Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
How to treat an ISMS document that is due for review
Thank you so much for this answer. It is exactly what I was looking for. In my case, I will record it by listing all the docs due for review in our ticket management system and simply comment next to each one. In the case of docs not requiring change, I will just say "Reviewed but no changes were necessary. It will however be reviewed again next year 201x". -
Asset value
Answer:
There is no universal way to calculate the asset value, but a common way is to select the high value from the 3 parameters (in your case 5), or another way is to sum the 3 parameters (so in this case you can have the value 15). If you want to know my opinion, for my is more easy is you select the high value (5).
Anyway, for the risk management, it is not mandatory to use the asset value, so if you want an easy way you can use simply the impact value.
This article can help you “How to assess consequences and likelihood in ISO 27001 risk analysis” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
And also this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
And also our online course, because we give more inform ation about the evaluation of assets “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Documenting the information security objectives
Answer:
ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.
When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
This article will also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
In this free online training you'll find detailed guidance on setting the objectives: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Focus the ISMS scope
Answer:
I am sorry but I am not sure what do you mean, but you can define the scope of the ISMS limiting it to only the IT department. Another way, is to define the scope for the whole organization, and generally it is our recommendation. For more information about the definition of the scope, please read this article “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
If you limit the ISMS scope to your IT department only, you will have to treat the other departments in your company as third parties, and this is why creating such a scope is difficult.
This article can be also interesting for you “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
And our online course can be also interesting for you because we give more infor mation about how to define the ISMS scope “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Contents of Internal audit program
In case you are planning a single audit to cover all the ISMS scope at once, these references you defined are sufficient.
In case you are planning to perform multiple audits to cover small parts of the scope each time (e.g., IT processes audit, HR processes, etc.), then you need to be more specific about which criteria you will use. For example, in the case of auditing HR processes, most probably controls from section A.14 System acquisition, development and maintenance won’t be part of your checklist, while controls from section A.7 Human resource security will take more space in your checklist.
This article will provide you a further explanation about building an audit checklist:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding building the audit program:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
-
Clarifications reg GAP Analysis.
ISO 27001 does not require you to perform the Gap Analysis prior to the start of the project; you should perform a kind of shortened version of Gap Analysis while writing your Statement of Applicability.
These materials will help you:
- article ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
- article The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- free ISO 27001 Gap Analysis Tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ -
Audit Doubt
I'm not sure if I understood your question correctly, but the certification auditor will check your whole ISMS - all your documents, records, activities, etc.
It doesn't matter that you have checked all of these during the internal audit - the certification auditor will check everything all over again; he will review your internal audit process as well.
See also these materials:
- article Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Documents Clarification
The best would be if you register for this free online training: ISO 27001 Foundations Course - there you will find all the answers https://advisera.com/training/iso-27001-foundations-course/ -
Narrowing down the list of risks
What is the best practice to group info Sec risks?
Answer: I assume you refer to our article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ - if you come up with 500 risks, this doesn't mean that you have to treat all of them - you will need to treat only unacceptable risks, and this is usually 10% or 20% of all the risks you have identified.
If you still want to reduce the number of risks, then I suggest to group similar assets into a single class of assets - e.g. you could group all the servers into a single class of assets, or your laptops, etc.
These materials explain in detail how to perform the risk assessment:
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
How do you suggest to aggregate and report to business owners so the risks are technical jargon free, etc.
Answer: You should present only the biggest (unacceptable) risks to your business owners/top management, and you can use small scenarios (in couple of sentences) - what could happen if such incident happens.
Here is a template which provides examples of scenarios, focused mainly on larger incidents: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/ -
Asset register
Answer:
Simply you need to include in your asset register those assets that you can manage, so if you have a server and this server has software that you can manage (Virtual Machines, web server, email server, etc), you can include this information in your asset register.
Regarding the services provided by other companies (internet connection, housing, etc) you can see as service, and you are right, you can implement security controls related to suppliers (section A.15 Supplier relationships). Anyway, remember that the implementation of secu rity controls need to be performed after the results of the risk analysis.
This article can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And our online course can be also interesting for you because we give more information about the asset register “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/