Answer: Our templates are based on ISO standards, and although NIST 800-34 shares high-level aspects with ISO 22301, the ISO standard for business continuity management, our templates were not designed considering the specificities of NIST 800-34.
So, my question was: in each procedure documentation, is it an ISO 27001 requirement to identify the key control activity along with the key records?
Answer: ISO 27001 does not require the identification in procedure documentation of such a thing as a main or key control activity as you described it. As a good practice, you may consider including in policies and procedures references to the controls these documents are fulfilling. For example, in an access control policy you may include a reference to control A.9.1.1 - Access control policy.
Is ISO 27002 acquisition necessary?
Answer: ISO 27002 provides detailed guidance and recommendations on how to implement the controls of ISO 27001 Annex A (which only presents the objectives to be achieved and what the controls should do), and although its acquisition is not mandatory to implement ISO 27001, it can provide significant help in the implementation process.
Answer: Change management is a process focused on ensuring that changes are formalized, evaluated, authorized and implemented in such a way as to minimize the risks of unsuccessful changes or unplanned downtime.
In all, I am happy. We have certified 9 branches in Europe and the only 'pain' I have is that information is not structured. In fact it is everywhere on the server.
My next project will be the GDPR compliance procedures. I noticed that you have a combined toolkit on GDPR and ISO27001.
Why do you combine these 2 toolkits? I mean with the ISO HLS, isn't it more logical to combine ISO 9001, 14001, 45001 and 27001 in one toolkit?
Can my QHSE representatives 'approach' these toolkits?
Answer: Both GDPR and ISO 27001 focus on protection of information, so it is a natural move to combine them to provide a more cost-effective structure.
Regarding an integrated toolkit combining ISO 9001, 14001, 45001 and 27001, we didn't see much interest in such a product, so this is the reason why we don't have it.
Risk assessment approach
Threat - Vulnerabilities (mapping)
Vulnerabilities - Threat (Mapping)
I've seen both types of Risk Register.
Answer: Both approaches are good, but personally speaking, I like to use the Vulnerability-Threat approach. Generally it is easier to identify and take action on vulnerabilities (which are linked to the assets you own or have control over) than to identify and handle threats, which are mostly linked to factors you have little or no control over at all, so the approach of mapping first the vulnerabilities and then the possible threats that can be associated with them is more efficient.
Answer: The ISO 27005 approach toward negative risks was a decision of the committee responsible for the standard for the release of the current version (2011), based on the world's context at the time. For a risk management approach considering positive and negative risks, I suggest you take a look at ISO 31000, the ISO standard for risk management in general.
Answer: I am not sure I have understood your question correctly, but risk can be qualitative or quantitative, and you can mitigate it in both cases (and demonstrate this to an auditor by implementing security controls), because in both cases you are using a risk scale, and you can decide what the acceptable level of risk is. So, for example, if your acceptable risk level is Medium and you identify a High risk, you have to treat it (by implementing security controls). And the auditor may ask you: What is your acceptable risk level? or Why are you treating the high risk?
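The vulnerability-first mapping from the Risk Register answer above and the "treat everything above the acceptable level" rule from this answer can be tied together in a small qualitative risk register. The script below is an added illustration, not part of the original Q&A or of any toolkit; the vulnerability-to-threat catalogue, the assets, the 1-3 likelihood/impact scale and the banding of scores into Low/Medium/High are all constructed assumptions for the example.

```python
# Added example (not from the original Q&A): a qualitative risk register that
# starts from vulnerabilities you control, maps them to candidate threats, and
# flags every entry above the organisation's acceptable risk level.
from dataclasses import dataclass

# Qualitative scale assumed for this example, ordered from lowest to highest.
LEVELS = ["Low", "Medium", "High"]

# Constructed vulnerability -> threat catalogue (sample data, not a real assessment).
VULNERABILITY_THREATS = {
    "missing OS patches": ["malware infection", "exploitation of a known weakness"],
    "no database backup": ["hardware failure", "ransomware"],
    "shared admin password": ["unauthorised access by former staff"],
}


@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int  # 1 = Low, 2 = Medium, 3 = High
    impact: int      # 1 = Low, 2 = Medium, 3 = High

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed banding of the 1..9 product onto the qualitative scale.
        if self.score <= 2:
            return "Low"
        if self.score <= 4:
            return "Medium"
        return "High"


def candidate_threats(vulnerability: str) -> list[str]:
    """Vulnerability-first mapping: start from a weakness you control and list
    the threats that could exploit it; an unknown vulnerability maps to nothing."""
    return list(VULNERABILITY_THREATS.get(vulnerability, []))


def build_register(assessment):
    """Expand (asset, vulnerability, {threat: (likelihood, impact)}) rows into
    Risk entries, rejecting threats not catalogued for that vulnerability."""
    register = []
    for asset, vulnerability, ratings in assessment:
        allowed = candidate_threats(vulnerability)
        for threat, (likelihood, impact) in ratings.items():
            if threat not in allowed:
                raise ValueError(f"{threat!r} is not mapped to {vulnerability!r}")
            register.append(Risk(asset, vulnerability, threat, likelihood, impact))
    return register


def needs_treatment(register, acceptable_level: str):
    """Return the entries above the acceptable level: these must be treated
    (e.g. by implementing controls) and are what an auditor will ask about."""
    if acceptable_level not in LEVELS:
        raise ValueError(f"unknown level {acceptable_level!r}")
    threshold = LEVELS.index(acceptable_level)
    return [r for r in register if LEVELS.index(r.level) > threshold]


# Constructed sample assessment: asset, vulnerability, and per-threat ratings.
SAMPLE_ASSESSMENT = [
    ("file server", "missing OS patches", {"malware infection": (3, 3)}),
    ("HR database", "no database backup", {"hardware failure": (2, 2)}),
    ("team wiki", "shared admin password", {"unauthorised access by former staff": (1, 2)}),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSESSMENT)
    for risk in register:
        print(f"{risk.asset}: {risk.vulnerability} -> {risk.threat}: {risk.level}")
    for risk in needs_treatment(register, "Medium"):
        print("treat:", risk.asset, "/", risk.threat)
```

With the acceptable level set to Medium, only the High entry (the unpatched file server) is returned for treatment, which is exactly the answer you would give an auditor who asks why a High risk is being treated while a Medium one is accepted. The catalogue check in `build_register` is there so the register cannot silently contain a threat that was never mapped to the vulnerability it is filed under.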
Controls are procedures, equipment or technologies used to handle a risk, while measurement is the action of assigning values to a characteristic of an object or event, which can then be compared with other objects or events. Broadly speaking, a control is what you do to handle a risk, and measurement is what you do to obtain a value representing the result you get from applying a control.
But you have to take care with the word "measure / measures", because it can mean either the value you attribute to something (the result of a measurement) or a control (the meaning will depend on the context in which the word is used).
As for the question, "if all servers have this hardening guide applied, is this the control or is it just an audit?", it is important to understand that an audit is itself a kind of control (a management control), used to ensure that the controls used to handle the risks are being properly performed.
Answer:
You can perform a GAP analysis or perform an internal audit, either to check whether the ISO 9001 requirements are followed, or to check whether what the paperwork says is actually followed.
The following material will provide you with information about the GAP analysis: