Answer: Yes, you may have problems with this approach. Information needs change more dynamically than other common aspects used for scope definition (business units, processes and business locations), and you may end up with more administrative effort to manage this kind of scope.
Besides that, you also may have processes working with information that is both inside and outside the scope, and this requires more effort than simply considering all the information included in the scope.
Answer: For a manufacturing company, information assets you may consider would be product specifications, production line configuration parameters, production reports, client lists, production plans, etc. The main idea is that you think about which kind of information can have an impact on your production if it were disclosed, changed without authorization or lost.
These materials will also help you regarding identification of information assets:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-toimplementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Segregation of responsibilities
Answer: When there is a single person responsible for both networks and applications, there is an increased risk that a malicious or unintentional misconfiguration leaves information exposed to unauthorized people.
For example, application servers sharing the same network with workstations makes infrastructure administration easier, but increases the risks of unauthorized access. Another example is an administrator who opens a service port on a server and, by configuring a network path, uses it to remotely access the server when organizational policy prohibits that.
By segregating network and application responsibilities, it is more difficult for a single person to make such a mistake or intentional violation of access rights.
Answer: Risk reduction is an option where you take action to reduce the probability of an incident occurring (for example, by installing antivirus software you minimize the chances of a computer being infected) and/or the impact of an incident if it happens (e.g., by using backups, if for any reason you lose a file, the backup can be restored to recover part or all of the information).
Risk sharing is an option when you decide either to transfer the operational management of the risk to a third party, or to buy insurance to minimize financial losses if an incident occurs. You should note that in the case of risk sharing the final responsibility for the risk still remains with the organization.
Answer: The main purpose of Privacy Impact Assessments (PIAs) for the EU GDPR is the identification of risks to the privacy rights of individuals when processing their personal data, so proper measures can be taken to protect them. In this context, risk assessments based on standards like ISO 31000, and more specifically ISO 27005, fit perfectly for this purpose. In fact, by simply implementing ISO 27001, complemented by ISO 27018, you will cover most situations related to privacy risks.
Answer: Without relying on an IDS system, the best option to measure the probability of a breach, or improvements in security from implementing new controls like two-factor authentication, would be to perform periodic penetration tests and/or vulnerability assessments. They can provide a snapshot of your situation and help you manage potential risk.
References on Procedure for Document Control in Toolkit
Answer: The document control procedure, as well as many other documents in the ISO 27001 documentation toolkit, was developed to be compliant with both the information security management system and the business continuity management system. That's why you will find references to these standards. If you did not implement the business continuity management system, you can simply delete these references. Their deletion won't impact your ISMS.
Supply chain risks
Answer: The parameters used for measuring vulnerabilities in supply chain risks will be the same ones you use for measuring your own organizational risks (e.g., low, medium, and high).
What is different when you consider the supply chain is that there will be new types of threats and vulnerabilities usually not found in internal operations (e.g., shared resources between tenants, contractual breaches, etc.).
Answer: No. The course was designed to help you understand ISO 27001 and manage risks using its content, but to do it properly you should attend all modules related to clauses 6 (Planning), 8 (Operation) and Annex A, which would be modules 2, 3, 4, and 6. If you attend only module 3, you will miss items like information security objectives [clause 6.2] and applicable controls [Annex A].
Answer: There is no direct requirement (in ISO 20000) to audit the internal auditor. If you consider that the internal audit is performed before the certification audit, that could be seen as a kind of audit of the internal audit. But an explicit requirement doesn't exist.