Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Information security certifications
Answer: CISA is a certification issued by ISACA for persons who fulfills pre requisites related to audit of information systems, while ISO 27001 is a certifiable standard applicable to organization's Information Security Management Systems, but which also has a certification to recognize people capable to audit ISMS's compliant with this standard.
2 - if I have certificate of ISO27001LA and COBIT can it dispens of CISA.
Answer: This will depend of the type and depth of the activities you will perform. If your activity focuses on information security management, ISO 27001 LA would be sufficient. If you want to go a little deeper also considering IT governance activities and technical process, COBIT can help enhance your skills. CISA knowledge would help you perform audits that go beyond the scope of information security, also considering the strategic relationships of the information systems and business objectives.
3 - Who can I use ISO 27001 to audit my company step by step.
Answer: ISO 27001 can provide you the requirements you can use to evaluate your company's capability to plan, implement, operate and improve the practices related to information security used in your process. For more information I suggest you to see these articles: How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/ and How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
4 - What is a future of BCM comparing by IS Audit
Answer: Business Continuity Management and Information Security overlap each other in several points and as business needs for stable and always available information systems grow, the need for professionals who can understand, explain and plan solutions which integrates these two fields will also grow, providing great opportunities for competent people. For more information, please see: Where does information security fit into a company? https://advisera.com/27001academy/blog/2016/10/24/where-does-information-security-fit-into-a-company/
These articles will provide you further explanation about certifications:
- ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
- How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/ -
Risk assessment template
Answer: This situation is related to the "drop down" function in Excel (defining the size of the list of options to show in the drop down list). To find alternatives to adjust the options in your vulnerability selection box, please type "drop down add item" in the search field of Tell Me What You Want To Do in your Excel Functions tab.
The quickest way to solve this situation for you is to include a new line in any part in the middle of the list of vulnerabilities and include your data. After doing that you can reclassify your list in alphabetical order to organize the list with no problem. -
ISO 27001 implementation
Answer: To have a comprehensive overview of ISO 27001 implementation process, I suggest you to take a look at the article "ISO 27001 implementation checklist" (https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/)
Considering the gap assessment, the next step would be for you to prepare a presentation to your top management to show them the organization's current situation regarding compliance with information security good practices. If you already have their support for the project this presentation can help prioritize the most relevant issues. If you do not have their support already, this presentation can help you get their buy in. I suggest you to take a look at these articles to drive you presentation:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- 4 cru cial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
- ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/ -
Training and awareness
Answer: There is no specific video covering training and awareness practices, but you can find useful material on these articles:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
This material will also help you regarding orientation on training and awareness:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Why ISO 27001 – Awareness presentation https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
Please let us know if you have any specific doubt about awareness and training so we can help you. -
Risk management
Dear/Sir
Hi
Thank you very much for your answering and trying to help me, but your answer still not yet enough up to my knowledge .
I went through your articles which covers only 3 standards out of 5 and understand the requirements of risk management for each standard, but the problem couldn't imagine the model of risk management process for all 5 standards together how looks like?, in another words how can we combine all of these risk requirements (5 standards) in one risk management process such as the one in ISO 31000?
I hope that you understand me now and did not disturb you or wast your your time
Thank you again and have a nice time
Kind regards
Nuri -
Control mapping
Answer: Generally, people do not do something (e.g., map controls in risk treatment plan) either because they do not know that this should be done, or because they do not know how to do it. These would be your most probable causes, which can lead to the following root causes: in-existent or unclear risk assessment methodology, or a lack or inadequate training program.
These articles will provide you further explanation about documents elaboration and people training:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
These materials will also help you regarding documents elaboration and people training:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/ -
ISO 27001 and NIST CSF
Answer: NIST Cybersecurity Framework (NIST CSF) provides a policy framework for computer security, while ISO 27001 provides a framework for information protection. ISO 27001 uses a process approach and the PDCA cycle, while NIST CSF uses the approach Identify - Protect - Detect - Respond - Recover.
Since most information today flows in cyber environments, NIST CSF can be used to support many of the IT-related controls described in ISO 27001 Annex A. On the other hand, ISO 27001 management practices can help build, maintain and improve a cyber environment which relies on NIST CSF.
This article will provide you further explanation about ISO 27001 and NIST practices:
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
- ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/ -
ISO 27001 Annex A controls mapping to products and solutions
Nonetheless, if you don't mind for me to ask, do you have a mapping for ISO 27001 (Annex A) to technical controls (such as all of the technical products and solutions); I think it is more on IT/IT Security/CyberSecurity technical controls.
Answer: Since technical implementation will depend on each organization's business and security requirements, the market of technical solutions changes very quickly, and combinations of technologies can result in different levels of security, building and maintaining such mapping is unpractical.
What I can orient you to do is identify first the main concepts your security solution needs, based on the recommendations of Annex A controls (these are not product/technology - oriented) and then contact you regular suppliers or the big players to see what they can offer you to cover you r needs. Regarding specific technologies, maybe you can find information on NIST Special Publications (https://csrc.nist.gov/publications/PubsSPs.html)
This article will provide you further explanation about NIST documents:
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
These materials will also help you regarding ISO 27001 Annex A:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
Project scope definition
Answer: For a good project scope definition you should consider questions about:
- How many locations would be involved
- Which finalist processes should be covered by the ISMS
- How many people work on the processes, and if there are multiple shifts
- The expected time frame for implementing the ISMS
With this kind of information you can have an idea of the effort that will be needed for the project.
This article will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
This material will also help you regarding project sc ope definition:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/