Answer: If you are referring to our ISO 27001 foundation course, there is no need to buy additional material to take the exam. The information presented in the course will be sufficient to take the exam. But if you are considering another exam, or are still considering acquiring more information before taking our exam, I suggest you take a look at our book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
This book contains an easy-to-follow structure for you to comprehend the ISO 27001 standard and implement it in an organization.
Obsolete equipment disposal
Answer: The most common difficulties regarding the proper disposal of obsolete equipment are:
1) making people aware of the importance of proper equipment disposal;
2) the need for space and access controls to store the equipment before it undergoes the information sanitization procedures;
3) the control of information to ensure that no sensitive data is lost because users forgot to retrieve it from the equipment before sending the equipment for disposal;
4) the disposal of equipment under BYOD terms.
Could you please let me know what type of document I should deliver to auditors? Whether it is a checklist which compares ISO 27001 controls with our policy, or any other type of document?
Answer: I will assume that even though your organization is not ISO 27001 certified, it considers it relevant to follow its practices. Considering this, since ISO 27001 was updated in 2013 and your organizational practices are based on the 2005 version, your organization should present:
1) a management decision on whether it is still relevant to be aligned to ISO 27001 practices after the standard's update (this can be part of the management review content)
2) if management has decided to maintain alignment, you should also provide a gap analysis between the organization's practices and the 2013 version of ISO 27001, the management decision about how to proceed considering the gap analysis findings (e.g., what practices to update, what to keep and what to discontinue), and the action plans regarding the changes deemed relevant.
Answer: CISA is a certification issued by ISACA for persons who fulfill prerequisites related to the audit of information systems, while ISO 27001 is a certifiable standard applicable to an organization's Information Security Management System, but which also has a certification to recognize people capable of auditing ISMSs compliant with this standard.
2 - If I have certificates for ISO 27001 LA and COBIT, can that dispense with CISA?
Answer: This will depend on the type and depth of the activities you will perform. If your activity focuses on information security management, ISO 27001 LA would be sufficient. If you want to go a little deeper, also considering IT governance activities and technical processes, COBIT can help enhance your skills. CISA knowledge would help you perform audits that go beyond the scope of information security, also considering the strategic relationships between information systems and business objectives.
3 - How can I use ISO 27001 to audit my company step by step?
Answer: Business Continuity Management and Information Security overlap at several points, and as business needs for stable and always-available information systems grow, the need for professionals who can understand, explain and plan solutions that integrate these two fields will also grow, providing great opportunities for competent people. For more information, please see: Where does information security fit into a company? https://advisera.com/27001academy/blog/2016/10/24/where-does-information-security-fit-into-a-company/
Answer: This situation is related to the "drop down" function in Excel (defining the size of the list of options to show in the drop down list). To find alternatives to adjust the options in your vulnerability selection box, please type "drop down add item" in the search field of Tell Me What You Want To Do in your Excel Functions tab.
The quickest way to solve this situation for you is to include a new line anywhere in the middle of the list of vulnerabilities and include your data. After doing that, you can reclassify your list in alphabetical order to organize it with no problem.
Dear Sir,
Hi,
Thank you very much for your answer and for trying to help me, but your answer is still not yet enough for my knowledge.
I went through your articles, which cover only 3 standards out of 5, and I understand the requirements of risk management for each standard, but the problem is that I cannot imagine what the model of a risk management process for all 5 standards together looks like. In other words, how can we combine all of these risk requirements (5 standards) in one risk management process such as the one in ISO 31000?
I hope that you understand me now and that I did not disturb you or waste your time.
Thank you again and have a nice time
Kind regards
Nuri
Control mapping
Answer: Generally, people do not do something (e.g., map controls in the risk treatment plan) either because they do not know that this should be done, or because they do not know how to do it. These would be your most probable causes, which can lead to the following root causes: a non-existent or unclear risk assessment methodology, or a lacking or inadequate training program.