
  • Legal requirements


    Answer: To meet this control objective, you must include not only legal requirements that are specifically related to information security, but also those that may affect, or be affected by, the compromise of information that the Information Security Management System is intended to protect. For example, the service level agreements of a delivery service may be affected if delivery address information is compromised.

    This article will provide you further explanation about requirements identification:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding requirements identification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Financial Management


    Answer:
    ITIL, as well as ISO 20000, uses the Financial Management for IT Services process (Budgeting and accounting for services in ISO 20000) to manage the financial aspects of IT services. For these activities, help from someone with financial experience (e.g. from controlling) would be of great value. Close cooperation with the corporate finance department is required.
    Additionally, Continual Service Improvement is strongly related to finances (as they relate to IT services) and their improvement. Improvement activities should be performed within the scope of your usual improvement activities.

    These articles can help you further:
    "ITIL Financial Management – Charging as a moment of truth" https://advisera.com/20000academy/blog/2015/09/15/itil-financial-management-charging-as-a-moment-of-truth/
    "Financial Management for IT services – theory and practice" https://advisera.com/20000academy/knowledgebase/financial-management-services-theory-practice/
  • ISO 27001 scope


    My answer: Our recommendation, if the company is small, is that the participation, or scope, be the whole company, although you can also implement the standard in specific areas of the business: IT, Human Resources, etc. Therefore, the decision is yours, but our recommendation is the whole business (provided that the condition that the company is small is met). I think this article may be of interest to you: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Prospective questionnaires

    These questionnaires can contain hundreds of questions and be quite intrusive, e.g. the CAIQ (Consensus Assessments Initiative Questionnaire), or a questionnaire reviewing all ISO 27002 clauses.

    This raises a confidentiality issue, since the request comes from a prospect and not from an existing client who can legitimately request an audit from us, the subcontractor. Not to mention the significant investment of time required to complete these questionnaires.

    Of course, one solution would be for us to get certified to ISO 27001, but this is not yet on the agenda. We currently have ISAE 3402 for our hosting processes.

    My question is what is your position on the above-mentioned issue, particularly with regard to the confidentiality of security information.

    Answer: Indeed, the confidentiality issue is a relevant one when deciding whether or not to fill in such questionnaires, and ISO 27001 certification would represent a great option for treating such situations. But since ISO 27001 certification is not on your organization's agenda, I'd recommend that you use some cost-benefit method or criteria to identify for which prospective customers filling in these questionnaires would be worthwhile, considering the risks to the business regarding the confidentiality of the information provided, and then provide such assessments only in those situations, asking these prospective customers to sign a non-disclosure agreement (NDA) before you send such confidential information.
  • Non permitted technology strategy


    Develop a non-permitted technology strategy that includes identification of hardware and software that is highly vulnerable or will no longer be supported by the manufacturer/developer. An effective strategy should include a migration plan that identifies timelines for removal, replacement, or updating of affected systems.

    Answer: For this draft you should consider the Secure Development Policy and the Operating Procedures for Information and Communication Technology templates, since they will provide the basis for identifying and handling non-permitted technologies as required by your customer.
  • ISMS scope on cloud environments

    We received this question:

    >I have tried to understand why in a SaaS ISMS scope only data shall be included (reference to answer below - https://community.advisera.com/topic/isms-scope-on-cloud-environments/) when SaaS as provider has control over Application, Platform, Virtual infrastructure, Physical infrastructure (https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/)
    >
    >To me it seems logical that the provider has control over the assets he provides.
    >
    >Where do I think wrong?

    Answer: The SaaS ISMS scope that considers only the data refers to the customer's point of view (generally described in the customer's ISMS scope as "data associated with application XYZ provided as SaaS by provider ABC").

    When you are the SaaS provider the scope is indeed as you thought, including Application, Platform, Virtual infrastructure, and Physical infrastructure, and the provider's ISMS scope statement would be something like "Platform, Virtual infrastructure, and Physical infrastructure related to the XYZ Application, provided as SaaS to our customers."
  • Cryptography controls


    A.18.1.5 Regulation of cryptographic controls
    Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
    [List of Legal, Regulatory, Contractual and Other Requirements], [Policy on the Use of Cryptographic Controls]

    What is meant by Cryptographic controls?

    Answer: These cryptographic controls refer to the solutions adopted to protect confidentiality (e.g., encryption of stored or transmitted information) and integrity/authenticity (e.g., digital signatures and message authentication codes used to verify the authenticity or integrity of information), and to provide non-repudiation or authentication. This control is closely related to the controls in section A.10.1 - Cryptographic controls.

    This article will provide you further explanation about cryptography:
    - How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

    This material will also help you regarding cryptography:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
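    As an added example (not part of the original answer or of Advisera's material), the following Python script shows why the answer above treats confidentiality controls and integrity/authenticity controls as distinct things: encryption alone hides a payment message but leaves it malleable, so an attacker who never learns the key can still change the amount, while an encrypt-then-MAC construction detects that change before anything is decrypted. The keys, nonce, sample message and the HMAC-SHA256-based toy stream cipher are all constructed for this illustration; a real deployment would use a vetted AEAD cipher (AES-GCM, ChaCha20-Poly1305) rather than this construction.

```python
import hashlib
import hmac
import struct

# Constructed keys for the illustration only (never hard-code keys in real code).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 16  # fixed here only so the demo is reproducible; use a fresh nonce per message


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.

    Illustration only; it is not a reviewed cipher design.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality control: XOR the data with the keystream.

    XOR stream ciphers are malleable: flipping a ciphertext bit flips the
    same plaintext bit, and nothing in this function detects it.
    """
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR is its own inverse


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity/authenticity control: HMAC-SHA256 over nonce || ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce + ct + mac_tag(mac_key, nonce, ct)


def unprotect(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac_tag(mac_key, nonce, ct)):
        raise ValueError("integrity check failed: message was altered or forged")
    return decrypt(enc_key, nonce, ct)


MESSAGE = b"PAY 0100 TO ALICE"  # constructed sample message
FLIP = ord("0") ^ ord("9")       # XOR delta that turns '0' into '9'; needs no key


def demo_encryption_only_is_malleable() -> bytes:
    """Encryption alone: the attacker turns 0100 into 9100 and nothing notices."""
    ct = bytearray(encrypt(ENC_KEY, NONCE, MESSAGE))
    ct[4] ^= FLIP                               # byte 4 of the plaintext is the leading '0'
    return decrypt(ENC_KEY, NONCE, bytes(ct))   # -> b"PAY 9100 TO ALICE"


def demo_mac_detects_tampering() -> bool:
    """Encrypt-then-MAC: the same bit flip is caught before anything is decrypted."""
    blob = bytearray(protect(ENC_KEY, MAC_KEY, NONCE, MESSAGE))
    blob[16 + 4] ^= FLIP                        # same flip, now inside the MAC-covered ciphertext
    try:
        unprotect(ENC_KEY, MAC_KEY, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("encryption only, after tampering:", demo_encryption_only_is_malleable())
    print("encrypt-then-MAC rejects the tampering:", demo_mac_detects_tampering())
```

    The point for the control in A.18.1.5 and A.10.1 is that "encrypt the data" on its own only addresses confidentiality; the policy also has to say which mechanism (MAC, signature) covers integrity and authenticity, and those mechanisms are the ones subject to the relevant legal and contractual requirements as well.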
  • Filling SoA template


    Answer: Sure. If you want to justify the application of a control because of risk assessment results, then you should include in the justification the risks that the control will treat (or the identification of those risks, e.g., ID number, and the document where they can be found, e.g., Risk Assessment Report). To justify a non-selection you can state that "No unacceptable risk which would require the implementation of this control was identified in the risk assessment, according the
  • Filling Risk Treatment Table


    Columns of the Risk Treatment Table: No. | Name of asset | Asset owner | Threat | Vulnerability | New impact | New probability | Residual risk

    Answer: In columns A to I of the Risk Treatment Table you have to fill in the values you identified in the Risk Assessment process for the risks identified as unacceptable. Then, after identifying the proper risk treatment options and means of implementation, you have to identify the new values for impact, probability and residual risk, considering the effects the proposed controls will have on them.

    These articles will provide you further explanation about Risk assessment and treatment process:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding Risk assessment and treatment process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/