Search results


  • Processing of sensitive personal data

    Assessing the legality of the processing activity as regards sensitive personal data is something that the controller needs to do. What you need to ensure is that in the contract with your customer you state that they are fully liable for ensuring that the personal data is collected and processed in a lawful manner.
  • ISO 27001 versions


    What's the difference between the previous version and the new version of ISO 27001?

    Answer: This kind of question is not common in interviews (especially considering the previous version of ISO 27001:2013 is from 2005), but the main differences are related to:
    - the structure
    - Interested parties
    - Documented information
    - Risk assessment and treatment
    - Objectives, monitoring and measurement
    - Corrective & preventive actions
    - Communication
    - the number of controls on Annex A.

    These articles will provide you further explanation about ISO 27001 2013 and 2005 versions:
    - A first look at the new ISO 27001 https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
    - Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
  • Knowledge and certifications for the Information security Officer


    Answer: Competences that can improve your performance as an Information security Officer are related to risk management, information security and audit. In terms of certification, you should consider the Lead Auditor or the Lead Implementer certification.

    These articles will provide you further explanation about competencies for an Information security Officer:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/

    These materials will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Audit and certification


    Answer: For certification purposes, only auditors related to certification bodies can perform such audits, and the choice regarding which certification body will lead the process is up to the organization itself.

    These articles will provide you further explanation about ISO 27001 certification process:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding ISO 27001 certification process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    This page can help you find a certification body: https://advisera.com/
  • Internal audit results


    Answer: Recurrent nonconformities may indicate a rupture in the management system (a failure in the maintenance of the system), and for certified systems, if such a situation is not corrected before the next external audit, this may lead to a major nonconformity, which can compromise the management system certification.

    2 - Management has not taken corrective actions. Where in the standard can I find a reference to this?

    Answer: If you have evidence that recurrent nonconformities can be related to inaction of management, you can relate this situation to a failure to comply with one of the following clauses:
    - 10.1 c): implement any action needed (either to control and correct the nonconformity or, if necessary, to prevent it from recurring or occurring elsewhere); or
    - 10.1 d): review the effectiveness of any corrective action taken

    This article will provide you further explanation about nonconformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

    These materials will also help you regarding nonconformities:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Information security resources

    Even for my master's work, I read and learned a lot from your texts that I found online.
    Recently, I started to learn a bit more seriously about cybersecurity, because it has always been a very interesting topic and I want to change my career and deal with the security of information.
    So I'm trying to get in touch with people who are experienced and from whom I can learn something.
    If you can give me any advice about learning, certification or the most important things that I should focus on, I would be very grateful to you.

    Answer: Besides our site, I suggest you look for contacts and training opportunities on the websites of organizations such as ISACA (www.isaca.org), ISC2 (https://www.isc2.org/), SANS (https://www.sans.org/) and NIST (https://www.nist.gov/). LinkedIn (https://www.linkedin.com/) is also a good source of contacts.

    Regarding what you should focus on, this will depend on what type of career you want to pursue (e.g., technical controls, risk management, audit, etc.).
    These articles will also help you with your queries:
    - How to learn about ISO 27001 and BS 25999-2 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • Qualifications to perform ISMS internal audits


    We generally employ 2 persons, one Audit Lead and one Auditor. What training opportunities and certifications are available for these professionals?

    Answer: To perform audits a person should consider mastering competencies regarding risk management, information security and audit techniques. These competencies can be acquired by means of education, training or practice, so certifications are only one of the alternatives you should consider.

    Regarding ISO 27001, you should consider the ISO 27001 Internal Auditor training or the ISO 27001 Lead Auditor training.

    These articles will provide you further explanation about certifications and training:
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding certifications and training:
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Patch management

    I would like to know where patch management fits into ISO 27001. If, for example, a new critical security update was released by a vendor, or a vulnerability management system discovered a missing critical update on an asset, would I carry out a
    1. Risk assessment against the asset to determine the risk, then do the treatment options and treatment plan
    or
    2. Would missing patches come under defect management and go through some type of SDLC testing and change management before being applied, and only do a risk assessment if the patch couldn't be applied because of either a system stability issue or because the patch won't be applied within the time-frame required in a patch management policy?

    The handling of a new critical security update that was released/discovered should go through change management (control A.12.1.2), and according to this control, planning and testing changes should come before the assessment of the potential impacts of such changes (first you have to understand the change and verify if it is feasible, in a non-operational environment, so you can assess the involved risks). The scenarios you mentioned are only part of the possible alternatives (you can identify that the change is possible, but involves risks that can be managed by means of a rollback procedure, for example).

    If a risk assessment should be carried out, does this also mean that after the treatment options are decided for every patch that requires a treatment option the Statement of Applicability must be updated with whatever potential control?

    If during the risk assessment you identify the need for a new control, then the Statement of applicability should be updated accordingly.

    If I had to carry out a risk assessment for every patch that came out, it would create so much overhead that it just wouldn't get done. What have you found to be best practice for this?

    When defining your change management process, you can define which kinds of patches and situations would require the performance of risk assessments, so you can balance the effort to perform risk assessments against the level of risk involving the change. For example, you can define that patches that do not require a high level of skill, or that are applied to non-critical systems, do not require a risk assessment.
    These articles will provide you further explanation about change management:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
    These materials will also help you regarding change management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • Supporting services


    Answer:
    If supporting services are provided by the same (part of the) organization as customer-facing services, then there is no point in looking for the customer of the supporting services.
    But, if supporting services are provided by an external organization or some other department inside the same organization, then there is a customer of the supporting services.
    Read the article "ITIL Customer-facing vs. supporting services" https://advisera.com/20000academy/blog/2014/05/27/itil-customer-facing-vs-supporting-services/ to learn more.
  • Process approach


    Answer:

    The process approach is a management strategy. When managers use a process approach, it means that they manage and control the processes that make up their organizations, the interactions between these processes, and the inputs and outputs that tie these processes together. It also means that they manage these process interactions as a system. The process approach considers the interaction between these processes, and the inputs and outputs that tie these processes together. The output of one process becomes the input of another.

    For example, production or manufacturing can be considered as a process. You can define what the inputs for the process are, e.g. raw materials, energy, people, work instructions, etc., and then you define the set of activities within the process. At the end you define the outputs, such as the product, scrap, waste, etc. This should be defined for every process in the organization, as well as the interaction and sequence of the processes; for example, the output of design is the input for the purchasing and production processes, and the output of the production process is the input for the warehousing or distribution process.

    For more information, see: The importance of the process approach https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/