Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Questions about scope
Answer: First it is important to note that the objective of ISO 27001 is to protect information, so the main question is to identify which information you want to protect. Where this information is, is a secondary question.
Considering that, if your scope is the information stored and processed in the datacenter, and the information used by WHMCS is not stored in, or processed by, the datacenter, then you do not have to ensure its confidentiality, integrity and availability. Please note that there is a difference between where a system is used (e.g., by WHMCS operators in the main office) and where are the data used by the system(e.g., in the datacenter, or other place different from the main office).
2. Since we do have to limit access to the assets in the datacenter, is it enough that we cannot access them physically (since they are in another physical protected location) ?
Answer: You also have to consider the risks related to remote access (e.g., admin administrators remotely accessing services for maintenance, or users and systems remotely accessing the data). If an unauthorized user has remote access to servers or data he can make almost as damage as if he had physical access to assets.
3. You agreed on the fact that laptops do not "have to" be encrypted in case that the datacenter is the only location which is included. Does this mean that we also do not have to document these in the 'Inventory of assets'?
Answer: If no laptop is used inside the datacenter (e.g., some datacenter configurations rely on laptops as central maintenance hub, so you do not have to access servers individually, and these may need to be taken of for maintenance or other purpose), nor none of them have access to information inside the datacenter (by means of remote access as described in answer 2), then there is no need to include them in an 'Inventory of assets'.
4. We have the CTO, Technical Director and 2 Support Engineers who are doing the webhosting services. However the other two owners of the company besides the CTO do have access to some of the systems (just because they are the owners of the company). They do only have access to the WHMCS tool (which is being used for support tickets and sales), so they cannot take servers down or such. Is it relevant to keep these in mind if we are limiting our scope to the datacenter?
Answer: As mentioned in answer 1, if information handled by the WHMCS is inside the datancenter, then you have to consider these two owners when planning the security of your scope. For example, if their access to WHMCS is not ready only, if their accounts are compromised, an attacker can use them to delete, or tamper with, sensitive data.
5. Customer data that is involved in sales and for business purposes (such as name, address, etc..) is this something that we have to keep in mind (as for controls A.13.2.1. A.13.2.2, A.13.2.3 as an example) if we are only including the datacenter in the scope?
Answer: Please consider where this information is stored or processed. If it is stored or processed in the datacenter then you have to consider them when planning the security of your scope.
6. (This last question is not directly related to the scope) Records of log reviews: In a webhosting company which is doing customer support on a daily basis 8 hours per day minimum this is not achievable, it would cause too much disruptions to the business. We are reviewing logs for (nearly) each customer that has a problem.
Answer: First it is important to note that ISO 27001 does not prescribe how to perform log review, so you can perform it every time you have an entry, generating a review record for each entry, or you can define a verification period, when you verify all entries made during that period, generating only a single review record covering all entries reviewed. If this control is applicable to your organization, then you should consider if this second option can be implemented for your business. If this is not possible, maybe the cost of the control is higher then the impact if the risk occurs, and the organization should accept the related risks.
6. I'm aware that the scope is the primary document that I have to fill in, but the problem is that each expert that I talk to (I also speak with experts outside Advisera) are telling me something different, it is very hard for me as a student to sort this out in that case. I have to sort this out in the upcoming week, since there is a pre-audit on Friday.
Answer: Information is primarily built upon understanding of the organizational context and perceived risks, and since we and other experts have not the same point of view, experience, and knowledge of your business, it is natural that divergences will arise. That's why it is important for the person responsible for the implementation to have some understanding of basic concepts of information security (and for that we always suggest users our ISO 27001 foundations course - https://advisera.com/training/iso-27001-foundations-course/), so this person can filter and adjust the answers provided by the experts considering his view of the business. This way, each time he interacts with the experts he can better guide them to provide answers to help him. -
Reference documents
How can we estimate which documents are connected to the information security guideline? The ones I would guess (document about the scope; methodology for risk assessment and risk treatment; SoA; list of legal, official, contractual and other requirements etc.) are already named above.
Would you mind giving me some key documents we have to add (beside the already named ones); only for ISO 27001; ISO 22301 excluded. I got the feeling the comment (I talked about before) described it for ISO 27001 and ISO 22301.
Answer:
The best way is to ask to the heads of each unit, and the key users of the processes, included in the ISMS scope. After you brief them on the purpose of ISMS, and show them which documents you already had identified, they would be able to tell you if any necessary document that can be used to define requirements for information security is missing (most probably, all necessary documents will be already on your list of legal and other requirements).
Without knowing details of your ISMS scope, the established security objectives, and the list of documents you already have, we cannot provide insights on what you have to add without the risk to induce you in an error, but as an example, you may consider a methodology for project management (if there is one different to the used for implementing the ISMS).
And you are right in the assumption that the comment applies both to ISO 27001 and ISO 22301. -
Developing documents
Answer:
ISO 27001 does not prescribe how documents should be developed, so you can chose the approach that best fits your needs.
The main criteria to decide to merge documents or not are if they have similar purposes and if by merging them they would not become a document too big to understand and read. So, in this particular case, if your single document does not become to big to use and manage it may be best to merge them, so you have one less document to manage in your ISMS.
These articles will provide you further explanation about developing policies:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/ -
Implementing BIA
Answer: The Business Impact Analysis related to ISO 22301 focuses not only on IT aspects that may affect a business during disruption, but on every organizational aspect that may impact business (e.g., a disaster hitting most of the staff of a critical process, supplier failure, etc.). Considering that, you should fill one questionnaire for each activity you consider critical to business, and after that you will have identified all IT services that are essential f or those activities, and proceed with proper treatment.
2. Besides, I had try to access https://www.iso27001standard.com/how-to-implement-business-impact-analysis-according-to-iso-22301-bs-25999 but fail.
Answer: First of all, sorry for this inconvenience. Here is the right links:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
3. Would you mind share with me a sample filled enclosed questionnaire for reference? Meanwhile, I had study your “Becoming resilient – The definitive guide to ISO 22301 implementation” as well. Refer to the P.123 Figure 10 mention an example of BIA Questionnaire – determining the Maximum Data Loss/RPO. This sample is quite suit for me looking for. Is it can fit in to the enclosed questionnaire or it have another simply version of questionnaire?
Answer: Unfortunately we do not have such detailed document samples to offer. But included in your toolkit you have access to a tutorial that can help you fill your BIA, using real data as example.
Also, the blog post on previous corrected link has an example on how fill in the BIA. -
Mock recall exercises as a requirement
We've received another question:
> Clause 8.6 reads, “…documented information shall include evidence of conformity with acceptance criteria”. We have several items (width, length, outer diameter, flatness, visuals) that are inspected at one point in our operation. These items have defined specifications; however, the results of the checks are not recorded anywhere. Operations says the record is the ‘G’ grade in the system. I am interpreting that clause (and in consultation to my well-worn ISO 9001:2015 in Plain English) to mean we have to record evidence of both the check and its associated result. What are your thoughts?
Answer:
If your acceptance criteria are a variable, then the associated results should be recorded as evidence. If your acceptance criteria are an attribute, then the result is OK or NOK. I have another issue to mention here: your organization inspects 5 items, imagine that 4 are OK and one is NOK, what is the final decision, is the product as a whole OK or NOK? As auditor I find that some organizations left cases like this in a limbo. That is not ac ceptable, there should be a clear final decision about the conformity or not conformity of the product.
The following material will provide you information about quality control:
- ISO 9001 – ISO 9001: Requirements for the release of the product or service - https://advisera.com/9001academy/blog/2017/03/28/iso-9001-requirements-for-the-release-of-the-product-or-service/
- Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- free course - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/ -
Sharing information
Answer:
Common documents required by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be asked depending upon what customers need.
To share such documents (some of them may have sensible information about your organization) you first should evaluate if the risks are worthy (e.g., the audit report has very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable , them you should provide a Non Disclosure Agreement with these customers to formalize the required conditions for protection of this information -
Questions about toolkit documents
Answer: Special interest groups covered by A.6.1.4 refer to manufacturers, specialized forums, professional associations and other groups that can help you with information security issues, while a Data Protection Authority is more related to A.6.1.4 Contact with authorities. So, to fulfill GDPR regarding Data Protection Authority control A.6.1.4 would be more appropriated.
For further information see:
- Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
2. Is it okay to write the same name in "Author" and "Approved by" in the Document Control Table at the start of the document?
Answer: For small companies the author and the approver of a document may be the same person, but normally these roles are performed by different persons, so the approver can verify if the document was properly written and does not rise unacceptable risks.
For further information see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
3. A.9.2.5 Review of user access rights Records: ISO 27001 probably does not describe which records must be included, is it okay to have 4 fields: Name of system / network / service / physical area & Type & Date & Results with the following records as an example:
Datacenter & Physical area & 24 April 2019 & Only the appropriate personnel have access rights.
Answer: To be effective, an access review record must contain at least these information: the asset (system / network / service / physical area, etc.), the asset owner, the list of people who can have access to the asset, the activities authorized to be performed by them, by the asset owner, the actual activities these people can perform, any decision made regarding found discrepancies, and the date the review was performed. Of course you can include more information, but these are the minimum to ensure the review process was properly performed.
4. Let us say that Control A and Control B both have an unacceptable risk, but this unacceptable risk is already reduced to acceptable by Control A. Does this mean that control B does not have any unacceptable risks (anymore) ?
Answer: Your understanding is correct (if the risk is reduced to acceptable level only by implementing one control (A or B), there is no need to implement the other), but you have to think in terms of risks that may be treated by several controls, not controls that have risks in common.
5. If the unacceptable risks for a particular control are being transferred to a third party, what do we write for this control in the "Implementation method" if we do not have enough information about how they have implemented this control?
Answer: In the implementation method column you can either write a brief description of how the control is being implemented by the third-party or refer to a document which contains this information (e.g., a service agreement or a contract). It is important to understand that you have to have minimal information about how the third party implements the control, because on the contrary you cannot manage the risk.
6. Do values after treatment have to be filled in, in case of other risk treatment options than "1. Selection of controls ?"
Answer: For any risk option selected for risk treatment you have to fill in the values after treatment, because these are used to define residual risk.
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment and Risk Treatment tables, using real data as examples.
For further information about residual risks see:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/ -
Documentation and audit
Answer: For certification purposes, you should wait until all mandatory policies and procedures have been implemented, and at least a couple of mandatory records had been generated, so you can have enough evidences to verify if the ISMS is properly implemented and working. The precise time frame will depend on the duration of the cycles of the process included in the ISMS scope.
2. I have documented the policy. Am I eligible to perform internal audit? I am pursuing my mba in information security.
Answer: The main criteria to perform internal audit is compete, by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previous performed audits), and impartiality (an auditor cannot audit his own work). Considering that, if you can demonstrate that you have the necessary competence, and you do not audit your own work, you can perform internal audit.
This article will provide further information:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
3. Do I need to document Access control policy separately from ISMS policy(A.9.1.1) or do I just need to mention it in ISMS itself? What are the mandatory operating procedure apart from incident management, change management?
Answer: Although ISO 27001 allows merging documents, the ISMS Policy is a high level document (to be used for all organization), while the remaining policies, like Access Control Policy, are considered operational policies (to be used by specific areas or processes), so we do not recommend to merge them in a single document, because this document would become unnecessarily big and difficult to read and manage.
The same applies for procedures which have different purposes (if they will become to big they should be created as separated documents).
These articles will provide you further explanation about developing policies:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/ -
Certification body
Answer:
The main certification bodies for ISO 27001 are:
- BSI: https://www.bsigroup.com
- Bureau Veritas: https://www.dnvgl.com/
- DNV: https://www.dnvgl.com/services?ServiceTypes=136423
- SGS: www.sgs.com/
- TUV: www.tuv.com
You also can find a proper certification body from this link: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
You can use this link to enter your profile, and we will find the certification body that best fits your needs.
Regarding QAS, it is our policy not to issue opinions about specific organizations.
This article will provide you further explanation about selecting a certification body:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ -
Subcontractor evaluation, selection or termination
Answer:
There is no universal formal process for dealing with subcontractor evaluation, selection or termination. Each organization has to design its own process as long as it is useful and effective.
I like to start my conversation with organizations with this drawing:
Can your organization work will all subcontractors? Does your organization have some basic requirements? For example, Subcontractors must:
Be ISO 9001 certified;
Have certain kind of machines;
Have certain kind of experienced workers;
Have a production capacity above a certain level.
After that evaluation, subcontractors that passed belong to a pool of approved subcontractors.
When your organization has a specific order that must be fulfilled, checks the pool of approved subcontractors and request quotation to two or three. As approved subcontractors they have enough quality. Now, what is relevant is knowing who ha s the best price, who is available, who can deliver on time.
Subcontractors worked for your organization. It is important, from time to time, to evaluate actual performance to check if the initial evaluation was a good predictor of performance, to find if any of the subcontractors should invest more in improving performance, and if any of the subcontractors due to bad performance is really not a good partner for your organization.
The following material will provide you information about treating subcontractors:
- ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
- How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- Free course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/