The document controller can be a management representative. The standard does not prescribe required qualifications for the MR, but it is reasonable to expect that the MR is familiar with the requirements of the standard. The MR's responsibilities include coordinating the QMS, defining the internal audit program, reporting to top management, etc.
I would assume that as an audit company, you would have done a lot of work certifying data centers. Hence there will be materials or journals around checklists or things to look out for in ensuring that a data center is fit for purpose. I am currently reading Dejan's book on cyber security. Hope this is a useful hint into what I am hoping to get from you?
Answer: We are a company focused on providing ISO standards related resources so organizations can be compliant with those standards and seek out certification if they desire, but we do not provide audit services.
This checklist can provide you with information on what to consider for a data center according to ISO 27001.
As an external resource I suggest you consult the standard TIA 942, revision A (2014), which specifies the minimum requirements for the telecommunications infrastructure of data centers and computer rooms. For additional information you can take a look at https://en.wikipedia.org/wiki/TIA-942
Answer: No. Although many questions are common, each questionnaire should also contain questions regarding the specific business process under assessment, and elaborating a single questionnaire to try to cover all possible questions is impractical. When you do an interview you adjust your questions "on the fly", depending on the interviewee's answers and your own perception. Questionnaires are useful when you need to gather specific information. When you do not have a focus to work on, it is better to use interviews.
Our ISO 27001 toolkits work with the asset-threat-vulnerability approach, using a risk assessment sheet which needs to be filled out, together with a video tutorial which explains how this is done, so in this case the use of a questionnaire is not really applicable to risk assessment. You can take a look at the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/
Answer: Yes, you may have problems with this approach. Information needs change more dynamically than other common aspects used for scope definition (business units, processes and business locations), and you may end up with more administrative effort to manage this kind of scope.
Besides that, you may also have processes working with information that is both inside and outside the scope, and this requires more effort than simply considering all the information included in the scope.
Answer: For a manufacturing company, information assets you may consider would be product specifications, production line configuration parameters, production reports, client lists, production plans, etc. The main idea is that you think about which kind of information could have an impact on your production if it were disclosed, changed without authorization, or lost.
These materials will also help you regarding identification of information assets:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Segregation of responsibilities
Answer: When there is a single person responsible for both networks and applications, there is an increased risk that a malicious or unintentional misconfiguration leaves information exposed to unauthorized people.
For example, application servers sharing the same network with workstations makes infrastructure administration easier, but increases the risk of unauthorized access. Another example is an administrator who opens a service port on a server and, by configuring a network path, uses it to remotely access the server when organizational policy prohibits that.
By segregating network and application responsibilities it is more difficult for a single person to make such a mistake or to intentionally violate access rights.
Answer: Risk reduction is an option where you take action to reduce the probability of an incident occurring (for example, by installing antivirus software you minimize the chances of a computer being infected) and/or the impact of an incident if it happens (e.g., by using backups, if for any reason you lose a file, the backup can be restored to recover part or all of the information).
Risk sharing is an option where you decide either to transfer the operational management of the risk to a third party, or to buy insurance to minimize financial losses if an incident occurs. You should note that in the case of risk sharing the final responsibility for the risk still remains with the organization.
Answer: The main purpose of Privacy Impact Assessments (PIAs) for the EU GDPR is the identification of risks to the privacy rights of individuals when processing their personal data, so that proper measures can be taken to protect them. In this context, risk assessments based on standards like ISO 31000, and more specifically ISO 27005, fit perfectly for this purpose. In fact, by simply implementing ISO 27001, complemented by ISO 27018, you will cover most situations related to privacy risks.
Answer: Without relying on an IDS system, the best option to measure the probability of a breach, or improvements in security from implementing new controls like two-factor authentication, would be to perform periodic penetration tests and/or vulnerability assessments. They can provide a snapshot of your situation and help you manage potential risk.
References to the Procedure for Document Control in the Toolkit
Answer: The document control procedure, as well as many other documents in the ISO 27001 documentation toolkit, were developed to be compliant with both the information security management system and the business continuity management system standards. That's why you will find references to both of these standards. If you did not implement the business continuity management system you can simply delete these references. Their deletion won't impact your ISMS.