
  • Normal incident vs information security incident


    Answer:
    The main difference between a normal incident and an information security incident is that the second is related to information security and can affect the confidentiality, integrity and availability of information. So, for example, a virus can be an information security incident (because, for example, information can be disclosed), and a normal incident can be that the printer is failing (it is not related to information security).

    Many companies define in their information security incident management procedure, what is an information security incident (virus, access problem to information, etc.). So, this can be a good recommendation for you.

    This article can be interesting for you “How to handle incidents according to ISO 27001 A.16” : https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    And also this one “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/

    And finally, our online course can be also interesting for you because we give more information about the information security incidents “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Risk Assessment Methodology.

    There is no specific methodology in ISO 27001 for the risk assessment (you can develop your own methodology), although this article can help you to write a basic risk assessment methodology “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    FEMA (Federal Emergency Management Agency) and FISMA (Federal Information Security Management Act) are basically regulations that are applicable only in USA.

    In most cases the risk assessment methodology chosen is asset based, because it is the easiest, and common methodologies are CRAMM, OCTAVE, MAGERIT, but as you know, you can write your own methodology.

    This article can be also interesting for you “ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification” : https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/

    Finally, these materials will help you more with risk assessment:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Perform the asset register easily


    Answer:
    It is the easiest way, I mean, matching threats and vulnerabilities for each asset, although if you want to reduce the work, the best recommendation is to reduce the number of assets, for example by grouping similar assets with the same threats/vulnerabilities. For example: laptops (for all laptops), workstations (for all workstations), printers (for all printers), etc.

    Anyway, it is not mandatory to have asset based risk management, although it is very recommendable to work with asset based risk management, because it is easier than other methods.

    This article can be interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    And also our online course, because we give more information about the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • ISO for knowledge sharing


    Answer:
    I am sorry but there is no specific ISO directly related to the knowledge sharing, although you can use ISO 27001 (related to the protection of the information), because it can help you to share information (from my point of view, the knowledge is also information).

    If you want to know more information about ISO 27001, please read this article “What is ISO 27001?” : https://advisera.com/27001academy/what-is-iso-27001/

    And our online course can be also interesting for you, because we give more information about the ISO 27001 and the protection of information “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • ITIL and ISO 27001


    Answer:
    Length of the ISO 20000 implementation depends on many parameters, e.g.
    - size of the organization
    - whether you have an ITSM tool in place
    - whether you have some other ISO standard in place
    - level of knowledge and experience
    - complexity of the services and related infrastructure, etc.

    But, according to provided information, I assume that you'll need 6 months (and plus).
    And, if you have ISO 27001 in place, yes you can reuse some of the parts. Please see the article which can help you: "How to implement ISO 27001 and ISO 20000 together"
    And, yes, you can implement both standards at the same time.

    This article can also help you: "Main obstacles during ISO 20000 implementation and how to overcome them" https://advisera.com/20000academy/blog/2016/07/06/main-obstacles-during-iso-20000-implementation-and-how-to-overcome-them/
  • Nonconformity and Corrective Action records


    Answer:

    NCR or nonconformity record is a way of documenting a nonconformity that occurred in the Quality Management System. Its purpose is to describe the nonconformity and give an input for further actions regarding the nonconformity. The standard does not prescribe what information an NCR should include, but it usually contains information about the process where the nonconformity is identified and who identified it.

    CAR or corrective action record is used to document actions taken for removing the nonconformity; this includes analysis of the nonconformity, determining the causes, defining actions to remove the cause and providing evidence of corrective action effectiveness.

    These two can be separate records, but there can also be one record that meets the requirements for both NCR and CAR. Here you can find a free preview of our Nonconformity and Corrective Action Record: https://community.advisera.com/topic/nonconformity-and-corrective-action-records/
  • Updating internal audit checklist to ISO 9001:2015


    Since the clauses have changed, I will need to change the Internal Audit questions. Can you direct me or guide me on how to create new questions for internal audits for every clause in ISO 9001:2015?

    Answer:

    The clause numbers are not the only thing that changed; basically every clause and every requirement suffered at least some small change, so the internal audit checklist should be updated to reflect all these changes.

    Depending on how your existing checklist looks, you will need to take the ISO 9001:2015 text, identify all requirements in it and then insert them in the checklist. A lot of existing questions in the checklist will remain, but a lot of them will also need to be changed or added. You will need to exclude some of the questions, for example regarding some no longer mandatory documents, the management representative, etc., and to add some new ones regarding context of the organization, risks and opportunities, etc.

    All this can be a big effort and time-consuming, just to make a checklist. I would suggest you take a look at the free preview of our ISO 9001:2015 Internal Audit Checklist because it can really save you a lot of time and effort; you can find it on this link https://advisera.com/9001academy/documentation/internal-audit-checklist/

    Here are also some articles that might be interesting to you:
    - ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
    - Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
    - How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
  • Is Asset register required?


    Answer: If I understood the question correctly, you're asking if an Asset register is required - the answer is no, ISO 27001 does not require you to have such a register.

    ISO 27001 covers this topic under the control A.8.1.1 Inventory of assets - since this is a non-mandatory control, you can choose whether to apply it or not. The most common reasons for applying this control are the following:
    a) You want to use the asset register for performing the risk assessment - see this article for details: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    b) You want to decrease some risks that you identified during the risk assessment - see this article: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    c) There is a legal or regulatory requirement for you to have such register.

    This article may also help you: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Delay in implementing the controls

    Yes, it is acceptable, but you need to have a really good reason - shifting the dates without any justification will bring you trouble with the certification auditor.
  • How to treat suppliers that are ISO 27001 certified


    Answer: The fact that they are ISO 27001 certified doesn't change their status towards you - so yes, you have to treat them as suppliers. To understand the details on how to handle suppliers, please read this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    My second question is that, as we are a new and small company, we do not have any IT department, so we (personally) manage our IT equipment. Will this cause us problems in our certification?

    Answer: No, your size and the fact that you are managing your IT equipment won't cause any problems at the certification, as long as you comply with your policies and procedures.

    Is it better to have a dedicated IT department or have someone who manages our IT?

    Answer: I'm not sure if I understood your question correctly - if you meant whether it is better to have your own IT department or to outsource the IT function, this is primarily a business issue (what is more profitable) and a skill issue (does your IT equipment require some special skills that might not be easy to find in the market).

    Or can we just put encryption / passwords / administration rights on particular systems to get round this?

    Answer: Managing security is not only about encryption, passwords and administration rights - the best thing for you would be to go through this free online training to learn all that is important for security management: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/