Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 27001 implementation project

    Answer: The main point you should consider to include or not the business process description and scoping as a deliverable in your ISO implementation is if there are other projects or initiatives under way, or in the near future, that will require business process description and scoping (e.g., a information system development, or processes' re-engineering). Depending upon the scope of these other projects, it may be better to treat business process description and scoping as a separated project that will provide input for your ISO implementation. If this is not the case, you may include the business process description and scoping as a deliverable in your project, reducing the administrative load to run two projects. This article will provide you further explanation about ISO 27001 project: - ISO 27001 project – How to make it work https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ These materials will also help you regarding ISO 27001 project: - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Financial benefits of ISO 27001

    Some examples of how the right kind of software can help decrease operational costs are:

    • increasing the number of automatized activities (i.e., fewer people required to perform the same number of tasks)
    • improving response time to handle incidents or deviations in processes results (by means of monitoring features)
    • providing information for decision making (by means of standard or customized reports and dashboards)

    For further information, see:

  • ISO 27001 awareness material


    Answer: Sure. We do have a free download presentation called "Why ISO 27001 – Awareness presentation" you can access through this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation .

    Additionally, you could check this article about topics for ISO 27001 awareness presentations:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    These materials will also help you regarding topics for ISO 27001 awareness presentations:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Cross Function Security Teams


    Answer: Yes. Provided that the mandatory topics are addressed (e.g., results of tests, controls performance, etc.) and it is possible to identify a periodicity in the conduct of the meetings, there is no mandatory form for holding meetings.

    2 - Can CFST meetings be replacement for BCC?

    Answer: If for BCC you refer to Business Continuity Coordinator, this meeting cannot be a replacement. BCC is a function, while the meeting is an activity, so there must be an person in the meeting with the responsibilities of the BCC.

    This article will provide you further explanation about the relationship between ISO 22301 and ISO 27001:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

  • 27001 certification process


    In any case, I think the answer is probably somewhere in between, and it’s maybe a shared ownerships. We’re attempting to draw clear boundaries though in terms of who does what, and I was wondering if you’ve ever seen a RACI chart of the various activities that are involved in certification. This would help us to create clear areas of responsibility, but in the end I still believe that security should ultimately “own” this as it’s an information security standard.

    Answer: Your assumption about shared responsibilities is right. ISO 9001 and ISO 27001 share a lot of clauses that can be both management by the security team as well as the quality team, and this is cl earer now with the new structure of ISO management standards. I particularly never saw a RACI chart in the way you are asking, but who is ultimately responsible for the ISMS/ISO 27001 project is typically someone responsible for security, generally the CISO (Chief Information Security Officer). Regarding other responsibilities, by following the new structure of ISO management standards, you could consider this:

    4. Context of the organization - since in this case the context aims to issues that can prevent the ISMS to achieve its desired outcomes, security team should be accountable for the deliverables related to it (e.g., ISMS scope).
    5. Leadership - Security team should be accountable for the information security policy elaboration and definition of security responsibilities, as well as ensuring top management commitment to information security. The quality team should be accountable for the integration of security processes to other organizational processes.
    6. Planning - This section refers to information risk management and the security team should be accountable for the deliverables related to this section.
    7. Support - Quality team should be accountable for almost all this section (e.g., provision of resources and competences), the exception to communications, because this is related to what, when, to whom, and by whom information security issues should be communicated.
    8. Operation - The day to day security activities should be held accountable by the security team and those with defined in the procedures.
    9. Performance evaluation - These processes could be integrated to the processes already managed by the quality team, so this team could be held accountable.
    10. Improvement - These processes also could be integrated to the processes already managed by the quality team, so this team could be held accountable.

    In short, common processes and deliverables already implemented by ISO 9001, like internal audit, control of documents and records, and management review could be designated to the quality team, and those specific related to information security could be designated to security team, but it is important to note that for the processes managed by the quality team, the security team becomes a interested party that should be listened.

    This article will provide you further explanation about integrated management systems:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding responsibilities in the ISO 27001 certification process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Gap Analysis for ISO 22301


    Answer: Unfortunately we do not have a Gap Analysis tool for ISO 22301, but you may take a look at this free white paper "Clause-by-clause explanation of ISO 22301", which helps understand ISO 22301 and may help you in a gap analysis. Here is the link: https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008

    This material will also help you regarding ISO 22301 requirements:
    - Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

  • Assigning value to assets

    Can asset list consists of asset as office networks or it has to be segregated into further components/devices.

  • How often should the controls be audited


    1. Do we need to annually test every control that is in scope in the SoA? Or do we do this over a 3 year period?

    Answer: If your question is about internal audit, then it would be better if you audit all controls each year, but you can also do it in the 3-year period. If your question was about control A.14.2.8 System security testing or A.12.6.1 Management of technical vulnerabilities (which could also include e.g. pen tests), those activities should be performed continuously or at least periodically, but certainly not only once in 3 years.

    2. How should we best structure our audit plan? Should the audit scope reflect the department or the control objectives being reviewed? For example I could see it would make sense for the audit scope in the plan to be 8 Asset management and then using the checklist provided we can assign the specific tests and responsibilities to the auditors. I could then make up an annual checklist for each control area. What do you think?

    Answer : You can do it both ways - by controls or by departments. If the auditor has more experience, it is probably better to do it by department; if he/she has less experience, then it will be easier by controls.

    By the way, this free online training will teach you everything about performing internal audit: ISO 27001 Internal Auditor Course: https://advisera.com/training/iso-27001-internal-auditor-course/

  • Incident Management implementation duration


    Answer:
    Incident management (as any other ITIL process) implementation duration depends on many parameters which are case i.e. company specific:
    - existing process - use this free ITIL Gap Analysis tool to check how your process complies with ITIL recommendations https://advisera.com/20000academy/itil-iso-20000-tools/itil-gap-analysis-tool/
    - know-how - knowledge level of our staff influences pace of the implementation
    - tool - if you use a tool you will speed-up the implementation
    - organizational set-up - depending on complexity of your company, length of the implementation can vary (usually, bigger organizations need more time).
    - people - this includes people that you have (number of supporting employees/customers, as well as people you can involve in incident management process).

    This articles can help you with more details:
    How much does the ITIL/ISO 20000 implementation cost? https://advisera.com/20000academy/blog/2016/12/13/how-much-does-the-itiliso-20000-implementation-cost/
    Is it possible to calculate ROI for ITIL? https://advisera.com/20000academy/blog/2016/09/13/is-it-possible-to-calculate-roi-for-itil/

  • EU ePrivacy review


    Answer: The European Union Commission, on 10th January 2017 adopted a proposal for a Regulation on Privacy and Electronic Communications to replace the 2009 Directive, the last update on Directive 2002/58. You can find the proposal on the following link:

    https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications

    These articles will provide you further explanation about EU GDPR:
    - What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/27001academy/blog/2016/10/03/what-is-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
Page 951-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +