
    • Asset inventory

      ISO 27001 does not prescribe the information to be included in an inventory of assets, so organizations can define them as best fits their needs.

      Both alternatives have disadvantages and advantages:

      • by using the owner’s name, it is easier to identify who to contact, but the inventory will need to be updated every time the asset’s owner changes.
      • by using the owner’s role, you won’t need to update the inventory if a new person is in charge, but the inventory will become less personal, and you will need additional information to identify the person.

      You can also use both pieces of information to write your inventory. The turnover rate in your organization will help you assess which approach is better for your organization.

      For further information, see:

      • Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    • Do we need separate Cloud Security Policy?

      Unless you have a legal requirement (e.g., law, regulation, or contract) demanding a Cloud Security Policy, you do not have to implement one. The Information Security Policy is enough to provide guidelines for the protection of information in cloud environments.

      For further information, see:

    • Revision to 27002 question

      Please note that the elements (Attribute, Control, Purpose, Guidance, and Other information) are part of each control and that each control is related to at least one element in the five control attributes. So, by selecting one attribute to sort the controls, you can group them according to each element they cover.

      For example, control 5.1 Policies for Information Security, in its attribute Control type is classified as preventive, while control 7.4 Physical Security Monitoring in its attribute Control type is classified as preventive and detective.

      Considering that, you can work these controls together, for example by developing a Physical Security Monitoring Policy (a preventive measure), which can define rules for implementing CCTV monitoring and motion sensors for detection of unauthorized access (a detective measure).

      For more detailed information about the ISO 27002 revision, please download this free white paper: 

    • A.5.1.1 Policies for Information Security

      Please note that ‘Setting top-level information security objectives and intentions’ is related to the Information Security Policy, which is a mandatory document for ISO 27001, so it needs to be implemented regardless of whether the controls from sections A.5 and A.7 are applicable or not; therefore, they are not linked to these controls.

    • Register of legal, contractual and other requirements

      1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

      In this step, you need to record all laws, regulations, standards, and contracts that put information security requirements for your company.

      This step will help you identify which security controls you need to consider in your ISMS implementation.

      For further information, see:

      2 - For ISMS Scope: we’re not sure what to include and what to exclude! Do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

      To help you define your ISMS scope, please access this free tool:

      3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

      ISO 27001 does not require having a separate Asset inventory, so in Conformio the Risk Register is used for listing the assets.

      In Conformio assets are identified as part of the information risk assessment and treatment, in the Risk Register module, so you only need to identify assets that are relevant to the information you want the ISMS to protect. You should include all assets that you control - those could be the assets you are using (e.g., your people), that you purchased (e.g., laptops), or that you provide to third parties (e.g., Software-as-a-Service).

      4 - For IT Security policy: is it only 1 global policy? Or do we need to add related policies like: backup policy, cloud policy, data destruction policy ...?

      ISO 27001 does not prescribe the content of an IT Security policy, so you can develop it as a single document or as multiple documents covering specific areas.

      In Conformio you can either use a single document for the IT Security policy or use some documents separately. You can define that after performing the risk assessment step and Conformio suggests the documents you need to develop within the Statement of Applicability step, considering the applicability of controls.

      For further information, see:

    • Clause 8.2.6 ISO 13485

      Yes, you are right, we did not put it in the first version of the toolkit. We are aware of this omission and it will be in the second version of the toolkit that will be released in September.

    • Is antivirus software a requirement for companies seeking ISO 27001 certification?

      Antivirus, like other antimalware solutions, is a requirement only if you have relevant risks or legal requirements (i.e., laws, regulations, or contracts) that demand its implementation. In case you have no risks or legal requirements demanding the implementation of antivirus, you do not need to implement it to be compliant with ISO 27001.

      This article will provide you with further explanation about the selection of controls:

    • Requirements in Document Wizard

      1. Why can I select only one person to approve my documents? We have more people, so I am not sure how to handle this in our organization.

      Answer: When you need input from several roles to define a document, you can use the functionality of reviewers, so you can invite specific people to evaluate the document before it is sent to approval.

      2. How are the risks and requirements listed in each step addressed in each policy? Do I need to do something on my side or reference them in specific paragraphs? How do I know which paragraph in the document covers which risk or which requirement, so that when I am asked how we are treating those risks or requirements, I can show them?

      Answer: The relation between risks and documents is that risks define which controls are applicable in the Statement of Applicability, and in the SoA it is defined which documents are used.

      The recommended documents will automatically show the texts that need to be present to cover the controls used to treat the risks, and the specific risks can be seen in the left-hand side of each document for the highlighted text. In your example, the risks in the left-hand side panel refer to the first paragraph of section 4.1.

      This way you can decide how to adapt the text of a document for specific risks.

      Requirements from the Register of Requirements will be displayed in a similar manner in the left-hand side of a document.

    • Equipment

      The Registry of Records for Retention / Central Archive is used to document and record status changes to all retained records, including when they are made obsolete.

      For more information on the use, see the associated procedure, Document and Record Control, available for preview at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

