
  • ISO 27001 project


    Answer: The answer to this question depends fundamentally on the type of your business and the needs and expectations of your interested parties. For example, a research and development company will have different critical information assets than a bank. In this case I suggest you first identify which requirements your information security management system needs to fulfil, because those requirements will tell you which are the most critical assets you should focus on.

    See this article for more information: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    2 - Is it true that: the more controls in the Statement of Applicability are applicable, the easier it is to get certified? Or are just all mandatory controls enough? (I know it depends on the risk assessment table, but still)

    Answer: The truth is just the opposite: the fewer controls you need, the easier it is to get certified, because you will have less work to do implementing and managing them. And there is no such thing as "mandatory controls" required by the standard. Documents from Annex A are mandatory only if there are risks which would require their implementation, and this decision is up to the organization. Basically, the justifications in a Statement of Applicability for implementing controls refer to (1) risks, (2) requirements of interested parties and (3) other logic considered by your organization.

    See more information about Statement of Applicability here: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    3 - Any other parts of the project we should put extra focus on?

    Answer: Definitely awareness and training should be on your list, because if people in the organization do not adopt the information security culture, you can have the best procedures and technical controls and still the organization's information won't be safe.

    This article will provide you further explanation about awareness and training:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

    These materials will also help you regarding implementation of ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Mapping from ISO28001 to ISO27002


    Answer: ISO 28001 deals with supplier security, covering more aspects than the ISO 27k series, which covers mostly Information and Communication Technologies issues. You can map ISO 28001 practices to ISO 27002 controls from section A.15 - Supplier relationships, but I suggest you take a look at ISO 27036 (Information security for supplier relationships), which has more detailed information regarding information security with suppliers. You can find this standard on this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27036:-1:ed-1:v1:en

    Regarding the ISO 28001 Annexes, documents from Annex A and B (security assessment and treatment) can be mapped to sections 6.1 (Actions to address risks and opportunities), 8 (Operation), 9 (Performance evaluation) and 10 (Improvement) from ISO 27001.

    Unfortunately we do not have a direct mapping document available.

    This article will provide you further explanation about supplier security:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Benefits of certified auditor


    - This is a great domain to be aware of in terms of cyber security
    - It is able to develop specific communication skills so to identify risks in a company
    - It is establishing a CIA mindset whenever positioning a specific technology

    I wonder what else can be justified so the management to support the certification process and related costs

    Answer: All benefits you mentioned are related to the auditor itself. To get the buy-in from management to support the certification process and related costs, you should explain to them that a certified auditor is more capable of identifying both non-conformities and opportunities for improvement (which are much better) during internal audits, and that knowledge makes it easier to talk with the certification auditor, avoiding misunderstandings and getting useful tips to improve the information security management system.

    These articles will provide you further explanation about benefits of a certified auditor:
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
    - How to approach an auditor in a certification audit https://advisera.com/articles/how-to-approach-an-auditor-in-a-certification-audit/
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/

    These materials will also help you regarding audits and auditors:
    - Book ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27035 and incident management


    Answer: You can see ISO 27035 parts 1 and 2 as an additional deepening of the ISO 27002 recommendations regarding incident management (section 13), while part 3 will cover the effective incident response. So, these parts can be used regardless of the publication of part 3.

    If you already have an implemented incident management process that fulfils your objectives, using ISO 27035 parts 1 and 2 is optional, as a source of possible improvement opportunities. If you are in the process of implementing an incident management process, ISO 27035 parts 1 and 2 can provide more recommendations than ISO 27002.

    This article will provide you further explanation about incident management:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    These materials will also help you regarding incident management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Challenges in auditing and getting the top management on board

    Thanks Strahinja for sharing your knowledge on these questions.
  • Statistical Quality Control


    Answer:

    Statistical Quality Control (SQC) is the term used to describe the set of statistical tools used by quality improvement professionals to monitor, control, and improve products and processes.

    SQC tools fall into three broad categories:

    1. Descriptive Statistics which are used to describe quality characteristics and relationships. Included are statistics such as the mean, standard deviation, the range, and other measures of the distribution of data.

    2. Statistical Process Control (SPC) which involves inspecting samples of the output from a process and deciding whether the process is producing products with characteristics that fall within predetermined control limits. SPC answers the question of whether the process is functioning in a stable and predictable manner or not. Low cost SPC training.

    3. Acceptance Sampling which is the process of randomly inspecting a sample of goods and deciding whether to accept the entire batch based on the results. Acceptance sampling determines whether a batch of goods should be accepted or rejected.
  • Risk assessment in ISO 22301

    Yes, because the general approach is the same, and you can even use asset-based risk assessment for ISO 22301 too, since processes rely on assets, but instead of information security risks, you will assess business risk, which covers a wider range of risks (e.g., RH, financial, environmental, etc.). For more detailed information on ISO 27001 risk assessment you should consult ISO 27005.
    This article will provide you further explanation about Risk assessment in ISO 22301:
    - Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
    These materials will also help you regarding Risk assessment in ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Incidents and Non conformities

    2 - Email exchange is down for some time and there is no email service: major incident? or security incident? or problem?

    I would like to know when to raise them? Even though it is mentioned: NC is non-fulfillment of a requirement and security incident an unwanted event which happened and led to a compromise of business

    Answer: The main criterion you can use to identify what you can raise is the type of impact on business caused by the situation. And you also should note that these options do not exclude each other, so for the same situation you can raise a security incident, a non-conformance, a major incident and a problem. Let's take a look at your examples:

    In example 1 we have a policy not being followed, so you can raise a non-conformity. To know if the situation is also a security incident, we have to know if this caused any impact on the business, e.g., sharing of passwords caused an important file to lose its integrity when users attempted to update it at the same time from different locations. If no impact was perceived, you raise only the non-conformity.

    In example 2, you definitely have a security incident, but you have to identify the impact to classify it as a major incident. How many people were affected by the service downtime? Which business processes were affected? For example, downtime happening on a Saturday night may have less impact than downtime happening at 3 pm on a Thursday. Regarding the identification as a problem, you can only use this classification when you do not know the cause of the downtime, because this situation will lead you to an additional effort to also discover the root cause of the situation, so you can try to eliminate it.

    This article will provide you further explanation about Incidents:
    - Incidents in ISO 22301 vs. ISO 27001 vs. ISO 20000 vs. ISO 28003 https://advisera.com/27001academy/blog/2016/09/05/incidents-in-iso22301-vs-iso27001-vs-iso-20000-vs-iso28003/
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    These materials will also help you regarding Incidents and Non conformities:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • When and where did ISO 27001 start?


    Answer: The origins of this standard were in the British standard BS 7799-2 which was published in 1995; in 2005 the first version of ISO 27001 was published and it replaced the BS 7799-2.
  • Interested party and supplier


    Answer:

    The same organization can be both supplier and interested party; suppliers in general are interested in the success of the company and in expanding the existing contracts. A licensor is a special kind of supplier because it provides the company with licences and has requirements towards the company so it can maintain the licences, so it is definitely an interested party with needs and expectations.

    For more information about external providers and interested parties, please see these two articles:
    - How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
