  • Cross Function Security Teams


    Answer: Yes. Provided that the mandatory topics are addressed (e.g., results of tests, controls performance, etc.) and it is possible to identify a periodicity in the conduct of the meetings, there is no mandatory form for holding meetings.

    2 - Can CFST meetings be a replacement for BCC?

    Answer: If by BCC you refer to the Business Continuity Coordinator, this meeting cannot be a replacement. BCC is a function, while the meeting is an activity, so there must be a person in the meeting with the responsibilities of the BCC.

    This article will provide you further explanation about the relationship between ISO 22301 and ISO 27001:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • 27001 certification process


    In any case, I think the answer is probably somewhere in between, and it’s maybe a shared ownership. We’re attempting to draw clear boundaries though in terms of who does what, and I was wondering if you’ve ever seen a RACI chart of the various activities that are involved in certification. This would help us to create clear areas of responsibility, but in the end I still believe that security should ultimately “own” this as it’s an information security standard.

    Answer: Your assumption about shared responsibilities is right. ISO 9001 and ISO 27001 share a lot of clauses that can be managed by both the security team and the quality team, and this is clearer now with the new structure of ISO management standards. I personally never saw a RACI chart in the way you are asking, but who is ultimately responsible for the ISMS/ISO 27001 project is typically someone responsible for security, generally the CISO (Chief Information Security Officer). Regarding other responsibilities, by following the new structure of ISO management standards, you could consider this:

    4. Context of the organization - since in this case the context refers to issues that can prevent the ISMS from achieving its desired outcomes, the security team should be accountable for the deliverables related to it (e.g., ISMS scope).
    5. Leadership - The security team should be accountable for the elaboration of the information security policy and the definition of security responsibilities, as well as for ensuring top management commitment to information security. The quality team should be accountable for the integration of security processes into other organizational processes.
    6. Planning - This section refers to information risk management, and the security team should be accountable for the deliverables related to this section.
    7. Support - The quality team should be accountable for almost all of this section (e.g., provision of resources and competences), with the exception of communications, because this is related to what, when, to whom, and by whom information security issues should be communicated.
    8. Operation - The security team, together with those who have responsibilities defined in the procedures, should be held accountable for the day-to-day security activities.
    9. Performance evaluation - These processes could be integrated into the processes already managed by the quality team, so this team could be held accountable.
    10. Improvement - These processes could also be integrated into the processes already managed by the quality team, so this team could be held accountable.

    In short, common processes and deliverables already implemented for ISO 9001, like internal audit, control of documents and records, and management review, could be assigned to the quality team, and those specifically related to information security could be assigned to the security team; but it is important to note that, for the processes managed by the quality team, the security team becomes an interested party that should be listened to.

    This article will provide you further explanation about integrated management systems:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding responsibilities in the ISO 27001 certification process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Gap Analysis for ISO 22301


    Answer: Unfortunately we do not have a Gap Analysis tool for ISO 22301, but you may take a look at this free white paper "Clause-by-clause explanation of ISO 22301", which helps understand ISO 22301 and may help you in a gap analysis. Here is the link: https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008

    This material will also help you regarding ISO 22301 requirements:
    - Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Assigning value to assets

    Can the asset list consist of assets such as office networks, or does it have to be segregated into further components/devices?
  • How often should the controls be audited


    1. Do we need to annually test every control that is in scope in the SoA? Or do we do this over a 3 year period?

    Answer: If your question is about internal audit, then it would be better if you audit all controls each year, but you can also do it in the 3-year period. If your question was about control A.14.2.8 System security testing or A.12.6.1 Management of technical vulnerabilities (which could also include e.g. pen tests), those activities should be performed continuously or at least periodically, but certainly not only once in 3 years.

    2. How should we best structure our audit plan? Should the audit scope reflect the department or the control objectives being reviewed? For example I could see it would make sense for the audit scope in the plan to be 8 Asset management and then using the checklist provided we can assign the specific tests and responsibilities to the auditors. I could then make up an annual checklist for each control area. What do you think?

    Answer: You can do it both ways - by controls or by departments. If the auditor has more experience, it is probably better to do it by department; if he/she has less experience, then it will be easier by controls.

    By the way, this free online training will teach you everything about performing internal audit: ISO 27001 Internal Auditor Course: https://advisera.com/training/iso-27001-internal-auditor-course/
  • Incident Management implementation duration


    Answer:
    Incident management (as any other ITIL process) implementation duration depends on many parameters which are case-specific, i.e. company-specific:
    - existing process - use this free ITIL Gap Analysis tool to check how your process complies with ITIL recommendations https://advisera.com/20000academy/itil-iso-20000-tools/itil-gap-analysis-tool/
    - know-how - the knowledge level of your staff influences the pace of the implementation
    - tool - if you use a tool, you will speed up the implementation
    - organizational set-up - depending on the complexity of your company, the length of the implementation can vary (usually, bigger organizations need more time).
    - people - this includes the people that you have (number of supporting employees/customers, as well as the people you can involve in the incident management process).

    These articles can help you with more details:
    How much does the ITIL/ISO 20000 implementation cost? https://advisera.com/20000academy/blog/2016/12/13/how-much-does-the-itiliso-20000-implementation-cost/
    Is it possible to calculate ROI for ITIL? https://advisera.com/20000academy/blog/2016/09/13/is-it-possible-to-calculate-roi-for-itil/
  • EU ePrivacy review


    Answer: The European Commission, on 10 January 2017, adopted a proposal for a Regulation on Privacy and Electronic Communications to replace the 2009 Directive, the last update of Directive 2002/58. You can find the proposal at the following link:

    https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications

    These articles will provide you further explanation about EU GDPR:
    - What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/27001academy/blog/2016/10/03/what-is-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Risk management process flow chart


    Answer:

    The ISO 27001 risk management process has the steps that are described in the following article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And regarding the manual, this document is usually called the Risk assessment methodology; you can see how it is created in this article: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    These materials will also help you regarding ISO 27001 risk management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Revising Quality Manual


    Answer:

    It depends on how your existing Quality Manual is structured. If you've followed the clauses of the standard in your Quality Manual structure, you need to restructure its numbering and add the new clauses to the manual. If your manual doesn't follow the structure of the standard, you only need to add information about the context of the organization, address risks and opportunities, and compare your manual to the requirements of ISO 9001:2015 and make adjustments.

    Here you can find more information about Quality Manual and new version of the standard:
    - The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • BCP and ISMS

    While, as per ISO 27001:2013, BCP is to be implemented in the information security aspect of the ISMS.
    Could you please give an example so that I could understand the above statement?

    Answer: ISO 27001:2005 A.14 controls had the objective to ensure the continuity of business operations in case of failure of information systems and to ensure their timely resumption, and these controls basically refer to the same approach as ISO 22301, the ISO standard for business continuity management. On the other hand, ISO 27001:2013 A.17 controls have the objective to ensure only the continuity of the information security capabilities (confidentiality, integrity and availability) in case of a disruptive event.

    So, while the old version had a higher objective (continuity of business operations), requiring the development of full business continuity management, the new version covers only the set of capabilities required to ensure continuity of information security capabilities, which can be achieved by the elaboration of a business continuity plan that may not depend on an organizational business continuity approach (ideally it is better to be integrated into an organizational approach).

    As a practical example, if a data center has access control based on electronic locks and it is hit by a disruptive event that makes all energy sources unavailable, one solution to ensure information security continuity, in this case protected by access control, is to designate a security guard to protect the data center entrance until the electronic locks start to work again. Another example is the use of backup media to protect information availability.