Answer: ISO 27001 does not require an ISMS Implementation Project Plan as documented information. The plan the standard requires as documented information is the Risk Treatment Plan (clauses 6.1.3 e and 6.2). During documentation review you use the risk treatment plan to verify whether all documentation has been implemented in conformance with the defined deadlines, or you update the risk treatment plan itself if a policy review is needed because of changes in risk (e.g., a new risk or changes in an already identified risk).
>1 - What I understand is that if an IS policy is updated, then the old policy shall be stored in a secure location as a record and only authorized users have access to it. Controls should be implemented as per the classification of the document. In case there is some requirement to retrieve the old version of the IS policy, for instance, an external auditor wants access to the old policy, then the access shall be provided after the necessary approval.
Answer: Your understanding of the consequences of the IS policy update is correct.
>2 - For clarification of “Documents of external origin”, can you give some examples? If somebody sends a parcel to a friend who is working in an organization, how can it be applicable? Who will define the classification of such things? In addition to this, is this a duplication of work, that the person sitting at the reception is first registering the parcel and then the one who is the recipient of the parcel?
Answer: You can understand documents of external origin as all documentation outside the organization's sole control that is relevant to the ISMS, for example a law, an industry standard or a contract with a customer/supplier.
Considering your example, the first thing to be observed is whether this parcel is intended for the organization or for the person himself.
If the parcel is intended for the person himself, it should be considered private mail and you should consult your internal policies regarding the receipt of personal mail in the organization to know how to proceed (yes, if this situation occurs in your organization you should consider how to handle it in at least one of your policies).
If the parcel is intended for the organization, the person to whom it is addressed should apply the information classification according to the parcel's content.
Regarding the parcel register process, the role of the person at the reception is only to enter the parcel information in the incoming mail register and forward the parcel to the intended recipient, who has the responsibility to formally acknowledge receipt of the parcel on behalf of the organization. So there is no duplication of work, since the person at the reception fills in one part of the incoming mail register (the parcel information), and the recipient fills in another (the receipt acknowledgement).
Documenting RTO and RPO
Answer: Considering ISO 22301:2012, the mandatory requirement is that there are defined recovery objectives. How they are defined is an organization's decision, so you can use a single value or a ranged one.
Using single values for RTO and RPO makes it easier to communicate the organization's general expected results to people. Using a range of values makes more sense when the organization wants to monitor specific situations during the recovery process, so it can evaluate whether the general results can be achieved by the maximum value defined, and make proper adjustment decisions.
For example, you can adopt a single RTO of 8h, meaning your recovery objectives from "A to G" must be achieved in 8h, or you can adopt an RTO range from 4 to 8, considering that at 4h you should recover objectives A-B-C, at 6h you should recover objectives D-E-F, and at 8h you should recover objective G. In both cases you have to recover objectives A to G in 8 hours, but by using a ranged value you can have more control over the recovery process. Of course, the trade-off is that your recovery plan will get more complex.
One thing you should also note is that only RTO is measured in time. The RPO is measured in terms of system state (e.g., the RPO will be the system's state 4 hours before the incident, which does not imply the system will be recovered in 4 hours).
Answer: Roughly speaking, to formulate a good security policy you should consider the following steps: 1) identify and understand the requirements that justify the need for a policy (e.g., clauses of a standard or contract, business decisions, etc.); 2) consider the results of the risk assessment, so that measures to control relevant risks are supported by the policy; 3) make your policy manageable and integrated into your processes (it's hard to follow huge policies that are very different from the daily operations); 4) get high-level approval (so the policy has more enforcement power); and 5) train people and make them aware of the policy (if no one knows the policy, how can you expect them to follow it?).
Answer: When dealing with external suppliers you should ensure security clauses are included in the service agreement or contract, so you have a legal basis in case of complaints or disputes. The other point is that you have to ensure the policies, procedures and controls implemented in the suppliers' processes are aligned with those of your organization, or that they can at least ensure a security level your organization considers acceptable.
ISO 27001 implementation and certification and ISO 9001
Answer: Roughly speaking, the ISO 27001 implementation steps can be summarized as: 1) getting management buy-in for the project; 2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties; 3) developing the risk assessment and treatment methodology; 4) performing the risk assessment and defining the risk treatment plan; 5) implementing controls (e.g., documenting policies and procedures, acquisitions, etc.); 6) training people and raising awareness; 7) operating the controls; 8) monitoring and measuring performance; 9) performing the internal audit; 10) performing the critical management review; and 11) addressing nonconformities, corrective actions and opportunities for improvement.
This article provides further explanation about ISMS implementation:
- ISO 27001 implementation checklist advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding integration with an ISO 9001 QMS, after the release of Annex SL and the new versions ISO 9001:2015 and ISO 27001:2015, integrating both standards became a much easier task. Since your question refers to ISO 9001:2008, I suggest you first consider a gap analysis between ISO 9001:2008 and ISO 9001:2015. This way you ensure your QMS will be ready when the transition period is over (this will happen in September 2018), and your QMS will be prepared with most of the clauses also required by ISO 27001, like control of documented information, internal audit, and treatment of nonconformities and corrective actions.
Answer: In general, risk standards cover, at different levels of detail, the steps listed in ISO 31000: context establishment, risk identification, risk analysis, risk evaluation and risk treatment.
While ISO 31000 is more focused on the general risk management structure (it does not define specific methods, although you can find examples in ISO 31010), OCTAVE focuses on risk management at a strategic and planning level, and FAIR addresses security practice weaknesses. Another risk management framework I can tell you about is the one used by NIST (National Institute of Standards and Technology). Documents SP 800-30 and 800-37 are focused on helping implementation in US federal systems, presenting a great level of detail regarding risk levels, security and assurance controls.
Implementing COBIT 5 and ISO 27001 together is not a mandatory requirement of the ISO standard, but COBIT practices provide a good framework to guide IT processes and make information security implementation easier.
This article provides a further explanation about COBIT and ISO 27001:
Answer: Clause 6.1.3 f) of ISO 27001 requires risk owners to accept the residual risks; therefore you need to identify the residual risks and evaluate the level of those residual risks.