
  • BCP content


    Disaster declaration procedure: this content focuses on criteria to be evaluated so a disaster situation can be identified and properly communicated.
    Emergency notification procedure: this content focuses on the means and activities required to alert people about an emergency situation. This content differs from disaster declaration because it considers faster and local responses (e.g., a building evacuation), while disaster declaration involves incidents of greater scale.
    Incident response procedure: this content focuses on how to react initially to an incident in order to reduce the damage.
    Recovery procedure: this material focuses on the activities required to bring operations back to agreed service levels, regardless of whether this happens on the original site or not.

    2 - What other procedures are contained in the BCM plan other than the above?

    Answer: You can also find as BCP content:

    a - the communication plan, covering activities to ensure information flow for the organization's employees and emergency services, as well as which information should be communicated to the media.
    b - specific procedures for critical assets, like servers, information systems and key personnel.

    3 - Should the BCM plan be one big book containing the above or should each be written separately?

    Answer: Since BCPs cover multiple issues, in operational terms you should keep multiple BCPs, each one of them as small as possible, with only the necessary information for each team that will use them (e.g., systems recovery team, facilities disaster recovery team, emergency teams, etc.). In management terms, you can also keep one or two copies with all the BCPs, so you can use them to keep track of all plans, which will make their review easier.

    These articles will provide you further explanation about documenting a BCP:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    These materials will also help you regarding:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27000 series quotations in academic work


    (I am doing a TCC (Course Completion Work) on Information Security Policy in the course of Information Systems and would like to know if I can quote texts from the ISOs of the 27000 family as direct and indirect quotations in the TCC, even without actually buying any standard.)

    Answer: To access the content of the standards you do not necessarily have to buy them. You can access them through a library or another authorized source (e.g., a standard acquired by the company where you work).

    If you have had access to the content of the standards in an authorized manner, you can make use of direct quotations. Otherwise, you should only use indirect quotations, referencing authors you have read in an authorized manner who include these standards in their own bibliographies.
  • ISO 9001 nonconformities during IATF 16949 internal audit

    Thank you in advance and wish you a nice day,

    Answer:

    IATF 16949 includes all requirements of ISO 9001:2015, so if you find nonconformity regarding ISO 9001 requirements, that nonconformity can be raised during IATF 16949 internal audit.
  • Internal auditor competence in IATF 16949


    Answer:

    Requirements for internal auditors in IATF 16949 have been increased compared to the previous version of the standard. The standard now directly refers to ISO 19011 regarding the competences of the internal auditor; the rest of the requirements regarding internal auditor competence are located in clause 7.2.3. There is an explicit requirement for internal auditor training to be provided by a competent trainer, and the records about the trainer's competency need to be retained.

    If the internal auditors meet requirements of the standard in terms of competency, no further certification is necessary, unless it is explicitly required by the company's customer.
  • Management representative and ISO 9001:2015

    No, you do not need an MR in the new version of the standard.
  • ISO 27001 study material


    I don’t have the official ISO 27001 requirements with all the clauses and annex A. I also don’t have the best practices ISO 27002.
    Since I not only plan to perform internal audits (maybe later external audits) but also consult clients in the implementation of ISO27001, I want to learn more about the details in ISO27001 and ISO27002.
    1 - Are there any online implementation courses you can recommend?

    Answer: You can learn about the details of ISO 27001 and the implementation steps in our ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/, and if you want more thorough training on the implementation, then I would recommend the ISO 27001 Lead Implementer Course - unfortunately, we do not offer such a course.

    This article will provide you further explanation about the ISO 27001 Lead Implementer course:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like

    This material will also help you regarding ISO 27001 study material:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

    2 - Where should I buy the official requirements of ISO27001 and ISO27002? Here: www.iso.org?

    Regarding the acquisition of the standards, the ISO site is exactly where you have to go. Here are the links for the standards:
    - ISO 27001 https://www.iso.org/standard/54534.html
    - ISO 27002 https://www.iso.org/standard/54533.html

    Since you are considering offering consultancy services, I suggest you take a look at our consultants' toolkits at this link: https://advisera.com/27001academy/consultants/

    These materials can help you develop policies, procedures, and plans, as well as manage project tasks and interested parties.

    These materials will provide you further explanation about becoming a consultant:
    - How to become an ISO 27001 / BS 25999-2 consultant [free webinar on demand] https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
  • SLA and ISO 27001

    You can use the same logic, but backwards, that is, instead of you being a customer demanding security conditions from a supplier, your clauses would be about the security conditions you, as a provider, are offering to a customer.

    For example, in a clause about backup, as a client demanding from the provider you would include a clause like "the provider should ensure backup copies are made of all classified information and handled according to their respective classification". As a provider offering this service to a client you would have a clause like "as service provider, we will provide the customer with backup copies of all information stated by the customer as sensitive, handling them according to their respective classification".

    To better prepare SLAs for customers, you could check ISO 27001 clause 4.2 (Understanding the needs and expectations of interested parties) and control A.18.1.1 (Identification of applicable legislation and contractual requirements), so you can have a better understanding of the rationale a potential customer can use to identify their security needs.

    This article will provide you further explanation about interested parties requirements identification:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding interested parties requirements identification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Security controls and SaaS


    Answer: The quantity of controls that would become not directly applicable would depend on the results of your risk assessment, so there is no way I can give you a precise number of controls, but most of the controls in sections A.10 to A.13 would not be directly applicable. I used the expression "directly applicable" because in a situation like this, when an organization adopts a SaaS provider, what happens is a risk transfer (your organization transfers the risks related to the operation and maintenance of an IT infrastructure to a third party).

    In this case, the organization has to establish clear security clauses in the service agreement, including the monitoring of provider services, or it may find itself with an environment that is riskier than one run by the organization itself.

    For this situation, ISO 27001 has Annex A.15 (supplier relationships), which covers controls regarding which clauses to include in agreements and how to monitor suppliers. Basically, the security clauses would define that the provider should ensure at least the same security levels the organization would deem necessary if it were running the environment itself.

    So, in the end, what happens is that you change your direct application of many IT-related controls to the application of a few administrative ones, related to contracts and monitoring.

    This article will provide you further explanation about security in cloud computing:

    - Cloud computing and ISO 27001 / BS 25999 https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Risk assessments


    1. The first column of the Risk Assessment Table and Risk Treatment Table ("Number"): should I refer to the applicable unique Asset ID Number that I placed in the first column of the Asset Inventory Table? or do I have to place complete new numbers (i.e. Risk Identification Number)?

    Answer: No, you do not need to refer to the ID number from the inventory list, only use the asset name and asset owner information. You will have to place new numbers, one for each risk associated to the assets in the Risk Assessment Table.

    2. For the risk assessment (likelihood / consequence), do I have to score from a residual risk perspective (i.e., keeping in mind the effect of all existing control measures that are already in place)?

    Answer: Yes, you have to assess the risk considering the effects of all the already implemented controls, and you should identify these implemented controls in the observation column.

    In the video tutorials that come with your toolkit you can access videos that can guide and help you fill in the risk assessment table and risk treatment table.
  • Scope of stage 1 certification audit


    Can they ask you many questions?

    Answer:

    The purpose of the Stage 1 audit is to review the QMS documentation and determine whether it is compliant with the requirements of the standard. There is no requirement to have quality objectives for every procedure. All process procedures are part of operational controls; different processes need to meet the requirements of different clauses, for example, the production process needs to meet the requirements of clause 8.5, the purchasing process needs to meet the requirements of clause 8.4, etc. I noticed that you are mixing processes and procedures, and these are not the same thing; here is an article that might be interesting to you: ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/

    The organization needs to determine what should be monitored and measured, as well as the methods and frequency of monitoring and measuring activities. The standard does not explicitly require that every process has monitoring and measuring, but it can be beneficial in order to monitor the performance of the processes. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/