
  • Acceptable use policy and telework


    Answer: Yes, because the ‘Acceptable Use Policy’ provided with your ISO 27001 & ISO 22301 Premium Documentation Toolkit defines clear rules for the use of the information system and other information assets, including rules regarding the prevention of unauthorized access to mobile devices both within and outside of the organization’s premises.

    Regarding mentioning it in the Risk Treatment Plan, you should do this only if the control is still to be implemented or if you decided to make changes in the current implemented policy.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk treatment.

    2 - What does the Standard say about an employee who works from home?

    Answer: Regarding employees who work from outside the premises, the standard has the control A.6.2.2 - Teleworking, which basically means the organization has to ensure that proper security measures are implemented at the site and on communication services to ensure proper access, processing and storage of information.
  • Risk acceptance


    Answer: For ISO 27001, there are three possible justifications to not implement a control:

    1) there is no relevant risk that justifies the control implementation;

    2) the organization decides to accept the risks in all situations which would justify the control implementation; and

    3) the organization decides to accept the risks in a case by case basis, i.e. implementing the control in some projects and not in others.

    For options 2 and 3, the decision could be based on an evaluation of the impacts of implementing the control (e.g., loss of business opportunities, loss of productivity) versus the potential losses caused by an incident that happens because of the control's absence.

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding risk treatment options:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Risk assessment and treatment


    1 - The question is whether any control stated as applicable in the Statement of Applicability should have been identified already in the risk assessment step, e.g. is it possible to have, let's say, contact with authorities as applicable in the SoA but no mention of it in the risk assessment step?

    Answer: Yes, you can have this situation. Maybe a risk you haven't thought about justifies the control, or there might be some regulatory or contractual requirement that requires you to implement a particular control.

    2 - Another question is regarding the risk treatment table. Is it ok to use more than one control as mitigation to specified risk or just a map of one risk one control is more suggested?

    Answer: In fact, in most cases, you will have to implement more than one control to mitigate a risk to acceptable levels. According to our proposed method, in the Risk treatment table you will have to create one row for each combination of the specified risk and the control applied.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
  • Incident vs. Event management


    Answer:
    The difference can be seen from the definitions:
    Incident:
    "An unplanned interruption to an IT service or reduction in the quality of an IT service."
    Event:
    "A change of state that has significance for the management of an IT service or other configuration item."

    Meaning, in the case of an event everything is OK; no error has happened in the service yet. Something just changed, e.g. mail arrived at its destination, a batch job completed, a door opened. Further on, an event can detect malfunctioning, e.g. a port on the router is down. Then it triggers an incident. So, an event can be used for information or to trigger incidents.

    Read more about incidents and events in following articles:
    "ITIL Incident Management" https://advisera.com/20000academy/knowledgebase/itil/-incident-management/
    "ITIL Incident Management benefits – Simple explanation for your top management" https://advisera.com/20000academy/blog/2015/11/24/itil-incident-management-benefits-simple-explanation-for-your-top-management/
    "ITIL Event Management – Entry point of Service Operation" https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
    "Events – a flood or mountain creek" https://advisera.com/20000academy/blog/2013/07/02/events-flood-mountain-creek/
  • Incident Manager characteristics


    Answer:
    The Incident Manager should be someone capable of being efficient in a highly dynamic environment, with organizational, managerial and (if possible) service-related expert knowledge. The article "How to choose an ITIL/ISO 20000 Incident Manager: 5 main characteristics" https://advisera.com/20000academy/blog/2016/05/17/choose-itiliso-20000-incident-manager-5-main-characteristics/ can provide you with more details.
    Additionally, the Incident Manager is usually the same person as the Service Desk Manager. The article "What is the job of the Service Desk Manager?" https://advisera.com/20000academy/blog/2016/09/20/what-is-the-job-of-the-service-desk-manager/ gives you more information.
  • Major incidents vs. high priority users


    Answer:
    Major incidents have a separate procedure due to their scope and (usually) the emergency situation. You can find more details in the following article: "Major Incident Management – when the going gets tough…" https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/
    However, some companies define high-priority users (as you mentioned, P1 users), e.g. the Board of Management, a director or the owner of the company. Their incidents are resolved before other incidents of the same priority. But if there is a major incident and an incident from a P1 user, then the major incident should be resolved first (usually, P1 users are affected by the major incident anyway).
  • Examples of risks and opportunities

    Can you help to complete a few generic examples of risks and opportunities so that I can pick up from there? What I am not clear about is whether I need to list risks separately and opportunities separately, and the actions to mitigate them.

    Answer:

    When identifying risks and opportunities, you need to focus on those risks and opportunities related to the conformity of the products and services you provide, your quality management system and customer satisfaction. Basically, you need to ask yourself what can go wrong in the processes and what can be improved. For example, for the sales process a risk can be a misplaced order, and an opportunity can be to determine what period in the year is best for selling your products and to develop a marketing strategy to seize that opportunity.

    The standard does not define how you will document risks and opportunities so you can do it in any way that you find the most appropriate for your company.

    For more information about risks and opportunities, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Risk assessment, information labelling and security committee

    During implementation of ISO 27001, we had a risk as follows:
    When a customer requests a live demo, the development team is most probably late or not available (has other tasks) to develop this demo. This has led to the loss of opportunities in some cases. The mitigation of this risk is to develop an OLA (Operational Level Agreement) for this service (developing a demo). My question is:

    Is this risk related to ISMS (ISO 27001)? If yes, as per classification, under which control in ISO 27002 it can be considered?

    Answer: Development team late or not available to deliver a demo, leading to loss of opportunity, is a risk related to the process of providing a product, so it is more related to a Quality Management System (QMS), or to a Business Continuity Management System (BCMS), than to an Information Security Management System (ISMS).

    Question 2:
    Regarding to labelling of information classification:

    1- If I use SAP as an ERP, is it a must for me to customize it to label all generated reports with the classification (confidential, internal, ...)?

    Answer: You can define that reports generated by information systems should include classification labels when they have functionalities that allow this to be done in a cost effective way (considering the relevance of associated risks).

    2- If I use non-customized software, how can I label its generated reports?

    Answer: When labelling functionalities are not available, or their implementation is not cost effective, you can insert the classification level in the textual part of the report (e.g., as the first top line), or you can define in the Classification policy that this particular report must be considered as having a specific classification by default, or someone can add the classification label by handwriting it on the report after printing.

    3- Can we have a code like: If there is no label on any documents, this means it is of the type "Internal use"

    Answer: Yes, you can, but as a means to reduce your administrative effort and costs, you should apply it to the most common classification attributed to information in your organization, which may or may not be "Internal use".

    4- If the classification of a printed document changed, what should I do for labeling? (the best implementation for such case)

    Answer: If the classification of a printed document is changed, it has to be substituted by a new version with the new classification label, and the old one must be handled according to the procedure for document control.

    5- In a meeting, one of the employees said that when we label any document with 'Confidential', we give the thief a sign to steal it. So, he does not like to apply classification labels. Another one replied "We have to do it for the sake of ISO 27001. We believe it is useful in some cases but has great side effects that make us not interested in applying this control". What do you think?

    Answer: First, you do not have to do it "for the sake of ISO 27001", but for the sake of your business. Having said that, if a document is classified and marked as confidential, and protected as such, how would a thief get to it? If he can access the document, this means that at some point the access control doesn't work properly.

    Question 3:
    Instead of having CISO, an Information Security Committee has been formulated. The members are HR, QA and IT Managers. The head of this IS Committee is the HR Manager. This committee will play the role of CISO. Are there any concerns about that?

    Answer: ISO 27001 allows you to have team responsibilities for information security, but I think this is a bad idea - when several people are responsible, this actually means that no one is responsible. My suggestion would be to nominate one person who will act as CISO (this person can perform other functions as well), and this person will be responsible for the whole ISMS. Of course, you can still have this committee which will make some bigger decisions.

    These articles will provide you further explanation about these issues:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    These materials will also help you regarding about these issues:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISMS scope definition


    Answer: Theoretically you can, but in terms of added value this may not be the most effective way, because the most sensitive business information will probably be left outside of this scope, since information also exists and flows outside information systems, and the IT department cannot be responsible for information it doesn't own or control.

    Besides that, when considering small and mid-sized businesses, the costs and effort involved in limiting the scope will very often be higher than implementing the ISMS in the whole company.

    This article will provide you further explanation about ISMS scope definition:

    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding ISMS scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Annual auditing of controls


    Answer: After the certification, both the internal audits and the surveillance audits (from the certification body) are mandatory - therefore, you cannot avoid any of them.

    2- The other question is what do you see as the benefit of having a minimal annual system penetration test performed as part of the internal audit?

    Answer: Penetration testing, by effectively trying to breach the system, offers the benefit of increasing the assurance that operational systems are well developed, configured and up to date regarding vulnerabilities patching, something that simple documentation review cannot offer.

    This article will provide you further explanation about auditing of controls:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

    These materials will also help you regarding auditing of controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/