Search results


  • Integrated inventory of assets


    I am looking into the CIS information security top 20 controls as a recommended place to begin shoring up our defenses.

    But I am searching for a resource that discusses the information that a team working to build inventories needs to identify and register per hardware and software asset.

    And how much effort should go into integrating the need for this information into a technology asset management system? Should the information security data be maintained separate from the ITAM system?

    Where would I find good resources to learn about this topic?

    Answer: First it is important to understand that ISO 27001 only requires the implementation of an inventory of assets if you have unacceptable risks or applicable legal requirements requiring such control (A.8.1.1 - Inventory of Assets).

    Considering that, this control does not require an inventory of assets related to information security to be separated from other inventory systems, like an ITAM system (in fact, if you already have an inventory system implemented, by using the same system you would be optimizing your resource usage). To use the same system you only have to ensure the information is properly protected, and most of today's systems have functionalities to ensure such protection.

    These articles will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/
    - Three main activities to set up ITIL Service Asset and Configuration Management https://advisera.com/20000academy/blog/2015/07/14/three-main-activities-to-set-up-itil-service-asset-and-configuration-management/
  • Risk management process


    1 - Does a company usually have to realize all of the 114 controls (I know you can choose other controls beside the 114 controls of ISO 27001)? Is the main idea behind Annex A that these controls should be implemented (if you can't exclude them)? You said that beside the risk treatment table we should check things like legal and contractual requirements when we try to fill out the SoA. I just would like to get a feeling for whether companies usually have to implement a high percentage of Annex A (on average across all companies and industry sectors), and whether this is the main idea of Annex A. I know that it's different from company to company and that it depends on the industry sector.

    Answer: Normally companies implement only part of the controls of Annex A (especially in the case of small and mid-sized companies), as a result of risk assessment or identification of legal requirements. The main purpose of Annex A is not to be fully implemented, but to ensure relevant aspects of information security are not forgotten during the risk assessment (sometimes, only by looking at a control, someone can identify a relevant risk related to it).

    2 - I just don't know how to handle Annex A after being done with the risk assessment table and almost done with the risk treatment table. If our company can't explain why this control doesn't apply to our company (because we accept the specific risk, for example), should we implement it? If you start reading Annex A it says: Annex A must be used in the context of 6.1.3 (risk treatment).

    An example: some of our employees got a laptop and a smartphone from the company to work with. In our risk assessment the risk level for these assets is under 3 and 4, and right now these assets fall in the category "accepted risk". With this identification, and in this specific example, we are able to ignore (for example) the control A.6.2.1.

    Another example: our human resources security doesn't have to be added to the risk treatment plan either. This means that, if there are no other legal or contractual regulations, we can ignore A.7.2.3 in this specific example? I know there might be a few more assets where this control has to be used. Let's assume we consider just this asset and the others are out of contemplation.

    Answer: If after risk assessment you do not identify unacceptable risks, or legal requirements, to justify implementing some controls, you do not need to implement them, as simple as that. Your examples are good ones.
  • Is EU GDPR applicable to Middle East companies

    Answer:

    I am sorry to hear that you are not satisfied with the interpretation of EU GDPR Article 3 – Territorial Scope (https://advisera.com/eugdpracademy/gdpr/territorial-scope/). I would suggest that you carefully read through the article, and you will find that one condition for the EU GDPR to be applicable is that the individual (data subject) needs to be "in the Union" (Union meaning the EU/EEA). If you have another interpretation, please feel free to share it.

    To make it clearer for you: if there is an EU citizen coming to the Middle East and he/she wants to rent a car, for example, the car rental company does not need to be compliant with the GDPR, because the EU citizen is not physically present in the EU and the processing activity is also carried out outside the EU.
  • ISO 27001 and NESA


    Answer: The National Electronic Security Authority Information Assurance Standards (NESA IAS) are primarily based on ISO 27001:2005, with some additional controls taken from ISO 27001:2013 and NIST Special Publications (SP-Series).

    For a detailed understanding of how NESA IAS correlates with ISO 27001, you should contact the NESA team at this link: https://www.ebdaa.ae/contact-us/index.php
  • Specifications for server room


    Answer: ISO 27001 does not specify requirements in terms of which physical security and building standards to follow, since for each organization these can vary according to local legal requirements and results of risk assessment. A common reference you can use is the standard EIA TIA 942, which you can find at this link: https://global.ihs.com/doc_detail.cfm?&csf=TIA&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA%2D942&input_doc_title=
  • Implementing ISO 14001


    Answer:

    Sorry, I have no such sample. But ISO 14001 is very intuitive, much more than ISO 9001, I would say. Make an environmental assessment, determine whether your organization follows conformity requirements, and establish priorities for improvement considering the assessment, strategic orientation, context, and risks & opportunities. Then develop plans to meet the improvement objectives and monitor performance.

    ISO 14001 includes the Deming cycle (PDCA). So, change management is very useful for the project.

    The following material will provide you information about assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Identifying quality requirements


    Answer:

    That sentence seems to be taken from a contract or something like that. My understanding is: I, as a customer, want you, as my supplier, to establish a process to handle all my quality requirements at product level, at product development level, and at organizational level. Does this make sense to you?

    The following material will provide you information about customer requirements:

    - ISO 9001 – How Product Requirements work in ISO 9001 - https://advisera.com/9001academy/blog/2014/04/08/product-requirements-work-iso-9001/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data transfer policies to non-EU country


    Answer:
    What I would advise you to do is to use "Data Exporter" instead of Data Controller and "Data Importer" instead of Processor. In this scenario your company would be the "Data Exporter", and it is irrelevant who the controller is.

    To find out more about data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR“ (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Controls documentation

    First it is important to understand that auditors will evaluate documentation not by considering how descriptive it is, but by whether it complies with the standard's requirements, applicable legal requirements, and needs identified as results of risk assessment.

    Considering that, as guidance for writing the details in your documents you should consider the ISO 27002 standard, a supporting standard that provides the details you are looking for. For example, for the information classification control this standard recommends that information classification criteria should be reviewed over time. For anti-malware, you should include guidance for users regarding not accessing malicious content and scanning files before using them.

    Orientations from this standard can be implemented as needed, so you do not need to implement all of them if you do not identify the need.
    This article will provide you more information about ISO 27002:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    At this link you can buy ISO 27002: https://www.iso.org/standard/54533.html
  • Information classification template


    "Step name: Entering the information asset in the Inventory of Assets
    Responsibility: Chief Information Security Officer"

    Further down in the document there is mention of “3.2.4 Reclassification” where asset owners are to review the confidentiality level of their assets with a certain time interval. Then “3.3 Information labelling” gives instructions on labelling of e.g. electronic documents and electronic mail etc.

    All this implies that each and every one of such documents should be listed in the Inventory of Assets (IoA).

    Our employees produce dozens of e-mails and electronic documents every week. If the CISO has to enter all these documents in the IoA, this is a full-time job in an organisation with only 15 employees or so!

    Can you please give me a practical way of dealing with this problem?

    General remark: I keep running into these kinds of issues where I am not able to find any examples or practical solutions in your documentation or in Secure and Simple.

    Answer: You do not need to identify emails and electronic documents individually in your inventory of assets. You can use a single identification for them (e.g., e-mails and electronic documents) and define only once how all of them will be classified and treated.

    Please note that the Information Classification Policy is not a mandatory document, nor are the A.8.3 classification controls mandatory. In other words, if there are no risks nor specific requirements for implementing those controls, you can exclude them in your Statement of Applicability, and in such case you wouldn't need to perform classification at all.

    Regarding doubts you may have when filling in templates, your toolkit includes access to video tutorials that can help you fill in some templates (e.g., the risk assessment table) using real data. If the tutorials are not enough to clarify your doubts, you can schedule a meeting with one of our experts so they can help you. To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/

    These articles will help you with information classification and asset register:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/