In this toolkit you have templates for Business Impact Analysis Methodology and Business Impact Analysis Questionnaire, which can help you perform a business impact analysis according to ISO 22301, the ISO standard for business continuity.
With this toolkit you also have access to business impact analysis video tutorials that will help you fill out the documents and perform the BIA.
Regarding mapping GLBA and Cyber Security, unfortunately we do not cover this specific issue. We are focused on ISO standards, but since the main concern of GLBA is the protection of the private information of individuals, by implementing an ISMS based on ISO 27001, complemented by ISO 27018, we can ensure you will have a pretty strong base to develop your security controls.
Answer: For an ISMS project you should consider ISO 27001 first, since this standard defines the requirements for an ISMS. This will help you define your project scope and policy. ISO 27002 can help you best in the risk treatment phase, when you need to define details regarding the controls to be implemented.
Answer: You are right in your assumption to substitute the mention of all single employees with a single term, but the correct one to use is "asset user", because this term establishes that the person who handles the laptop at a given moment is the one responsible for its security. Defining "all employees" as an asset owner is the same as defining that no one is responsible for it.
Also, in the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
Document Control
If the forms are the same in terms of content, you can use the same control number.
Risks related to ID cards
Answer: The two main risks are:
1 - The employee won't have access to areas or systems which require the ID card as part of the access control until he gets a replacement, becoming unable to perform his activities, which may cause delays in services, non-compliance with deadlines, or loss of business opportunities.
2 - If he leaves the ID card in some place where other people can find it, someone can try to impersonate that employee and gain unauthorized access to areas and systems, and may also perform activities in the name of the employee, which can cause embarrassment for him and the organization.
Answer: Besides the information security policy, which is a requirement for an ISO 27001 ISMS, we have other policies that are more operational. Since you stated you want something more generic, I suggest you take a look at our Acceptable Use Policy, which defines clear rules for the use of the information system and other information assets, and may meet your needs. The link for a free demo of this policy is https://advisera.com/27001academy/documentation/it-security-policy/
You just have to scroll down the screen a little to find the free demo tab.
I have already downloaded the DEMO before, and the question is based on the demo. I do not want to buy a package that is only an extension of ISO 27002 without technical suggestions and parameters. Is it possible to present me an example (one sentence) from Access control policy, 3.7 Technical implementation or any other? I hope you understand my doubts.
Answer: By your description, I'm assuming you downloaded our free toolkit demo, and in this one only parts of each document are available. To see the whole document you should go to the single document web page of the document you want to see. In the case of the Access control policy the link is https://advisera.com/27001academy/documentation/access-control-policy/
To find the Free demo you only have to scroll down the screen a little to find the Free demo tab.
In terms of content, our templates describe what should be done and by whom (in terms of job titles).
In terms of how things should be done, the templates point out where this information should be included, and in a few cases there are comments with suggestions. Since each organization is unique in its needs, it is impractical to try to list or include technical content in all templates. In other words, all the technical details need to be filled out by the company, since they differ from one company to another.
Regarding the Access control policy, section 3.6 - Technical implementation, examples I can give you are:
The allocation/revocation of access rights is made by the following persons:
- ERP system: System Administrator
- Intranet network: Network Administrator
- Printing service: Head of department xx
- Data center access: Head of IT department
If you still have any doubts about how our templates can help you, you can schedule a meeting with Aleksandar, our representative, at https://meetme.so/aleksandarbozovic , so he can provide more information to you.
Audit Objective
Audit objectives are basically the same thing as audit criteria - for example, "compliance with ISO 27001:2013", "compliance with ISMS policies and procedures", "compliance with requirements of interested parties".
This is why we didn't specifically mention audit objectives in our documentation, because this would be a duplication of information - therefore, in the Internal Audit Program, you can use the column "Audit criteria" for that purpose.
With the toolkit you also have 60-day access to our video tutorial "How to Write ISO 27001/ISO 22301 Internal Audit Procedure and Audit Program", which can help you perform your audits.