Answer: Besides a practical environment to implement a toolkit, I would advise you to try one of these strategies:
- Identify a potential scenario of your company, or other company you know, and simulate an implementation
- Search in google for lists like "top ten information risks" or "main information risks by industry" and from those lists you try to follow the implementation path
In those scenarios the simulation would follow the steps: risk assessment and treatment, controls elaboration and audit checklist elaboration. Also try to simulate that some controls have problems, identifying what we call "triple non-conformity elements" (the rule to be followed, the situation that is breaking the rule, and a verifiable evidence), so you can state a proper non-conformity. By doing that you will be capable of understanding the whole implementation process in a broader view, which will facilitate your understanding when working on a specific scenario.
These materials will also help you regarding the needed steps for a certification:
Answer: No. Both standards also cover practices that should be adopted by the cloud service customer (e.g., defining security requirements, assessing the provider's capability, etc.). Where a control covers both provider and customer, the standards present them explicitly, informing the proper practice to be considered for each one.
2 - If I use the cloud service, the security part is done by the cloud vendor right?
Answer: Depending upon the cloud service contracted, the security responsibilities between providers and customers may vary. You should check your service agreement or contract to verify which are the responsibilities for each party.
Top management shall ensure that the requirements of the quality management system are an integral part of the organization's business practises.
Could you please tell me what evidence can I show the auditor to meet the requirement of the section 5. Leadership. Especially the above mentioned point.
Answer:
Some requirements of this clause, and the specific requirement you mention, are met indirectly through other documents and activities within the QMS. Integrating the QMS in the organization's business practices basically means that you will adapt your processes to the requirements of the standard for that particular process. For example, if your sales or production processes are aligned with the requirements of the standard regarding sales or production, then the requirements of the quality management system are an integral part of your business practices.
Answer: Your approach on the risk assessment is valid, since you will have to state the different impact levels, which will lead to different risk values, but in your asset inventory there is no need to have multiple rows if you can group the assets and the information about them. In your example you have in the asset inventory the asset "database", and in your risk assessment you will have risks like "customer A's database loss" and "customer B's database loss", with different risk values.
Answer: If legal actions are taken as a result of lack of information, caused by duties not being performed on time, this situation must be included in your risk assessment, so you can determine if the risk of this situation is unacceptable, and implement controls as needed.
2 - How can we reflect them in our documentation?
Answer: You should add the asset(s) that handle information from these duties (e.g., payment system XYZ, email server, etc.) to your asset inventory, and related risks should be recorded in your risk assessment (e.g., payment delayed by system downtime or processing error may cause a contractual breach). The risks considered unacceptable must be included in the risk treatment plan, where proper controls should be defined (e.g., system redundancy / processing results review).
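As an added illustration of the points made in the answers above (one grouped row in the asset inventory backing several risk rows with different impact levels, and unacceptable risks flowing into the risk treatment plan), here is a small Python model. It is not part of the original answers or of any Advisera toolkit; the 1-5 likelihood and impact scales, the acceptance threshold of 8 and the sample inventory and risk entries are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed example data model (assumption, not from the page): one asset
# inventory row, e.g. "database", can be referenced by several risk rows.


@dataclass
class Asset:
    name: str
    owner: str
    location: str


@dataclass
class Risk:
    asset: str                 # must match an Asset.name in the inventory
    description: str
    likelihood: int            # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    @property
    def level(self) -> int:
        # Simple multiplicative scoring; the scale is an assumption.
        return self.likelihood * self.impact


# Assumed risk acceptance criterion: anything scoring above 8 needs treatment.
ACCEPTANCE_THRESHOLD = 8


def validate_references(inventory, risks):
    """Return descriptions of risks that point at an asset missing from the inventory."""
    names = {a.name for a in inventory}
    return [r.description for r in risks if r.asset not in names]


def unacceptable_risks(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Risks whose level exceeds the acceptance threshold."""
    return [r for r in risks if r.level > threshold]


def treatment_plan(risks, threshold=ACCEPTANCE_THRESHOLD):
    """One plan entry per unacceptable risk; controls may be proposed or still to be defined."""
    plan = []
    for r in unacceptable_risks(risks, threshold):
        plan.append({
            "asset": r.asset,
            "risk": r.description,
            "level": r.level,
            "controls": list(r.controls) if r.controls else ["TO BE DEFINED"],
        })
    return plan


# Constructed sample inventory and risk assessment rows.
INVENTORY = [
    Asset("database", "IT manager", "data centre"),
    Asset("payment system XYZ", "finance manager", "data centre"),
]

RISKS = [
    Risk("database", "customer A's database loss", likelihood=2, impact=5),
    Risk("database", "customer B's database loss", likelihood=2, impact=2),
    Risk("payment system XYZ",
         "payment delayed by system downtime or processing error causing a contractual breach",
         likelihood=3, impact=4,
         controls=["system redundancy", "processing results review"]),
]


if __name__ == "__main__":
    assert not validate_references(INVENTORY, RISKS)
    for entry in treatment_plan(RISKS):
        print(entry)
```

Running the module prints two treatment plan entries: customer A's database loss (level 10) with controls still to be defined, and the payment delay risk (level 12) with its two proposed controls; customer B's database loss (level 4) stays in the risk assessment as accepted. The inventory keeps a single "database" row throughout.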
3 - Can we consider them as our services? In one of your articles I saw this:
“Outsourced services – e.g. legal services or cleaning services, but also online services like Dropbox or Gmail – it is true that these are not assets in the pure sense of the word, but such services need to be controlled very similarly to assets, so they are very often included in the asset management.”
Are these examples also similar to my case?
Answer: If I'm understanding correctly, these activities are being performed by your own organization, so in this case it is more appropriate for you to refer in your inventory to the assets that handle the information, like I explained in the first question.
4 - It is also not clear for me, how can for example cleaning services affect the risk assessment process? (Aren’t they more like threats than assets?)
Answer: According to 27001 clause 8.1, outsourced processes must be determined and controlled, so, outsourced cleaning services, as well as any other outsourced services, must be included in the risk assessment to ensure they do not represent a risk to information security, or in case they introduce unacceptable risks, to ensure those risks are treated properly.
Regarding how cleaning services may affect the risk assessment process: this service, as well as any other outsourced service, may require, for example, that people who work for this external organization have access to your environment and information, and if you do not consider that they may be malicious people (e.g., industrial spies) or untrained people, they may cause your information to be compromised (e.g., damaged, lost, or stolen), so you should consider these risks and treat them properly (e.g., by means of contracts, training, etc.).
Evidences of control implementation and training and awareness program
Answer: In general, the information you have to gather to evidence a control implementation that is compliant with ISO 27001 is:
1. Risk treatment plan (clauses 6.1.3 e and 6.2), to evidence what was planned for the control implementation (e.g., policies, procedures, trainings, etc.). If the control being implemented is part of ISO 27001 Annex A, you have to be sure the mandatory documents defined there are included as deliverable of the plan
2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
7. Results of corrective actions (clause 10.1), to evidence improvement
Additionally, you also need to have all the records prescribed by your own documentation.
2 - For the training and awareness program, can people outside the organization or the unit for which ISMS is being undertaken attend?
Answer: Yes, they can - as long as the awareness or training activities do not include confidential information or any other information the organization considers cannot be shared with external people.
Objectives related to occupational health and safety should be in line with the OH&S Policy. For example, the objective can be to decrease the number of injuries or near misses by 10% compared to the previous year, or you can relate the objectives to operational controls that you established for your Occupational Health and Safety Management System.
Answer: Generally, an organizational Code of Conduct covers rules, norms, practices and responsibilities to be followed by individuals or other organizations, aiming to protect the business and inform these parties of the organization's expectations. The content of a Code of Conduct should be aligned with what an organization expects and considers proper behaviour.
Answer: I assume you are referring to choosing the organization's scope first. In this case my answer is yes. The scope definition, after getting management buy-in, is one of the most important things for your ISMS implementation, because it defines which information you intend to protect, where it is located and who handles it, which will directly impact the effort and resources you will need.
2 - Does this still form part of ISMS?
Answer: The scope definition is a mandatory requirement in ISO 27001 (clause 4.3). Regarding the top-down approach, if you pay close attention, you will note the standard's sections follow an implementation sequence, so the standard also considers scope definition as one of the first things to be done (just after understanding the organization, its context, and the needs and expectations of interested parties).
Answer: Sometimes the protective effect only takes place when several controls are applied together (e.g., for physical protection, implementing security perimeter without entry controls, or vice versa, does not make much sense). If one fails, the whole protection may be compromised. In cases like this it is enough to put the result on a single row. So, you should assess the effect of all controls implemented for a particular risk to decide how to record them in your Risk Treatment Table.
By the way, together with the toolkit you have received access to a video tutorial called How to Implement Risk Treatment According to ISO 27001 which explains exactly how this is done - I would recommend you watch this tutorial because it will explain to you what the standard requires, what options you have, how to fill out the data, etc.