Sir,
Can you please put some light on these two scenarios:
1. I've created a webpage, which is hosted on the servers of organisation A. The webpage is just a GUI; at the backend, we're utilising the services of SAINT... basically, our organisation provides customers a GUI and pays SAINT for the services running behind our webpage.
Can you please point out any interfaces and dependencies involved here?
2. We're using a product called AlienVault for the SOC analysis. In our organisation we have terminals for analysis (traffic, vulnerabilities in systems, etc.). At our customers' end we have installed AlienVault software at some nodes. All the logs reside on the servers of AlienVault.
Can you please help me figure out the interfaces and dependencies in both the scenarios above?
ISMS interfaces and dependencies
In fact, ISO 27001 does not require the interfaces and dependencies to be documented (only to be considered when defining the scope), so documenting them because of the standard alone would create an additional document to be managed without need. In other situations where documentation of interfaces and dependencies may be required, the way to document them should be considered on a case-by-case basis (e.g., network interfaces and dependencies are better described in a network diagram, service interfaces and dependencies in SLAs, activity interfaces and dependencies in process workflows, etc.).
Controls to software related risks
Answer: For these risks I suggest you consider the controls A.12.5.1 (Installation of software on operational systems) and A.12.6.1 (Management of technical vulnerabilities). These controls will provide you with recommendations like periodic review of your installed software, which will help you handle such risks.
Answer: In fact, both combinations are possible: these can be two separate persons, or one person can perform both roles, but you should note that while the asset owner is responsible for the protection and management of an asset, considering all risks related to that asset, the risk owner is accountable for, and has authority for, managing a risk, considering all assets that can be associated with that risk, which are quite different things. So, before assigning a person to both of these roles you should ensure he/she will not be overburdened by these activities.
Answer: Our templates do not offer such specific details about backup and recovery (each organization has unique requirements that make it impractical to develop a checklist covering all possible situations).
What we can offer you is a template for our Backup Policy (you can take a look at a free demo at this link: https://advisera.com/27001academy/documentation/backup-policy/). In this document you can define your backup and recovery strategy (e.g., weekly differential backup, monthly full backup, etc.), and once this is defined it will be easier to develop a checklist.
Since this template is ISO 22301 and ISO 27001 compliant it can help you evaluate what you already have done.
Freeware software on product environment
Answer: ISO 27001:2013 does not define what can or cannot be allowed/accessed in an organization, but requires that any decision made is based on the results of a risk assessment, applicable legal requirements and top management decision. So, you should consult these sources to verify if you can allow/access freeware on production environment.
What I can tell you is that some freeware has licenses that forbid its use in commercial environments (you have to use the paid version), so you should consult the terms of the software you are considering.
Answer: Yes, you can include in the scope of an ISO 27001 certification only part of your infrastructure (in this case the network you share with your customer). An ISO 27001 scope can be defined in terms of processes, information or locations.
But it is important that your organization evaluates whether this division will not cause more administrative effort than including the whole organization in the scope. This is because ISO 27001 also requires that the scope interfaces can be identified and managed, and if your internal and external networks share a significant number of resources or contact points, it may not be worth treating them separately.
Development of new product and ISO 14001 certificate
Answer:
Development or introduction of a new product doesn't necessarily impact the existing EMS (Environmental Management System). If the process of making the product is the same as for the products already produced in the company, then there is no need for changes.
If the production process or materials used are completely new for the organization, you need to conduct identification and evaluation of environmental aspects of all activities related to production of the product and if there are significant ones, you need to develop and establish operational controls.
There are no universal rules for the safety of all products. Safety requirements for some products are defined by legislation or CE marking, or by customer requirements. It is not common to define requirements for product safety in contracts, simply because such requirements are implied. Or, it can be part of customer requirements as a requirement for raw materials to be used or product features to be demonstrated.
In your case the product safety can be demonstrated by providing attestation of the safety of raw materials or by testing the durability of the product (harness) under strain or other product features. Basically, you need to demonstrate that your product is safe for use and fit for its purpose and, maybe, you can consult your customer on how to demonstrate this.
Definition of implementation for an ISO 27001 project
Answer: The calculator considers as the required time for implementation the performing of at least one cycle of the Information Security Management System, which starts with understanding the organization's context (standard's clause 4.1), goes through implementation, operation and control of the system, and finishes with the outputs established in the management review of the system (standard's clause 9.3), covering decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Basically, the calculator will tell you the time needed for your company to become ready for the certification.
The 3 months of the system in operation is required by some certification bodies, but not all. Therefore, our calculator did not take this time into account.