Search results

Home / Search

Category:
Select
Select

11277 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Mapping of risks to ISO 27001 controls


    Answer: Once you have identified the risk you should first look at the controls section objectives to find the one that are the most probable to treat the risk (some risk may be treated by controls from different sections). Once you find the section you should look into the controls description to find which ones are most adequate.

    For example, for the risk "loss of a notebook", you can identify the following section objectives, and respective controls:
    - Objective from section A.6.2 (Mobile devices and teleworking): To ensure the security of teleworking and use of mobile devices. Applicable control: Mobile device policy (A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.)
    - Objective from section A.11.2 (Equipment): To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. Applicable controls: Security of equipment
    and assets off-premises (Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.) and Unattended user equipment (Users shall ensure that unattended equipment has appropriate protection.)

    This material will provide you further explanation about matching risks to controls:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

  • Scope definition

    Regarding the video tutorials, please check the "Repository" at the top left corner of your screen in Conformio. From there you can find the subfolder "Video Tutorials". Consult this screenshot as a reference: https://www.screencast.com/t/T5rLxMgc3UJz

    Since your scope is limited to IT, you should include in the scope only the IT personnel, but it is important that you state in your scope who is responsible for the information security regarding employees that have access to IT systems and resources in each branch (e.g., someone in headquarters or the head of each branch). To see more information about this issue, please read the section Interfaces and dependencies from the article "How to define the ISMS scope" (https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/) that was also included in the previous post.

    You can exclude elements from the scope (e.g fax or printers) only if they are not related to the information your ISMS is propose d to protect. For example, fax or printers located on branches that cannot be used to sent or print information related to the systems in your ISMS scope can be excluded from the scope.

  • IT risk identification


    Answer: According to ISO 27001, you must establish a risk assessment methodology, which involves:
    1) Defining how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
    2) Defining how to identify the risk owners
    3) Defining criteria for assessing consequences and assessing the likelihood of the risk
    4) Defining how the risk will be calculated
    5) Defining criteria for accepting risks

    For risk identification, the most common approach is the identification of assets and threats and vulnerabilities related to them.
    These articles will provide you further explanation about risk assessment:

    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match asse ts, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • Design, validation versus verification


    Answer:

    Verification is a sort of final control, you are going to control the output of the design project with the inputs for the project (performance requirements, legal and statutory requirements, for example).

    Validation is a field control, you are going to test if the output of the design project works in the customer environment. The output can comply with all specifications and yet not getting the favor of the customers. For example, after developing a product to use in a certain context, during validation one realize that customers can use it in another context where it will fail to deliver the promised performance.

    The following material will provide you information about the design system:

    - ISO 9001 – ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - The ISO 9001 Design Process Explained https://advisera.com /9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

  • Risk Assessment


    Answer: To put together a risk management process which includes criteria for Risk Appetite, including for IT related risks, I suggest you to take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit contains the following documents: Risk Assessment and Risk Treatment Methodology, Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. In the template Risk Assessment and Risk Treatment Methodology you can define the criteri for Risk Appetite you will use to perform the risk assessment and treatment with support of the other templates.

    This article will provide you further explanation about Risk Appetite:
    - Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-2700 1-implementation/

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • Certification and cloud providers


    How am I going to become 27001 compliant without implementing 27017? Is there perhaps a document where I can write that we have outsourced security in the cloud to this ISO-certified provider? Will that be enough?

    Challenging my sponsor to either implement ISO27017 or in-source all outsourced data, will be complicated, to say the least.

    Answer: First of all, even though your organization uses cloud services, it doesn't need to implement ISO 27017 to be compliant with ISO 27001. It is true that ISO 27017 provides cloud oriented recommendations and guidelines to help implement controls from ISO 27001 Annex A, but ISO 27001 controls are generic enough to cover cloud information security risks without the need to relay on ISO 27017.

    Considering the fact that almost all data is placed at cloud pro viders, the main documents you should consider to record and handle this situation are the ISMS scope (where you have to state that some organization data are handled by cloud providers), the Statement of applicability (where you have to state which controls are to be implemented by cloud providers), and the service agreements/contracts signed between the organization and the cloud providers (where you have to include information security clauses the cloud providers must comply with).

    You should note that, even if your sponsor wants to fulfil only the bare necessities of ISO 27001, since the data placed on cloud providers, the organization will have to consider these providers when performing the risk assessment and risk treatment process required by the standard, at risk of leaving a significant part of the information out of the process and thus not being able to comply with the standard.

    This article will provide you further explanation about ISO 27017:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    These articles will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  • QMS scope narrowed to one department

    In our Department, there are about 7 units, and about 100 employees. My question is whether the Department can get ISO 9001 . Regardless Our organization get it or not?..

    Answer:

    Theoretically, it is possible but I'm failing to see the value in it. QMS is developed to be applied in whole organization and it contain requirements for the entire organization. If you decide to implement it only in one department, it means that the rest of the organization will be the client and supplier of this department, and on the level of the department you will have to define processes, such as purchasing, design and development, etc, and implementing it in just one department would have arguable effect on the conformity of the organization products and services and customer satisfaction. Implementing some parts of the standard can be ben eficial for the department, but implementing QMS that will only cover one department would cause the department to have redundant bureaucracy and not much more

  • Quality objectives and risks


    Answer:

    Fast and short answer: No. It is not a requirement of the standard. On a second thought, doing that can be considered a good project management practice, something called “premortem method”. You can determine the new risks and incorporate actions to deal with them embedded in the quality objectives implementation plan.

    The following material will provide you information about quality objectives and risks:

    - ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
    - How to address risks and opportunities in ISO 9001 - https://adv isera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Scope definition


    We have yet to start on anything yet.

    Let describe the situation.

    - Our company was awarded a concession contract by the government to build a system (operate and maintain for 10 years).
    - A subsidiary was set-up to design and built this system for the government.
    - The Info security and IT business continuity design must comply to ISO 27001/27002 and 22301 requirements.
    - It is a greenfield project (it will replaced all together the old system and infrastructure)

    Questions:

    1 - We would like to start in defining the scope of ISMS – As it involve the customer sites (the government agency and its branches), and also development (at new subsidiary) and the operations (a command center, DC & DR) at customer sites – how do we scope this ISMS implementation?

    Answer: An ISO 27001 ISMS scope can be defined in terms of locations, processes or business units, so, considering the information you provided, you may define the ISMS scope in terms of customer and subsidiary locations, and the business and supporting processes and infrastructure related to the information system you have to operate and maintain, as well as the related development and maintenance processes. For example:

    "The ISMS scope comprises the process XYZ performed by the information system ABC, and its related infrastructure, which is operated and accessed from the following locations: customer site address 01, ..., customer site address n.

    Also comprises the ISMS scope the information system development and maintenance processes performed at subsidiary site address."

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2 - How do we conduct the risk assessment – there is no (infrastructure) assets (it is a greenfield project) for us to identify. Asset based risk assessment will be a bit difficult to implement. Can you advise and point to the right resources for scenario based RA or other risk assessment methodology that is suitable. The context of risk assessment should cover the company (who develop the system) and also the government agency (where the system will be in operation).

    Answer: Since you are working with a greenfield project, first you should identify the requirements, assumptions and constrains for this system, its related IT infrastructure, and the locations where the system will operate, so you can devise how this implementation should be performed (as in all project, you have to identify the deliverables in order to know what you have to build and how).

    After that you can create a scenario on which the system will operate and then you can identify the elements you should consider in your risk assessment. For example, in one site you can identify that you may have an average of 1000 simultaneous accesses and that it is in a highly populated area subject to storms and floods. This information will give you an idea about the systems requirements (either for software and infrastructure).

    You also should consider information from the current system (e.g., configurations, schemes, incident history) so you can have an idea of what this new system should have and what it should avoid.

    Considering this approach, you can use the asset based methodology to perform your risk assessment.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • ISO 27001 Lead Auditor or CISA?


    Which one should I choose?

    Answer: This will depend of the type and depth of the activities you desire to perform. If your want to focus on information security management, you should consider ISO 27001 LA. If you want to go beyond the scope of information security, and also consider the strategic relationships between information security and the information systems and business objectives you should consider CISA. Please note that these courses do not exclude each other, they only offer different perspectives about how information interacts with business.

    This article will provide you further explanation about CISA and ISO 27001:
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    This material will also help you regarding ISO 27001 Lead Auditor:
    - ISO 27001 Lead Auditor Course preparation train ing [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
Page 838-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +