  • Cloud service customers and ISO 27018


    Answer:

    ISO 27018 is not a certifiable standard. It is a code of practice that can be used to support certifiable management systems, like ISO 27001 for information security management systems. For more information click [here](https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/)
    So, a cloud service customer could be certified against ISO 27001 and include in his/her Statement of Applicability (SOA) controls with ISO 27018 recommendations, but this decision is up to him/her, and cannot be enforced. To know more about SOA click [here](https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/)
  • PII role identification


    Answer:

    It's a relative question, depending on whether it has its own data on the cloud service it uses, because:

    - When you talk about your own data on the cloud service you use, you are the PII principal. You define on your own how the data can be used.
    - When you deal with your customer data on the cloud service you use, you are the PII controller. You receive personal data from customers (the PII principals) and use a third party (the PII processor) to perform operations previously agreed with customers.
  • Certification against ISO 27108


    Answer:

    ISO 27018 is not a certifiable standard. It is a code of practice that can be used to support certifiable management systems, like ISO 27001 for information security management systems. For more information click [here](https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/)

    In case someone decides to use ISO 27001 to implement PII controls in a certifiable manner, any of the principal, controller and processor can be part of the certified scope, but with different purposes:
    - For the PII principal, the certification purpose would be to ensure the PII principal can demand and verify actions from those who collect, store and process his/her PII
    - For the PII controller and PII processor, the certification purpose would be to ensure they properly protect the PII they collect, store and process from their users
  • Practical example of ISO 27018 PII processor, principal and controller


    Answer:

    Consider the following scenario: John wants to make a bank transfer, and asks Mark, his account manager, to arrange this operation. Mark receives the bank transfer information (account number, value to be transferred and transfer date) from John and authorizes Bill, his assistant, to do the bank transfer.

    - John is the PII principal. The PII required for the bank transfer, the account data, is related to him.
    - Mark, the account manager, is the PII controller. He is the one, besides John, who can authorize the use of John's PII to perform the bank transfer.
    - Bill, Mark's assistant, is the PII processor. He is the one who uses John's PII to perform the bank transfer in accordance with Mark's instructions (value to be transferred and transfer date, sent by John).
  • ISO 14001 vs ISO 14025


    Answer:

    ISO 14001 - Environmental management system is a standard that provides a framework for environmental protection. It does not define what kind of control you need to establish for environmental protection, but rather defines processes for identification, evaluation and control of significant environmental aspects in the company. For more information, see: ISO 14001: What is it, how does it work and why use it? https://advisera.com/14001academy/what-is-iso-14001/

    ISO 14025 establishes the principles and specifies the procedures for developing Type III environmental declaration programmes and Type III environmental declarations. It specifically establishes the use of the ISO 14040 series of standards in the development of Type III environmental declaration programmes and Type III environmental declarations. ISO 14025:2006 establishes principles for the use of environmental information.

    Type III environmental declarations as described in ISO 14025 are primarily intended for use in business-to-business communication, but their use in business-to-consumer communication under certain conditions is not precluded.

    As you can see, the standards deal with different things. If you want to establish an environmental management system, you need to go with ISO 14001. ISO 14025 is used only for developing declarations and communication between businesses.
  • How ISO 27001 and ISO 27002 are related


    Answer:
    The relation between ISO 27001 and ISO 27002 is simple: ISO 27001 establishes requirements for an Information Security Management System, and includes the Annex A with 114 security controls. ISO 27002 is a guide of best practices for the implementation of the 114 security controls of the Annex A of ISO 27001.

    Really, you only need to implement the necessary security controls after the risk analysis, and you will need ISO 27002 only if you need specific information about how to implement the security controls of Annex A of ISO 27001. This article can be interesting for you “The basic logic of ISO 27001: How does information security work?” : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    And also this article "ISO 27001 vs. ISO 27002" : https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    Regarding the threats/vulnerabilities, this article can also be interesting for you, because you can see a complete list of them “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    Finally, these materials will help you to know more about the ISO 27001:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001, CISA and COBIT


    Answer:
    I am sorry but you cannot implement CISA in a company because it is only a certification for people. Regarding COBIT, this standard is focused on IT governance, which also includes the information security, but has a different objective.

    So, if you need to manage information security, the best standard from my point of view is ISO 27001, because it is specifically developed for this, while COBIT is developed for IT governance.

    This article can show you the benefits of ISO 27001 “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    And also this free webinar “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

    Finally, these materials will help you to know more about the benefits of ISO 27001:
    - free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 instead COBIT and COSO


    Answer:
    ISO 27001 is the lead standard about information security, and most laws and regulations about information security around the world are based on this standard.

    COBIT is focused on IT governance, which also includes information security, but ISO 27001 is more specific.

    Regarding COSO, this standard is also for different things: internal control, event identification, risk assessment, etc. So, again, this standard is not specifically developed for information security.

    So, if you want to establish an Information Security Management System to protect your information, the best option, from my point of view, is ISO 27001.

    This article can be interesting for you “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    And also this free webinar “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

    Finally, these materials will help you to know more about the benefits of ISO 27001:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Development of the Information Security Policy


    Answer:
    If your question is about the information security policy, basically you can include in this document the scope of the ISMS, responsibilities for key parts of the ISMS, and measurement. This article can help you to write this document “What should you write in your Information Security Policy according to ISO 27001?” : https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

    Our template can also be useful for you; you can download a free version by clicking on the “Free demo” tab here “Information Security Policy” : https://advisera.com/27001academy/documentation/information-security-policy/

    Finally, these materials will help you to know more about the Information Security Policy:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Certify cloud computing environment


    Answer:
    There is an ISO standard specifically related to information security controls for cloud services (or cloud computing environments): ISO 27017.

    This standard is a code of best practices, but there are some certification bodies that offer a certification if the company complies with a series of requirements based on the standard.

    This article can be interesting for you “ISO 27001 vs. ISO 27016 - Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    ISO 27018 may also be interesting for you, although this standard is for protecting privacy in the cloud; this article can be interesting for you “ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud” : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    And maybe our toolkit about the implementation of ISO 27001 and ISO 27017 can also be interesting for you (you can download a free demo by clicking on the “Free demo” tab) “ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/