- Our company was awarded a concession contract by the government to build a system (operate and maintain for 10 years).
- A subsidiary was set up to design and build this system for the government.
- The information security and IT business continuity design must comply with ISO 27001/27002 and 22301 requirements.
- It is a greenfield project (it will replace altogether the old system and infrastructure).
Questions:
1 - We would like to start in defining the scope of the ISMS – as it involves the customer sites (the government agency and its branches), and also development (at the new subsidiary) and operations (a command center, DC & DR) at customer sites – how do we scope this ISMS implementation?
Answer: An ISO 27001 ISMS scope can be defined in terms of locations, processes or business units, so, considering the information you provided, you may define the ISMS scope in terms of customer and subsidiary locations, and the business and supporting processes and infrastructure related to the information system you have to operate and maintain, as well as the related development and maintenance processes. For example:
"The ISMS scope comprises the process XYZ performed by the information system ABC, and its related infrastructure, which is operated and accessed from the following locations: customer site address 01, ..., customer site address n.
The ISMS scope also comprises the information system development and maintenance processes performed at subsidiary site address."
2 - How do we conduct the risk assessment – there are no (infrastructure) assets (it is a greenfield project) for us to identify. An asset-based risk assessment will be a bit difficult to implement. Can you advise and point to the right resources for a scenario-based RA or another risk assessment methodology that is suitable? The context of the risk assessment should cover the company (which develops the system) and also the government agency (where the system will be in operation).
Answer: Since you are working with a greenfield project, first you should identify the requirements, assumptions and constraints for this system, its related IT infrastructure, and the locations where the system will operate, so you can devise how this implementation should be performed (as in all projects, you have to identify the deliverables in order to know what you have to build and how).
After that you can create a scenario in which the system will operate and then you can identify the elements you should consider in your risk assessment. For example, in one site you can identify that you may have an average of 1000 simultaneous accesses and that it is in a highly populated area subject to storms and floods. This information will give you an idea about the system's requirements (for both software and infrastructure).
You also should consider information from the current system (e.g., configurations, schemes, incident history) so you can have an idea of what this new system should have and what it should avoid.
Considering this approach, you can use the asset based methodology to perform your risk assessment.
Answer: This will depend on the type and depth of the activities you desire to perform. If you want to focus on information security management, you should consider ISO 27001 LA. If you want to go beyond the scope of information security, and also consider the strategic relationships between information security and the information systems and business objectives, you should consider CISA. Please note that these courses do not exclude each other; they only offer different perspectives about how information interacts with business.
Cloud environment and information security scope/boundaries
Additionally, where does the responsibility and accountability fall in this type of model.
Answer: The main concern regarding information security in cloud environments, when it is provided by cloud service providers, is the level of access the providers will have to the organization's information and systems, because this will have a direct impact on the controls that will have to be implemented by each party, and on the contractual clauses that will have to be included in the service agreement with the providers.
For example, an IaaS provider will not have access to the organization's systems, only to the physical infrastructure. On the other hand, a SaaS provider will have access to systems and data. So these two scenarios will require completely different security requirements to be fulfilled.
I'm assuming you are referring to plan specific dates to audit each control of the Annex A. Considering that, there is no problem with this approach. My only suggestion to you is, if you have many controls to audit, you should consider grouping them in a way that in a single audit you can cover as many controls as possible, reducing the quantity of audits you have to perform. As criteria to group controls you can consider controls related to the same process, or implemented in the same location or business unit you are going to audit.
First of all you should understand that if this organization is planning to be certified against ISO 27001, the lack of the statement of applicability is a major nonconformity that can prevent the certification audit from proceeding until an approved statement is available. So, if this internal audit you mentioned is related to an ISMS implementation aiming for certification, you should solve this question as soon as possible to ensure this issue will not compromise the certification audit. For more information about the Statement of Applicability, please read this article: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Regarding internal audits, an organization can decide to proceed with the audit even with the lack of the statement. In practical terms, the lack of the statement of applicability will only make your audit work harder. You should look for the approved risk assessment report and risk treatment plan to identify which risks are to be treated and how the organization proposes to treat them. This information will not be sufficient to cover the requirements of the statement of applicability (this lack of documentation will be your first nonconformity), but you will at least have some information to audit the controls the organization has decided to implement. If you have neither the approved risk assessment report nor the risk treatment plan, then you cannot proceed with the audit, because you will not have enough information to know which controls to audit.
Answer:
Most of the ISO standards, including ISO 20000 in section, contain requirements for the documents. Additionally, you have to be careful while creating document templates and documents related to processes and procedures in order to avoid overhead.
Our toolkit contains "Procedure for Document and Record Control" (https://advisera.com//wp-content/uploads//sites/6/2015/06/Procedure_for_Document_and_Record_Control_Premium_EN.pdf) which is used to set rules for all documents in scope of the SMS.
In the following articles you can find a few details on how to approach the topic:
"How to structure ISO 20000 documentation" https://advisera.com/20000academy/blog/2016/09/27/how-to-structure-iso20000-documentation/
"Defining roles and responsibilities for ISO 20000-based IT Service Management" https://advisera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/
Nonconforming output and nonconformity
Answer:
I would like to have more context about the use of the two words. Nevertheless, I will try to give an explanation. Nonconforming output is related to the non-compliance with a specification associated with a final or intermediate product or service. Nonconformity can be used in the same context as nonconforming output or, more generally, whenever there is a non-fulfillment of a requirement of a management system. For example, a company did not perform the re-evaluation of its supplier base as scheduled.
The following material will provide you information about nonconformities:
Need your advice on this, as I feel it's not mandatory to have a DRP.
Answer: Although ISO 22301 clause 8.4.4 requires procedures for responding to disruptive incidents (e.g. business continuity plan(s) and recovery plan(s), including the disaster recovery plans), neither this standard, nor ISO 27001, mention "badge access request", so you need to analyse the following issues to confirm if a DRP is required for this specific process:
- the results of the business impact analysis (can the time needed to recover minimal conditions for this process after a disruptive incident prevent the organization from achieving its objectives for recovery or continuity of the business?)
- legal requirements applicable to the organization (e.g., are there any laws or contracts demanding this specific DRP?)
- top management decisions specifically related to the recovery or continuity of this process (regardless of any other conditions, does top management require a DRP for this process?)
If after verifying these issues you identify no reason to have a DRP for this process, then you can consider this DRP as not needed.
Hi. May I know how to audit clause 4.1? Thanks.
Compliance of U.S. company dealing with B2B customers
Answer: In order to provide a precise answer we would need some more information on the type of transactions and services provided by the US based company as well as the purpose of collection of the personal data.
If this information is lacking, my first choice would be to consider that the US based company is acting as a processor, and since they are dealing with an EU based controller there is a high chance that the GDPR would be applicable for the processing activities involving EU citizens' personal data.