
  • Steps to implement ISO 27001


    Answer: The overall steps are:

    1. Obtain management support
    2. Treat the implementation of the standard as a project
    3. Define the scope
    4. Write the ISMS policy
    5. Define the risk assessment methodology
    6. Perform the risk assessment and risk treatment
    7. Write the Statement of Applicability
    8. Write the risk treatment plan
    9. Determine how to measure the effectiveness of controls
    10. Implement the controls and mandatory procedures
    11. Implement training and awareness programs
    12. Operate the ISMS
    13. Monitor the ISMS
    14. Perform the internal audit
    15. Perform the management review
    16. Carry out corrective actions

    For more information on each step, you can read this article, "Support checklist for ISO 27001 implementation": https://advisera.com/27001academy/es/knowledgebase/lista-de-apoyo-para-implementacion-de-iso-27001/

    Here you can also find free resources in Spanish: https://advisera.com/27001academy/es/descargas-gratuitas/

    And this free webinar on the ISO 27001 implementation process may also interest you, "ISO 27001: An overview of the ISMS implementation process": https://advisera.com/27001academy/es/webinar/iso-27001-an-overview-of-isms-implementation-process-free-webinar/
  • Internal audit


    Answer: The best moment to perform an internal audit would be after a time two or three times longer than the process you want to audit takes to be executed, because after that time you will have more chances to gather evidence to decide if the process is executed properly or not. For small scopes (or when there are sufficient auditors), the internal audit is done a couple of weeks before the management review.

    2 - And in regards to the training and awareness... is it enough to provide a PowerPoint video that explains to employees the most important documents (access control, security, acceptable use, etc.), where to find them, what is included in them, what relates to each of them, etc.

    Answer: For initial and general training (considering all personnel) this may be a good approach, but you also have to consider specific training and awareness activities considering technical and management personnel, as well as personnel that perform specialized or critical activities.

    3 - Also, how long should the internal audit take? Should the internal auditor basically go through the provided checklist? I read that the internal audit should be a 1-year plan? Can you elaborate, please.

    Answer: For small organizations (up to 20 employees) the internal audit will typically last 1 day, whereas in a company of 100 employees it will be 2 days.

    Regarding checklists, they are only one part of the resources an auditor can use. He should also consider documentation review, interviews and process observation to gather information.

    Regarding the internal audit plan, a 1-year plan is generally developed when an organization has a big scope and wants to audit only parts of it at a time. Considering that ISO 27001 only requires the audits to be conducted at planned intervals (clause 9.2), an organization is free to decide if it wants to perform a single audit during the year, considering all the scope, or multiple audits considering smaller parts of the scope each time. Additionally, for certified organizations, all the scope must be audited between certification body audits, and generally they are performed annually.

    Included in the toolkit you bought, you have access to video tutorials that can help you plan and perform an internal audit.

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    This material will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Benefits of ISO 27001

    In general, the benefits of ISO 27001 are related to:
    - Enhanced competitive edge
    - Reduction in losses due to security incidents
    - Reduction in fines due to legal or contractual non-conformity
    - Improvement of internal organization

    To enhance your proposal, it is interesting to identify for the organization examples that can be related to its context, so it will be easier for the employees and management to figure out the benefits of adopting a management system culture.

    To help you build a presentation, I'd suggest you take a look at this free downloadable presentation: Why ISO 27001 – Awareness presentation https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

    These articles will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/

    These materials will also help you regarding ISO 27001 benefits:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Performing risk assessment


    So I guess my question is, if in the risk assessment the risk level is a 1 or a 2, can I still put in a control? And would it be a risk acceptance or selection of control under selection of options? Another example would be if the level of risk is a 1 or a 2 and it is an accepted risk but I want to make the treatment method stronger... would I still put risk acceptance and then select a control, or just selection of control?

    Answer: If during the risk assessment you identify that risks are acceptable because there are already implemented controls, you should mention the related controls in the Risk Assessment Table, column J (Existing Controls), and there is no need to transfer those risks to the Risk Treatment Table, unless you decide to include additional controls to treat these risks, or make improvements on the controls already implemented.

    If you decide to include an already acceptable risk in the risk treatment table (because you want to improve a control or add a new one), there is not much sense in choosing the option "risk acceptance", because this option means you intend to make changes now.

    Included in the toolkit you bought, you have access to a video tutorial that can help you perform the risk assessment and treatment.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    This material will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Root cause for identified non-conformities


    Answer: The root cause is the main reason why a non-conformity has happened - for example, if you have an employee who didn't perform backups according to the Backup policy, a root cause could be that there was no training that explained to employees how this needs to be done.

    Such root causes should be documented in the Corrective action form.

    These materials will also help you regarding root cause analysis:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Standard in selection of partnership


    Answer: Mortgage information is sensitive, and its compromise may have great impacts on the interested parties, so you should also consider the ISO 27001 standard, so you can evaluate properly how potential providers handle and protect this kind of information.

    This article will provide you further explanation about ISO 27001:
    - WHAT IS ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    This material will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Vendor Management Policy


    Answer: Regarding suppliers, ISO 27001 has a control that requires the definition of requirements for mitigating the risks associated with a supplier’s access to the organization’s assets, which does not require describing detailed practices. This control is covered by the template "Supplier Security Policy", which can be found in folder 08 Annex A A.15 Supplier relationships.

    If you need detailed rules about how a supplier should behave, you can use the "Security Clauses for Suppliers and Partners" template, located in folder 08 Annex A A.15 Supplier relationships, to define the rules you want your vendors to follow.

    This article will provide you further explanation about supplier management:
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • BCP


    Answer: Yes, some examples are: BCI (Business Continuity Institute) and DRII (Disaster Recovery Institute International). By the way, if you want to develop a BCP, this article may be interesting for you, "Business continuity plan: How to structure it according to ISO 22301": https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    And this webinar may also interest you, "Writing a business continuity plan according to ISO 22301": https://advisera.com/27001academy/es/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar/
  • Who reviews and approves documents?

    Yes, I agree with you, Marcelo. You could be the owner, developing/adapting the documents; the board member can review them, and management can approve them.

    Finally, remember that you can download free resources here, including documents: https://advisera.com/27001academy/es/descargas-gratuitas/
  • Parental consent


    Answer:

    Referring to the situation you described, if the parents are the ones filling in the details for their own children then they are actually acting on the children's behalf so no additional consent would be required.