I thought the process for identifying applicable controls is done during the evaluation of risks & risk treatment processes. Could you give me an example?
Answer: According to ISO 27001, clause 6.1.3 d), the Statement of Applicability is required to fulfil these purposes:
- list the necessary controls and their justification for inclusion, whether they are implemented or not, and
- the justification for exclusions of controls from Annex A.
So, presenting the applicable controls is only part of the content you will find in a SoA compliant with ISO 27001. That's why the table presented has the "Not applicable controls" & the "Reason why N/A" options.
Regarding the identification of applicable controls, this is done during the risk treatment processes (the risk evaluation process will help you identify which risks require treatment).
As an example of a not applicable control, if your organization does not access, process or store information at teleworking sites, there is no reason to apply control A.6.2.2 (Teleworking), thus this control is stated as Not Applicable in your SoA.
On the other hand, if your risk assessment identifies the loss of digital information as unacceptable, or if there is a contractual clause or top management decision demanding that this risk be treated, these reasons would be sufficient to justify the applicability of, let's say, control A.12.3.1 (Information backup).
Answer: ISO 27799 (Health informatics -- Information security management in health using ISO/IEC 27002) defines guidelines to support the interpretation and implementation of ISO/IEC 27002 in health informatics, also being a complement to ISO 27001.
While ISO 27001 provides requirements for an Information Security Management System, and ISO 27002 provides guidelines for the controls stated in ISO 27001 Annex A, ISO 27799 provides details, where necessary, to enhance security considering a healthcare environment.
Some examples of areas covered by ISO 27799 are:
- anonymization and pseudonymization of personal health information;
- network quality of service; and
- data quality.
Can you figure out interfaces and dependencies
Sir,
Can you please put some light on these two scenarios:
1. I've created a webpage, which is hosted on servers of organisation A. The webpage is just a GUI; at the backend, we're utilising the services of SAINT... basically, our organisation provides customers a GUI and pays SAINT for the services going on at the back of our webpage.
Can you please point out any interfaces and dependencies involved here?
2. We're using a product called Alienvault for the SOC analysis. In our organisation we have terminals for analysis (traffic, vulnerabilities in systems, etc.). At our customers' end we have installed Alienvault software at some nodes. All the logs reside on the servers of Alienvault.
Can you please help me figure out the interfaces and dependencies in both the scenarios above?
ISMS interfaces and dependencies
In fact, ISO 27001 does not require the interfaces and dependencies to be documented (only to be considered when defining the scope), so documenting them only because of the standard would create an additional document to be managed without need. In other situations where documentation of interfaces and dependencies may be required, the way to document them should be considered on a case-by-case basis (e.g., network interfaces and dependencies are better described in a network diagram, service interfaces and dependencies in SLAs, activity interfaces and dependencies in process workflows, etc.).
Controls to software related risks
Answer: For these risks I suggest you consider controls A.12.5.1 (Installation of software on operational systems) and A.12.6.1 (Management of technical vulnerabilities). These controls will provide you with recommendations like periodic review of your installed software, which will help you handle such risks.
Answer: In fact, both combinations are possible: these can be two separate persons, or one person can perform both roles, but you should note that while the asset owner is responsible for the protection and management of an asset, considering all risks related to that asset, the risk owner is accountable for, and has authority for, managing a risk, considering all assets that can be associated with that risk, which are quite different things. So, before assigning a person to both of these roles you should ensure he/she will not be overburdened by these activities.
Answer: Our templates do not offer such specific details about backup and recovery (each organization has unique requirements, which makes it impractical to develop a checklist to cover all possible situations).
What we can offer you is a template for our Backup Policy (you can take a look at a free demo at this link: https://advisera.com/27001academy/documentation/backup-policy/). In this document you can define your backup and recovery strategy (e.g., weekly differential backup, monthly full backup, etc.), and once this is defined it will be easier to develop a checklist.
Since this template is ISO 22301 and ISO 27001 compliant it can help you evaluate what you already have done.
Freeware software on product environment
Answer: ISO 27001:2013 does not define what can or cannot be allowed/accessed in an organization, but requires that any decision made is based on the results of a risk assessment, applicable legal requirements and top management decision. So, you should consult these sources to verify if you can allow/access freeware on production environment.
What I can tell you is that some freeware has licenses that forbid its use in commercial environments (you have to use the paid version), so you should consult the terms of the software you are considering.
Answer: Yes, you can include in the scope of an ISO 27001 certification only part of your infrastructure (in this case the network you share with your customer). An ISO 27001 scope can be defined in terms of processes, information or locations.
But it is important that your organization evaluates whether this division will cause more administrative effort than including the whole organization in the scope. This is so because ISO 27001 also requires that the scope interfaces can be identified and managed, and if your internal and external networks share a significant number of resources or contact points, it may not be worth treating them separately.