1. Do you have a list of threats and vulnerabilities for cloud services?
Answer: We have some examples available in the Risk Assessment Table that comes with the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit, and here are some examples of threats and vulnerabilities from this document:
- Threats: changes in legal jurisdiction, customer's management interface compromising, supply chain failure, unauthorized network access, and resource exhaustion
- Vulnerabilities: weak passwords, inadequate isolation between tenants, and inadequate supervision of external suppliers
Another source I can recommend is the white paper "The Treacherous 12 - Cloud Computing Top Threats in 2016" from the Cloud Security Alliance (CSA) at this link: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
2. Would it be possible to talk through our list of assets and threats and vulnerabilities with you?
Answer: Sure. Included in your toolkit you have 2 web conferences with an expert + review of 5 documents you filled in. You just need to schedule a meeting with me at https://www.meetme.so/dejankosutic
Risk treatment
Answer: No. Risk owners are persons from the organization who are responsible for the risks. What can happen is that the risk treatment can be transferred to a 3rd party, but the ultimate responsibility for the risk still rests with the organization.
Answer: The establishment of information security rules for interns must follow the applicable local laws, regulations and other legal requirements. On top of that, you can set any security rules for interns that reflect the risks related to their work.
This article will provide you with further explanation about the identification of requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Additionally, in the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
Data classification and labelling
Answer: Data classification and labelling are ISO 27001 controls applied to protect information (controls A.8.2.1 and A.8.2.2 respectively). Information classification is used to segregate information according to its value to the organization and to define which type of controls should be applied to protect its confidentiality, integrity and availability during its life cycle (e.g., information with high classification may be gathered only by certain people, and must be recorded only on electronic media). Labelling is used to allow people to identify the classification of a piece of information, so they can handle it according to the specified rules.
Answer: Yes, they basically have the same meaning (people or organizations that affect or can be affected by the Information Security Management System).
Answer:
To start with the ISO 20000 implementation, you can follow the steps presented in the document:
"ISO 20000 implementation diagram" https://info.advisera.com/20000academy/free-download/iso-20000-implementation-diagram
which is a diagram that shows the ISO 20000 implementation process, from the initiation of the project all the way to the certification.
Additionally, you can use the "Project Plan for Implementation of the Service Management System according to ISO/IEC 20000-1" https://info.advisera.com/20000academy/free-download/project-plan-for-implementation-of-the-service-management-system-according-to-iso-iec-20000-1 which will enable you to keep oversight and maintain control. This includes milestones, roles and responsibilities, etc. Use this document to structure your ISO 20000 implementation project.
Additionally, follow the folder structure in our documentation toolkit; it will also help you keep track of progress and maintain control.
Performing Risk Assessment
Answer: The first thing you should do is write your risk assessment methodology, so you can have at hand all the rules, considerations and steps regarding how to identify, analyse, and evaluate the risks. After all these items are properly documented, you can proceed with the assessment itself (and be sure that people will ask you about these things during the assessment).
Considering the number of people, maybe it would be better to divide them into smaller groups (at most 20 people per facilitator), grouping them by process performed (e.g., accounts receivable, accounts payable, etc.), or by offices (assuming that this number of people are not in the same room), or any other criteria you can use to divide them. Try to work in cycles, considering the threats and vulnerabilities for a specific asset before moving on to another asset. Also consider taking checklists with you to help you identify risks, and paper to take notes of all the information.
Answer: The references to clauses of ISO 27001, or any other references like laws or regulations, can be included in section two of your templates (Reference documents). As for the source of the references you consider relevant to include, you should check the content of the document "List of Legal, Regulatory, Contractual, and Other Requirements".
In the video tutorials that came with your toolkit, you can see examples of how to fill out the details of your policies and procedures.