


    Answer:

    The email communication would not be a problem. The question is whether the software application you are providing support for processes any personal data and whether, while providing support, you may access such data. If the answer is yes, then you need to comply with some GDPR provisions.

    If you want to find out more about the EU GDPR and what constitutes personal data check out the EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Toolkit content


    Answer:

    This "Information Security Risk Treatment Plan" is covered by the template Risk Treatment Plan, located in folder 07 Risk Treatment Plan.
  • Managing information security incidents


    Answer:

    First, it is important to note that if an information security occurrence has no impact on the business nor on information security, it is an information security event, not an information security incident.

    This slight difference makes a big difference in how to approach the situation, because handling events requires less effort than treating incidents.

    In your situation, you must consider historical data (e.g., previous incidents) or market data (industry reports) to validate your idea that 3-4 events per day is too high a number of irregular emails that your anti-spam does not block, leading to a greater risk of malware infection or data loss.

    In case this quantity of events is in fact too high, then you must consider reviewing the rules of your anti-spam filter, or raising the awareness of your personnel. If not, you can keep only recording and monitoring these events to see whether they increase or not.

    For raising the awareness of your personnel, I suggest you take a look at our Security Awareness Training at this link: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Template content

    Where is my question inside the document: 3.3 period of time
    Question: What is meant by final report? The management review?

    Answer:

    Section 3.3 of the Risk assessment report says 'Final reports were prepared during [specify period].' - by these final reports is meant the Risk assessment table and Risk treatment table, which need to be presented as an appendix (ideally in PDF format) to the Risk assessment report.