Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 and NIST CSF
Answer: NIST Cybersecurity Framework (NIST CSF) provides a policy framework for computer security, while ISO 27001 provides a framework for information protection. ISO 27001 uses a process approach and the PDCA cycle, while NIST CSF uses the approach Identify - Protect - Detect - Respond - Recover.
Since most information today flows in cyber environments, NIST CSF can be used to support many of the IT-related controls described in ISO 27001 Annex A. On the other hand, ISO 27001 management practices can help build, maintain and improve a cyber environment which relies on NIST CSF.
This article will provide you further explanation about ISO 27001 and NIST practices:
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
- ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/ -
ISO 27001 Annex A controls mapping to products and solutions
Nonetheless, if you don't mind for me to ask, do you have a mapping for ISO 27001 (Annex A) to technical controls (such as all of the technical products and solutions); I think it is more on IT/IT Security/CyberSecurity technical controls.
Answer: Since technical implementation will depend on each organization's business and security requirements, the market of technical solutions changes very quickly, and combinations of technologies can result in different levels of security, building and maintaining such mapping is unpractical.
What I can orient you to do is identify first the main concepts your security solution needs, based on the recommendations of Annex A controls (these are not product/technology - oriented) and then contact you regular suppliers or the big players to see what they can offer you to cover you r needs. Regarding specific technologies, maybe you can find information on NIST Special Publications (https://csrc.nist.gov/publications/PubsSPs.html)
This article will provide you further explanation about NIST documents:
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
These materials will also help you regarding ISO 27001 Annex A:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
Project scope definition
Answer: For a good project scope definition you should consider questions about:
- How many locations would be involved
- Which finalist processes should be covered by the ISMS
- How many people work on the processes, and if there are multiple shifts
- The expected time frame for implementing the ISMS
With this kind of information you can have an idea of the effort that will be needed for the project.
This article will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
This material will also help you regarding project sc ope definition:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/ -
Customer satisfaction and related departments
Well, in that case you shouldn't be evaluated according to performance of some other department. If there is some way of getting out from this situation is to conduct customer satisfaction survey in a way that provides exact and precise answer on what the client is really complaining and then to conduct a root cause analysis to determine what is causing the problem. This would help your department to demonstrate that it is not its fault -
IATF 16949 implementation process
Answer:
First step in the implementation process is to perform a gap analysis to determine to what level your company is already compliant with the standard and what needs to be done to bridge those gaps. Once you determine what needs to be done, you can develop project plan for the implementation where you will define the activities, deliverables, responsibilities and deadlines.
Than you can start with implementation which contains of developing required documentation and records, updating and establishing processes and performing training and awareness sessions for employees. Finally, you need to conduct internal audit and management review to ensure that your QMS (Quality Management System) is compliant with the standard. Then, you can hire certification body to conduct certification audit. For more information, see: IATF 16949:2016 Implementation diagram https://info.advisera.com/16949academy/free-download/iatf-16949-implementation-diagram
We are in process of developing the IATF 16949 Documentation toolkit that will address all requirements of the standard and will contain all necessary guidelines for filling in the documents. For now, you can see what are the mandatory documents by IATF 16949: List of mandatory documents required by IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/ -
IEC 62443 and ISO 27001
@Rhand Leal Your comment is correct on ISO 27001, but IEC 62443 is a massive standard that ranges from policies, system security and secure development to certifying single products. For instance IEC 62443-2-1 section has a direct correlation list with ISO 27001 -- as they both essentially do the same thing.
Quick overview on relevant parts of IEC 62443:
2-1: Same as ISO 27001
2-4: System policies
3-3: Organizational security
4-1: Secure development
4-2: Single product security
I can understand the confusion since the standards are vague enough you could easily take 3-3 and match it to a single product. However, that's definitely not all that IEC 62443 is.
-
COBIT and ISO 27001
Answer: Unfortunately, Advisera does not have products related to COBIT; however you can use our ISO 27001 Documentation Toolkit to cover many COBIT requirements.
In this link you can take a look at a free demo of our ISO 27001 toolkit and see if it can fulfill your needs: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
You just have to scroll down the screen a little to access the free demo tab.
This article will provide you further explanation about ISO 27001 and COBIT:
- How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/ -
Risk assessment process
Our team has decided to move forward with a new approach for Risk Management, wherein they will not be doing the analysis of the risk identified instead, all the risks for a particular process will be identified, identify the key controls and evaluate them based on the impacts - Financial, Reputational, effectiveness of the existing Controls
Could you please advise, whether there will be any impacts to the organization as well as to our existing ISO certification, if we are deviating from the standard by not performing the Risk analysis
Also, does the standard gives us any flexibility to avoid performing the analysis of risks
Your advise please...
Answer: ISO 27001, in its clause 6.1.2, requires the definition of criteria to assess consequences and likelihood of risks, as well as of how the risk will be calculated, what is basically the definition of risk analysis. So, by not performing risk analysis you are not complying with a standard's requirement.
But the standard gives you flexibility to keep the risk analysis, as well as other steps of risk assessment, as simple as possible, so you can avoid unnecessary effort.
This article will provide you further explanation about risk assessment process:
- How to access consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
These materials will also help you regarding risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Emergency Change
Answer:
There are no specified (at least not in ITIL/ISO 20000) types of Emergency Changes. Quite contrary, emergency changes should be kept at minimum. They are different from organization to organization, so it's hard to tell what could be, exactly, emergency change.
Usually, emergency change are result of emergency incidents or some security issues.
Read the article to find out more:
How to manage Emergency Changes as part of ITIL Change Management https://advisera.com/20000academy/blog/2016/01/19/how-to-manage-emergency-changes-as-part-of-itil-change-management/ -
GAP Analysis
Answer:
Customer facing services are explained in the following article:
ITIL Customer-facing vs. supporting services https://advisera.com/20000academy/blog/2014/05/27/itil-customer-facing-vs-supporting-services/
Additionally, I think that this article can help you with your concerns related to the customer facing services:
How ITIL can help reduce the gap between customers and the IT department https://advisera.com/20000academy/blog/2016/06/28/how-itil-can-help-reduce-the-gap-between-customers-and-the-it-department/
By supporting technology I assume you mean tool that is used for IT Service Management (ITSM). Please check the articles to get further information
5 things to beware of when selecting an ITSM tool :https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/
Free tools for ITSM – supporting IT Service Management for zero tool cost https://advisera.com/20000academy/knowledgebase/free-tools-for-itsm/
Regarding processes and their assessment - there are two issues. Firstly, you can measure GAP between existing processes and ITIL recommendations. ITIL GAP Analysis tool (https://advisera.com/20000academy/itil-iso-20000-tools/itil-gap-analysis-tool/) is suited for that purpose.
Secondly, you can go deeper and see how efficient processes are. For example:
How to measure Change Management efficiency according to ITIL https://advisera.com/20000academy/blog/2016/10/11/how-to-measure-change-management-efficiency-according-to-itil/
How to measure Incident Management efficiency according to ITIL https://advisera.com/20000academy/blog/2015/09/08/how-to-measure-incident-management-efficiency-according-to-itil/