Answer:
The relation between ISO 27001 and ISO 27002 is simple: ISO 27001 establishes requirements for an Information Security Management System, and includes Annex A with 114 security controls. ISO 27002 is a guide of best practices for the implementation of the 114 security controls of Annex A of ISO 27001.
Really, you only need to implement the necessary security controls after the risk analysis, and you will need ISO 27002 only if you need specific information about how to implement the security controls of Annex A of ISO 27001. This article can be interesting for you, “The basic logic of ISO 27001: How does information security work?”: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Answer:
I am sorry, but you cannot implement CISA in a company because it is only a certification for people. Regarding COBIT, this standard is focused on IT governance, which also includes information security, but has a different objective.
So, if you need to manage information security, the best standard from my point of view is ISO 27001, because it is specifically developed for this, while COBIT is developed for IT governance.
Answer:
ISO 27001 is the leading standard on information security, and most laws and regulations about information security around the world are based on this standard.
COBIT is focused on IT governance, which also includes information security, but ISO 27001 is more specific.
Regarding COSO, this standard is also for different things: internal control, event identification, risk assessment, etc. So, again, this standard is not specifically developed for information security.
So, if you want to establish an Information Security Management System to protect your information, the best option, from my point of view, is ISO 27001.
Answer:
There is an ISO standard specifically related to information security controls for cloud services (or cloud computing environments): ISO 27017.
This standard is a code of best practices, but there are some certification bodies that offer a certification if the company complies with a series of requirements based on the standard.
Answer:
I am not sure if I have understood your question, but if you want to obtain support from management to implement an Information Security Management System in your organization (based on ISO 27001), it is very important to show them the benefits of the implementation of the standard, which basically are: compliance, marketing edge, lowering the expenses, and putting your business in order. This article can be interesting for you, “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Answer:
To comply with clause 9.1, basically you need to perform monitoring, measurement, analysis and evaluation of your ISMS. How can you do this? One way is using metrics. An example:
If an objective is to reduce backup failures (10%), you can perform periodic measurements (for example, each week) with this formula: Failed backups / Total backups. And you can see how the measurements evolve.
Another example can be to reduce the number of unauthorized accesses to a critical server (15%), so you can use this formula: Unauthorized accesses / Total accesses. And see the evolution by performing periodic measurements.
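The two metrics in the answer above follow the same pattern: a ratio measured each period, tracked over time and compared with a reduction target. The script below is an added example, not code from the original answer or from Advisera; it generalizes the two formulas into one small metric tracker. All numbers are constructed, and it assumes the "10%" / "15%" targets mean a relative reduction against the first (baseline) measurement, which the answer does not spell out.

```python
"""Clause 9.1 style metric tracking: added example, not from the original answer.

A metric is a ratio (numerator / denominator) measured once per period; the
target is read as a relative reduction against the first measurement (assumed).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    period: str       # label for the measurement period, e.g. an ISO week
    numerator: int    # events counted against the objective (failed backups, unauthorized accesses)
    denominator: int  # all events in the period (all backups, all accesses)

    def ratio(self) -> Optional[float]:
        # A period with no events has no defined ratio. Returning None instead of 0.0
        # keeps a quiet week from being misread as a perfect one.
        if self.denominator == 0:
            return None
        return self.numerator / self.denominator


@dataclass
class Metric:
    name: str
    target_reduction: float            # 0.10 means "reduce by 10%" (assumed relative to baseline)
    samples: List[Sample] = field(default_factory=list)

    def evolution(self) -> List[Tuple[str, float]]:
        """Measured ratios in period order, skipping periods with no data."""
        return [(s.period, s.ratio()) for s in self.samples if s.ratio() is not None]

    def target_met(self) -> Optional[bool]:
        """Compare the latest ratio with the baseline; None if there is not enough data."""
        ev = self.evolution()
        if len(ev) < 2:
            return None
        baseline, latest = ev[0][1], ev[-1][1]
        return latest <= baseline * (1.0 - self.target_reduction)


def build_example_metrics() -> List[Metric]:
    """Constructed sample data for the two metrics named in the answer."""
    backups = Metric("Failed backups / Total backups", 0.10, [
        Sample("2024-W01", 12, 100),   # baseline
        Sample("2024-W02", 11, 100),
        Sample("2024-W03", 0, 0),      # no backup jobs ran this week: no ratio
        Sample("2024-W04", 9, 90),
        Sample("2024-W05", 8, 100),
    ])
    access = Metric("Unauthorized accesses / Total accesses", 0.15, [
        Sample("2024-W01", 20, 400),   # baseline
        Sample("2024-W02", 19, 400),
        Sample("2024-W03", 18, 400),
    ])
    return [backups, access]


def report(metrics: List[Metric]) -> List[str]:
    """One line per metric, suitable for a management review record."""
    lines = []
    for m in metrics:
        history = ", ".join(f"{p}: {r:.1%}" for p, r in m.evolution())
        status = {True: "target met", False: "target NOT met", None: "insufficient data"}[m.target_met()]
        lines.append(f"{m.name} (target -{m.target_reduction:.0%}): {history} -> {status}")
    return lines


if __name__ == "__main__":
    for line in report(build_example_metrics()):
        print(line)
```

The backup metric falls from 12% to 8%, beyond the 10% relative reduction, so it reports "target met"; the access metric only drops from 5.0% to 4.5%, short of the 15% cut, so it does not. Periods with no events are excluded rather than counted as zero, which is the usual pitfall when a ratio is averaged blindly.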
Answer: ISO 27001 does not require you to separate password policies for different types of users/employees - therefore, you can create a single document for this purpose. In bigger and very complex companies it might make sense to have separate policies for this purpose.
Also, if there are 10 sites in the scope of the certification audit, then at the time of the surveillance audit, how can the auditor sample the sites, i.e. what to include and what not?
Answer: If you are asking about the surveillance visit that is performed by the certification auditor, then this is a decision made by the certification auditor, not the company that has the certificate. They make such a decision based on the importance of particular sites, and based on where they found most of the nonconformities during the previous visit.
When determining what parts of your company should be part of your quality management system, you need to look first into the reasons for implementing the standard. Is it a requirement of the customer, is it a condition for applying to tenders, or is it a requirement of the company itself? The answer to this question will shape the scope of your QMS.
If it is a requirement of the customer and it only refers to a product produced on only one of your production lines, you might decide to include in the scope only that production line and leave the others out of the scope; the same can be applied in the case of tenders as well. If it is a requirement of the company itself, it is most common to include the entire company in the scope.
Regardless of the reason for implementing ISO 9001, you might choose to implement it in only several processes in the company, in one or more locations where your company has branches, or to cover one or more production lines and yet not cover the entire organization.
Reasons for limiting the scope to only a part of the company can be to decrease the price of implementation and certification of the system or to cut the time of implementation.