Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
GDPR compliance for possible new start up business
how much will a short consultation be with you? -
GDPR Article 27
Answer:
There is no such document in the Toolkit because setting up a company to act as your representative in the EU is subject to national Member State law.
Same if you want to have a representation/mandate contract with an existing company established in the EU, the contract will be subject to the rigours of the Member State law. -
Lead implementer exam
The foundation course is very very short and I I will take the exam next week.
After that I would like to attend a classroom course for the Lead Implementer certification.
1- The question is: If I read your book, Am I able to pass the Lead Implementer exam without attending the course? I am a Security Architect, CISSP, CASP and Security+ certified with more than 5 years of Security Experience.
Answer: Our book provides you a good basis for the implementation process, but it is not possible to take a Lead Implementer exam without attending the Lead Implementer course (rule followed by accredited providers, the ones that can issue certifications world-wide recognized.)
2 - If not, do you advise any another book?
Answer: The material provided by accredited Lead Implementer courses are designed to be sufficient to take the exam, so there is no need for add itional material.
3 - Do you also advice me to attend the Internal Auditor course first? I am not happy at all that the book exists only in electronic format. I am trying to printing it somewhere.
Answer: Regarding our book, unfortunately we do not have a printed version at this time, but you can read the eBook on his computer, smart phone or tablet.
About the course, the internal auditor course is not needed for the Lead implementer course, but it might be useful if you intend to perform internal audits for your clients.
These articles will provide you further explanation about lead auditor and lead implementer courses:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like?
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
This material will also help you regarding lead auditor course:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/ -
Performing risk assessment
I am not sure if I should be defining in terms of HOW LIKELY each supplier may be to let us down in some way , or THE IMPACT of a supplier letting us down.
For example. FIRE; Likely hood of our fire alarm supplier letting us down is very low as they are a reputable supplier who do regular maintenance visits, but the IMPACT should a fire destroy our office would be very HIGH.
Similarly, With Firewall provider; likely hood of issue is low but impact would be very high. Which way do I need to look at each supplier in order to define risk?
Answer: The definition of risk is a combination of likelihood and probability, so you must consider both aspects in your risk assessment.
Since you stated you are using the scale low-medium-high, then possible combinations for likelihood vs. impact are low-low, high-high, low-high, high low.
Considering these combinations you may defined that for a result low-low the risk is acceptable and do nothing. For combination high-high the risk is unacceptable and security controls must be defined and implemented. As for combinations low-high and high-low you should check then in a case by case basis considering the identified impact to make a decision to treat or not the risk.
These articles will provide you further explanation about performing risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
These materials will also help you regarding performing risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Project plan content
Answer: You can have both plans in a single document. In fact, because both systems, when based on ISO 27001 and ISO 22301, have a lot of common requirements, it is best to use a single document to coordinate the implementation.
These articles will provide you further explanation about ISO 27001 and ISO 22301 implementation:
- What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
These materials will also help you regarding ISO 27001 and ISO 22301 implementation:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-t he-iso-implementation-project-a-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
- ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/ -
ISMS boundaries definition
Answer: You should consider for your ISMS all employees that have access to the information you want your ISMS to protect, so if all of your employees that work remotely in different states have access to these information, then all of them must be considered in the boundaries of your ISMS.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Threat, risk and assessment examples
Answer: To see some example of vulnerabilities, threats an asset assessment, plesase take a look at the following material:
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Non financial impact rationale
Answer: The point here is to explain about feelings and perceptions. If the persons involved in the analysis do not reach a consensus about the impact value for a specific situation, but they agree that the situation is significant enough to be taken into account together with situations for which they can determine the value, then you may have a situation where a non financial impact may be greater than any financial impacts they found related to other situations considered.
For example, in a plane crash situation, the value of the airplane can be determined, but what about the value of human lives? Someone may argue that he has a formula to calculate the value of a life, but the value may be questioned by relatives (which feelings may not be measurable), or employers (that may argue about the potential deli veries the professional would deliver to the company), making impossible to reach a consensus, but all of them would agree at certain point that the value of life is high. -
Access control policy template content
A.9.2.5 Security of equipment off premises
Control
Security shall be applied to off-site equipment taking into account the different risks of working outside the organization’s premises.
I am not seeing the relationship there. Perhaps I'm missing an important point here. Can you lend me some guidance?
Answer: Sorry, but you are making a mistake here. ISO 27001:2013 control A.9.2.5 refers to "Review of user access rights" (Asset owners shall review users’ access rights at regular intervals). The control about "Security of e quipment and assets off-premises" is the A.11.2.6, which is not covered by this template (this control was A.9.2.5 in the ISO 27001:2005, which was withdraw when version 2013 was released). Here you can find the current version of the standard: https://www.iso.org/standard/54534.html
This article will provide you further explanation about Access control:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
This material will also help you regarding access control:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
ISMS statement
Answer: From your question I'll assume you are referring to the Statement of Applicability (SoA). Considering that, you have to evaluate if the SoA must be updated when there is a significant change in the ISMS scope or risk scenario, or at least during the management review, which normally is performed at least once a year. For controlling the SOA version you have to verify what is defined in your procedure for control of documents and records, because the SoA is a mandatory record for ISO 27001 certification.
This article will provide you further explanation about SoA:
-The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding SoA:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/