  • ISO 27001 Gap Analysis Tool


    Answer: Yes, our ISO 27001 Gap Analysis Tool (https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/) covers all 14 sections of ISO 27001 Annex A.

    On each section you will find objective questions that will help you verify whether you can consider a control implemented, or what you still need to consider for its implementation.

    This article will provide you with further explanation about gap analysis:
    - ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
  • Information as an asset


    Answer: ISO 27005 (Information security risk management) considers two types of assets:
    - Primary assets: business process and activities, and information itself
    - Support and infrastructure assets: hardware, software and other elements on which primary assets rely

    Considering this, you should treat both the customer information and the database storing it as assets. This makes sense because the same information can exist in many different formats (e.g., in paper reports and in people's minds), which will require completely different practices to be implemented to ensure its protection.

    This article will provide you with further explanation about information assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding information assets:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Vulnerabilities identification


    Answer: In fact, the best approach is to consider every information source you can access (Nessus reports, manual reviews, market trends, etc.), because each of them fits different situations better. For example, Nessus is perfect for finding vulnerabilities that are known and whose evaluation procedures can be automated, but it is not good for scenario and context evaluation, something we humans are still best at. Market trends can help you figure out vulnerabilities that in principle may be outside your day-to-day activities.
  • Standard for Disaster Recovery

    What is the best ISO standard for a DRP (disaster recovery plan)?

    Answer: For information and communication technology readiness, the main ISO standard for disaster recovery is ISO 27031 (Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity). For a more systemic view you may consider ISO 22301 (Societal security -- Business continuity management systems -- Requirements), which provides a basis for business continuity management, which also includes disaster recovery planning, together with the practices of ISO 22313 (Societal security -- Business continuity management systems -- Guidance).

    These articles will provide you further explanation about ISO 27031, ISO 22301 and ISO 22313:
    - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
    - What is ISO 22301? | 27001Academy - Advisera https://advisera.com/27001academy/what-is-iso-22301/
    - ISO 22301 vs. ISO 22313 https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/

    This material will also help you regarding Business continuity management:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27001 Annex A


    "Answer: Annex A is at the end of the ISO 27001 standard. The control objectives can be found right below the title of the sub-section of the control you want to apply."

    But we cannot find Annex A.

    Answer: Unfortunately, Annex A is not a part of the toolkit, because it is a part of the ISO 27001 standard, published by ISO (https://www.iso.org), and we cannot make it available as part of our toolkit because that would be a violation of ISO's intellectual property rights.

    You can buy ISO 27001:2013 standard at this link: https://www.iso.org/standard/54534.html

    In our template for Statement of Applicability you'll find a list of all the controls from the Annex A, and in the folder "08 Annex A" you will find all the templates you need to become compliant with the Annex A.

    For an overview of Annex A, I suggest you attend our free online ISO 27001:2013 Foundations Course (https://advisera.com/training/iso-27001-foundations-course/)
  • Keeping records for certification audit


    Answer:

    If the organization has implemented the standard for the first time, the records should be kept from the moment when the standard was implemented and the documents and records were approved. It wouldn't be reasonable to expect organizations to keep the documents required by the standard, or to be compliant with the standard, before the implementation.
  • Uncontrolled Copy and New Issues in ISO 9001 2015

    So, there will be no more unreasonable and conflicting findings on each assessment. Regards, sfroel
  • Continual improvement

    Continual improvement is carried out through the objectives set by top management. At a minimum, the quality objectives must address:
    - Improving internal efficiency
    - The requirements of individual customers
    - The level of performance your market sector expects

    Each improvement requires a commitment of resources, which top management will prioritize, especially if investment is needed.

    Improvement opportunities are obtained from the following sources:
    - Customer satisfaction
    - Customer complaints and feedback
    - Market research and analysis
    - Input from employees, suppliers and other interested parties
    - Internal and external audits of the quality system
    - Records of product or process nonconformities
    - Process and product data and characteristics, as well as their trends

    The continual improvement process is a requirement that is not mandatory to document. However, implementing a procedure for continual improvement is appropriate for most businesses.
  • BS EN ISO IEC 27001 2017


    https://www.bsigroup.com/en-GB/iso-27001-information-security/BS-EN-ISO-IEC-27001-2017/

    Info is from this website, plus there are others referring to it.

    Answer: The change was only in the presentation form of clause 6.1.3 d), related to the Statement of applicability, and does not include any new requirements. You can see the ISO TECHNICAL CORRIGENDUM 2, that defined this change, released at 2015-DEC-01, at this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:cor:2:v1:en

    Former text: "d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;"

    New text: "d) produce a Statement of Applicability that contains:
    - the necessary controls (see 6.1.3 b) and c));
    - justification for their inclusion;
    - whether the necessary controls are implemented or not; and
    - the justification for excluding any of the Annex A controls."
  • Identifying threats and vulnerabilities


    Answer: I'm assuming you are talking about the article "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities" (https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/). That said, technically there is no difference whether you start by identifying threats or vulnerabilities (the choice basically depends on which element you know best, considering your context). However, in operational terms, the best approach is to identify the vulnerabilities first, since they are easier to confirm (the assets and controls that may have them are under your management). In the case of threats, especially those external to your organization, you will not always have enough information to confirm whether they are applicable.

    This material will also help you regarding threats and vulnerabilities:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
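    An added, constructed example (not part of the answer above, nor code from Advisera or from Nessus) that ties this answer to the earlier one on vulnerabilities identification: the script starts from the vulnerabilities, parsing a small hand-written export in the .nessus v2 layout, then matches each finding to the supporting asset it was found on, to the primary assets (ISO 27005 sense) that depend on that host, and to candidate threats from a tiny catalog. Anything the scanner cannot place in context, a host missing from the asset register or a finding with no catalogued threat, is queued for the manual evaluation the answer describes. The element and attribute names follow the real .nessus v2 structure; the hosts, plugin IDs, plugin names, asset register and threat catalog are all invented for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the .nessus v2 export layout. Hosts, plugin IDs and
# plugin names are invented for this example, not taken from a real scan.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="quarterly-internal-scan">
 <ReportHost name="10.0.1.20">
  <HostProperties><tag name="host-ip">10.0.1.20</tag></HostProperties>
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="900001"
              pluginName="TLS 1.0 Protocol Detection"><risk_factor>Medium</risk_factor></ReportItem>
  <ReportItem port="22" protocol="tcp" severity="0" pluginID="900002"
              pluginName="SSH Server Type and Version"><risk_factor>None</risk_factor></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.1.30">
  <HostProperties><tag name="host-ip">10.0.1.30</tag></HostProperties>
  <ReportItem port="5432" protocol="tcp" severity="4" pluginID="900003"
              pluginName="Unsupported Database Server Version"><risk_factor>Critical</risk_factor></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.1.99">
  <HostProperties><tag name="host-ip">10.0.1.99</tag></HostProperties>
  <ReportItem port="21" protocol="tcp" severity="2" pluginID="900004"
              pluginName="Anonymous FTP Enabled"><risk_factor>Medium</risk_factor></ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>"""

# Asset register in the ISO 27005 sense: each scanned host is a supporting
# asset, listed with the primary assets (information, processes) that rely
# on it. 10.0.1.99 is deliberately absent to show an inventory gap.
ASSET_REGISTER = {
    "10.0.1.20": {"asset": "web-01 (customer portal web server)",
                  "supports": ["Customer information", "Online order processing"]},
    "10.0.1.30": {"asset": "db-01 (customer database server)",
                  "supports": ["Customer information"]},
}

# Invented threat catalog: substring of the plugin name -> threats that could exploit it.
THREAT_CATALOG = [
    ("tls 1.0", ["Eavesdropping on data in transit", "Protocol downgrade by on-path attacker"]),
    ("unsupported", ["Exploitation of an unpatched flaw by an external attacker"]),
    ("default credentials", ["Unauthorised access using vendor default accounts"]),
]


@dataclass
class Finding:
    host: str
    port: str
    plugin_id: str
    name: str
    severity: int      # Nessus scale 0..4; 0 is informational only
    risk_factor: str


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten a .nessus v2 document into one Finding per ReportItem."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        ip = host.findtext("HostProperties/tag[@name='host-ip']") or host.get("name")
        for item in host.findall("ReportItem"):
            findings.append(Finding(ip, item.get("port", "0"), item.get("pluginID", ""),
                                    item.get("pluginName", ""), int(item.get("severity", "0")),
                                    item.findtext("risk_factor", default="None")))
    return findings


def build_risk_rows(findings, register, catalog):
    """One risk-register row per vulnerability: supporting asset -> primary
    assets -> vulnerability -> candidate threats. The scanner confirms the
    vulnerability; whether a threat really applies to that asset is a context
    judgement, so rows it cannot place are flagged for manual review."""
    rows = []
    for f in findings:
        if f.severity == 0:
            continue  # informational output: inventory data, not a vulnerability
        asset = register.get(f.host)
        threats = [t for key, ts in catalog if key in f.name.lower() for t in ts]
        rows.append({
            "supporting_asset": asset["asset"] if asset else f"UNREGISTERED HOST {f.host}",
            "primary_assets": list(asset["supports"]) if asset else [],
            "vulnerability": f"{f.name} (plugin {f.plugin_id}, port {f.port})",
            "threats": threats,
            "scanner_risk": f.risk_factor,
            "needs_review": asset is None or not threats,
        })
    return rows


def review_queue(rows):
    """Rows a human must finish: unknown asset or no catalogued threat."""
    return [r for r in rows if r["needs_review"]]


if __name__ == "__main__":
    for r in build_risk_rows(parse_nessus(SAMPLE_NESSUS), ASSET_REGISTER, THREAT_CATALOG):
        flag = "REVIEW" if r["needs_review"] else "ok    "
        print(f"[{flag}] {r['supporting_asset']} -> {r['primary_assets']}")
        print(f"         {r['vulnerability']} [{r['scanner_risk']}] threats={r['threats']}")
```

    Running it on the sample yields three register rows: the TLS and unsupported-database findings land on registered assets with catalogued threats, while the anonymous FTP finding on 10.0.1.99 is flagged twice over (host not in the asset register, no threat catalogued), which is exactly the kind of item the answer says a scanner cannot settle on its own.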