Answer: The parameters used for measuring vulnerabilities in supply chain risks will be the same as those you use for measuring your own organizational risks (e.g., low, medium, and high).
What is different when you consider the supply chain is that there will be new types of threats and vulnerabilities usually not found in internal operations (e.g., shared resources between tenants, contractual breaches, etc.).
Answer: No. The course was designed to help you understand ISO 27001 and manage risks using its content, but to do it properly you should attend all modules related to clauses 6 (Planning), 8 (Operation) and Annex A, which would be modules 2, 3, 4, and 6. If you attend only module 3, you will miss items like information security objectives [clause 6.2] and applicable controls [Annex A].
Answer: There is no direct requirement (in ISO 20000) to audit the internal auditor. If you consider that the internal audit is made before the certification audit, that could be seen as a kind of audit of the internal audit. But an explicit requirement doesn't exist.
Risk evaluation
>1 - Is this asset evaluation mandatory in ISO 27001?
Answer: Risk assessment is a mandatory clause for ISO 27001, but you can choose which methodology to use, and assessing asset risks is just one of them. You can also use, for example, scenario analysis, interviews or checklists.
>2 - Can you please tell me what the residual risk acceptance criteria are?
Answer: The residual risk acceptance criteria are the same criteria you use to evaluate a risk. The difference is that they are applied to the risks after the controls deemed necessary are implemented, so you can re-evaluate them to decide whether additional treatment is necessary or whether the risk as it is now will be accepted.
Becoming an ISO 27001 and information security expert
Answer: The path to becoming an ISO 27001 and information security expert goes through acquiring theoretical and practical knowledge of information security and accumulating experience solving daily problems.
So, you should consider buying documents like the ISO 27001 standard (https://www.iso.org/isoiec-27001-information-security.html), attending courses about ISO 27001 and others related to information security, and applying that knowledge to implement security controls and solve daily situations like incidents.
Some organizations also measure an expert by the certifications he holds, so you should also consider including some certifications in your curriculum (e.g., ISO 27001 Lead Auditor, CISSP, etc.).
Access control over Risk Assessment and Treatment Tables
Answer: Risk assessment and treatment tables should be accessed only by those who need to know them to plan, implement, monitor and improve controls to protect information. So, only a few people should have access to them, since most of the organization's people will be users, with no active participation in controls management.
Answer: The sequence for ISO 27001 implementation does not change if you already have ISO 9001:2008 certification. What happens is that some steps become quicker, like the elaboration of documents and the internal audit. You can find a detailed list of steps for ISO 27001 implementation here: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Answer: Yes, the risk assessment webinar covers all steps from risk identification through the risk treatment plan, including preparation of the SOA, but you should note that, for a checklist, the SOA will only provide information about which controls are implemented and why. The auditor should prepare another checklist considering what to audit regarding the implementation.
Answer: ISO 27001 is not a predecessor of ISO 22301. These standards fulfill different purposes (business continuity for 22301 and information security for 27001), but there is a set of controls in ISO 27001, in Annex A section A.17 - Information security aspects of business continuity management, that can be covered by ISO 22301 requirements.
Since these standards have different purposes, we cannot say which one is better. This perception will depend on the organizational context and its purposes, which can tell you which one is more appropriate.