
  • Document Control

    If the forms are the same in terms of content, you can use the same control number.
  • Risks related to ID cards


Answer: The two main risks are:

1 - The employee won't have access to areas or systems which require the ID card as part of the access control until he gets a replacement, making him unable to perform his activities, which may cause delays in services, non-compliance with deadlines, or loss of business opportunities.

2 - If he leaves the ID card somewhere other people can find it, someone can try to impersonate that employee and gain unauthorized access to areas and systems, and may also perform activities in the employee's name, which can cause embarrassment for him and the organization.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    This material will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Information security policies


Answer: Besides the information security policy that is a requirement for an ISO 27001 ISMS, we have other policies that are more operational. Since you stated you want something more generic, I suggest you take a look at our Acceptable Use Policy, which defines clear rules for the use of the information system and other information assets, and may meet your needs. The link for a free demo of this policy is https://advisera.com/27001academy/documentation/it-security-policy/

    You just have to scroll down the screen a little to find the free demo tab.

    This article will provide you further explanation about security policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

    These materials will also help you regarding security policies:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Templates content


    I have already downloaded DEMO before, and the question is on the basis of the demo. I do not want to buy a package that is only extension of ISO 27002 without technical suggestions and parameters. Is it possible to present me an example (one sentence) from Access control policy, 3.7 Technical implementation or any other? I hope you understand my doubts.

Answer: By your description, I'm assuming you downloaded our free toolkit demo, and in this one only parts of each document are available. To see the whole document you should go to the single document web page of the document you want to see. In the case of the Access control policy the link is https://advisera.com/27001academy/documentation/access-control-policy/

To find the Free demo you only have to scroll down the screen a little to find the Free demo tab.

    In terms of content, our templates describe what should be done and by whom (in terms of job titles).

In terms of how things should be done, the templates point out where this information should be included, and in a few cases there are comments with suggestions. Since each organization is unique in its needs, it is impractical to try to list or include technical content in all templates. In other words, all the technical details need to be filled out by the company, since they differ from one company to another.

Regarding the Access control policy, section 3.6 - Technical implementation, examples I can give you are:

The allocation/revocation of access rights is made by the following persons:

- ERP system: System Administrator
- Intranet network: Network Administrator
- Printing service: Head of department xx
- Data center access: Head of IT department

    If you still have any doubts about how our templates can help you, you can schedule a meeting with Aleksandar, our representative, at https://meetme.so/aleksandarbozovic , so he can provide more information to you.
  • Audit Objective


    Audit objectives are basically the same thing as audit criteria - for example, "compliance with ISO 27001:2013", "compliance with ISMS policies and procedures", "compliance with requirements of interested parties".

    This is why we didn't mention specifically audit objectives in our documentation because this would be a duplication of information - therefore, in the Internal Audit Program, you can use the column "Audit criteria" for that purpose.

With the toolkit you also have 60-day access to our Video tutorial: How to Write ISO 27001/ISO 22301 Internal Audit Procedure and Audit Program, which can help you perform your audits.
  • Cloud risks


    1. Do you have a list of threats and vulnerabilities for cloud services?

    Answer: We have some examples available in the Risk Assessment Table that comes with the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit, and here are some examples of threats and vulnerabilities from this document:
- Threats: changes in legal jurisdiction, compromise of the customer's management interface, supply chain failure, unauthorized network access, and resource exhaustion
    - Vulnerabilities: weak passwords, inadequate isolation between tenants, and inadequate supervision of external suppliers

Another source I can recommend is the white paper "The Treacherous 12 - Cloud Computing Top Threats in 2016" from the Cloud Security Alliance (CSA) at this link: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

    2. Would it be possible to talk through our list of assets and threats and vulnerabilities with you?

    Answer: Sure. Included in your toolkit you have 2 web conferences with an expert + review of 5 documents you filled in. You just need to schedule a meeting with me at https://www.meetme.so/dejankosutic
  • Risk treatment


Answer: No. Risk owners are persons from the organization who are responsible for the risks. What can happen is that the risk treatment can be transferred to a 3rd party, but the ultimate responsibility for the risk still lies with the organization.

    This article will provide you further explanation about risk treatment:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    2 - And what about rules for interns?

Answer: The establishment of information security rules for interns must follow the applicable local laws, regulations and other legal requirements. On top of that, you can set any security rules for interns that reflect the risks related to their work.

    This article will provide you further explanation about identification of requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    Additionally, in the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
  • Data classification and labelling


Answer: Data classification and labelling are ISO 27001 controls applied to protect information (controls A.8.2.1 and A.8.2.2 respectively). Information classification is used to segregate information according to its value to the organization and to define which type of controls should be applied to protect its confidentiality, integrity and availability during its life cycle (e.g., information with a high classification may be gathered only by certain people, and must be recorded only on electronic media). Labelling is used to allow people to identify the classification of a piece of information, so they can handle it according to the specified rules.

This article will provide you further explanation about data classification and labelling:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding data classification and labelling:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Security Audit


    Answer: For information regarding security audit I suggest you take a look at the following articles:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Regarding documentation, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit (https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/). This toolkit provides templates to help establish, plan and report an internal audit according to the requirements set in ISO 27001.

    These materials will also help you regarding security audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
