First of all, we are sorry for this situation.
At this moment it is not possible to include other sources of controls besides ISO 27001 Annex A in the risk register.
ISO 27001 Annex A is a comprehensive set of controls, and if we know which control you are planning to use, we may be able to link to an equivalent control from ISO 27001 Annex A.
In case there is no possible relation to Annex A controls, a workaround would be for you to upload to Conformio a document stating which risk (i.e., asset, vulnerability, threat, risk value) will be treated by controls not related to ISO 27001 Annex A, also stating the residual risk.
1 - Can the ISMS Security Objectives be the same as the Control Objectives of ISO 27001:2013, or are they two different types of objectives?
Answer: ISMS Security Objectives and Control Objectives are different. The ISMS Security Objectives are top-level objectives related to the business strategy, while the Control Objectives are operational objectives related to what is expected from the controls.
Examples you can consider for the ISMS Security objectives are:
- decrease the impact and/or number of information security incidents
- increase revenue
- win a new customer
- increase market share
When using our Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
These articles will provide you with a further explanation about objectives in ISO 27001:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
2 - What is the difference between an information security policy and a recommended control or can they be the same?
Answer: Information Security Policy is a top-level document that does not specify any security controls. You can write a specific policy for a particular control, e.g. "Backup policy" for the control A.12.3.1 "Information backup", and in such case, the Backup policy is the implementation method for the control A.12.3.1.
For further information, see:
- What is ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-iso-27001/
3 - For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken?
Answer: You can use the requirements of the standard as guidance to write your own rules. You must not copy the requirement literally, because this would be a violation of ISO’s intellectual property. The templates in your toolkit are already written to be fully compliant with the standard.
4 - For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken?
Answer: Like the previous answer, you must not copy the Controls Objectives’ statements literally, because this would be a violation of ISO’s intellectual property. With just small changes you can adapt the standard’s text to your needs.
5 - For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken?
Answer: You need to adjust the text to avoid violating intellectual property rights. Something like:
“Employment agreements, including those established with contractors, must define information security responsibilities for both the employee and the organization.”
However, the Statement of Applicability that you will find in your toolkit already specifies the activities you need to perform to comply with each control from ISO 27001. There is no additional text needed.
For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
The scenario you are describing can be analysed from an IT Security perspective, and through a privacy-compliance perspective. From an IT Security perspective, the company might ask each employee to use a specific combination of username/password to make sure that it has better control over the company’s assets. There are modern technologies that allow recovery of lost passwords or account elevation, but certain companies might choose this approach. So from an IT Security perspective, if a company employs certain controls related to how these usernames/passwords can be used (in order to avoid impersonation of users), the scenario might be OK. From a privacy-compliance perspective, Article 25 GDPR - Data protection by design and by default - mentions that: “the controller shall […] implement appropriate technical and organizational measures […] which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” and that “The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”, so in order to be GDPR-compliant, the company should deploy a thorough IT Security Policy describing all the controls implemented to protect the private lives of employees, an Access Control Policy to establish who can access what resource and when, a BYOD (Bring Your Own Device) Policy if employees use their own devices, and a Mobile Device and Teleworking Policy if the employees work from home. These policies should be amended with the necessary controls to make sure that impersonation of users is avoided. You can find templates for these documents in our EU GDPR Premium Documentation Toolkit.
Also, in Article 5 GDPR - Principles relating to the processing of personal data - the third principle, at para 1. c, is called the principle of minimization: the personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The second principle, which is called purpose limitation, at para 1. b, states that personal data must be collected for specified, explicit, and legitimate purposes. In this case, the purpose would require one of the legal grounds for processing personal data, as mentioned in Article 6 GDPR - Lawfulness of processing. Consent wouldn’t work because it wouldn’t be freely given, according to the European Data Protection Board’s Guidelines 05/2020 on consent under Regulation 2016/679. If the company would like to use Legitimate Interest for this processing, the legitimate interest must pass a balancing test between the company’s interests and the interests or fundamental rights and freedoms of the employees which require protection of personal data. So my recommendation would be to perform a Data Protection Impact Assessment for this processing. As part of our EU GDPR Premium Documentation Toolkit, we have a Data Protection Impact Assessment methodology that can be used.
Please consult these links as well:
Please note that all the information you need to develop these records is in the template itself:
In the comments of each section, you will find examples that you can use to fill in the records.
Regarding templates for these records, ISO 27001 does not prescribe the layout for these records, so organizations can develop them as they see fit.
For example, for the record about “Decisions about the communication channels…” you can use the current way your organization records decisions (there is no need to develop a specific document for the ISMS).
This article will provide you with a further explanation of record management:
This material will also help you regarding record management:
Please note that each template is already fully compliant with the standard, so you won’t have problems with the audit if you only customize the templates where indicated by the comments included in each template.
The comments in the templates inform where you need to customize the document according to your needs (i.e., include, alter, or exclude information).
Please avoid altering parts of the document where there are no comments available because this can cause the document to become non-compliant with the standard.
The validity of an internal auditor certification is related to the version of the standard, i.e., as long as the version of the standard related to the certification is valid, the internal auditor certification is valid.
In your example, since the ISO 27001:2013 was confirmed in 2019, an internal auditor certification issued in 2015 is still valid, but please note that after the release of the new version of ISO 27001 expected for this year, this certification will become outdated.
First, it is important to note that this answer greatly depends on the information about your organization’s industry.
For example, for organizations from the critical infrastructure industry (e.g., chemical, communication, emergency services, energy, etc.), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) would be examples.
We suggest you seek legal expert advice to identify authorities related to your organization’s industry.
ISO 27001 does not prescribe any level of granularity, so you can organize the assets the way you understand that will better fulfill your needs. Considering your example, you can split assets into categories that require different levels of protection and a different number of applicable controls.
For example, you can use categories related to the laptop's purpose (e.g., "general laptops" and "development laptops").
This article will provide you with a further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
This material can also be useful:
- Asset List for ISO 27001 Risk Assessment https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/
1. For Clause 4.2, our external auditor requires us to have a document containing all needs and expectations of interested parties. My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents. Would you consider this a major nonconformity?
Answer: The lack of this single document would not be considered a nonconformity for ISO 27001, because clause 4.2 of this standard does not require the needs and expectations of interested parties to be documented.
2. For Clause 4.4, our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10.
My understanding is that there’s no standard requirement for an ISMS Manual document. Would you consider this a major nonconformity?
Answer: The lack of an ISMS manual would not be considered a nonconformity for ISO 27001, because clause 4.4 of this standard does not require such a manual to be documented.
Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/