Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk management for cloud computing
Answer:
From my point of view, in a cloud computing environment it is better ISO 27005, because it is developed for risks about information security, although you can also use ISO 31000 because this standard has the same structure that ISO 27005 but it is developed to any type of risk (information security, financial, environmental, etc).
Regarding ISO 91000, I suppose that you mean ISO 9001 because ISO 91000 does not exist, and ISO 9001 is not specifically developed to manage risks,it is developed to establish the requirements for a quality management system, although in the current version of the standard (ISO 9001:2015) there is a new requirement related to the risk analysis (the risk treatment is not mandatory), so it is not useful to use this standard for the risk management.
Remember that if you want to write your own methodology for the risk management, this article can be interesting for you “How to write ISO 2700 1 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
This article can be also interesting for you "ISO 27001 vs. ISO 27017 - Information security controls for cloud services" : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
And also this one "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud" : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
And our online course can be also interesting for you because we give more information about the risk management “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Level of confidentiality
Answer:
This quote is from our Classification Policy template, and this means that when classifying information, you should always take the lowest level of classification. This is because the higher the classification level, the more you will have to pay for the protection.
According to our Classification Policy template, the lowest level of confidentiality is "Internal use", however this is not mandatory according to ISO 27001.
See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ -
SLA/OLA
Answer:
SLA is a formal contract between IT service provider and customer. OLA is a contract between IT service provider and another unit of the same organization. Is Systemadmin would be completely different organizational unit - you can define OLA with them. Usually, they are part of the I T Service Management team and there is no OLA with them.
On the other side, IT service management organization signs Underpinning Contract (UC) with vendor.
Read more about different kind of contracts in the articles:
"What’s the content of an ITIL/ISO 20000 SLA?" https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/
"SLAs, OLAs and UCs in ITIL and ISO 20000" https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/
"Who is your ideal ITIL/ISO 20000 Service Level Manager?" https://advisera.com/20000academy/blog/2016/04/19/who-is-your-ideal-itiliso-20000-service-level-manager/ -
Defining criteria for evaluation of environmental aspects
Answer:
Criteria used for evaluation of environmental aspects should reflect type, size and complexity of your business. Meaning that, if you have some small company that doesn't have some big impact on the environment, you can use only one criteria. On the other hand, if you are big company with great impact on the environment, you should use several criteria for determining significance of your environmental aspect.
Our Procedure for Identification and Evaluation of Environmental Aspects and Risks https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/ uses four criteria for evaluation of environmental aspects and they all combined provide information on whether the aspect is significant or not.
Criteria that we use are:
- Criteria related to probabi lity (frequency) of aspects and their impact
- Criteria related to scale of impact and consequences
- Criteria related to time of recovery
- Criteria related to the reach of impact -
Example of quantitative and qualitative risk assessment
Answer:
Basically quantitative is when you determine the risk with numeral values (for example based on economical values), and qualitative is when you determine the risk with nominal values.
For example, in a quantitative risk assessment, you can have this formula for the risk:
Risk = Impact x Likelihood
Being the Impact in terms of money and the likelihood in terms of %. So, if the impact in economical terms is $10.000 and the likelihood is 90%, the risk is: $10.000 x 0,9 = 9000. Here you also need to define different levels of risks (for example, 0-5000 is low, 5000-10.000 is medium, 10.000 and 50.000 is high).
Regarding the qualitative risk assessment, you can you also the same formula:
Risk = Impact x Likelihood
But in this case the values will be only nominal: Low, Medium, High (or you can also use 1, 2, 3), so in this case you will need a table with all po ssible values. For example, if the impact is low and the likelihood is low, the risk will be low. If the impact is low and the likelihood is medium, the risk will be low, etc.
Examples of quantitative risk assessment are MAGERIT, or SOMAP, and examples of qualitative risk assessment are CRAMM, or OCTAVE.
Generally, the qualitative risk assessment is more easy, and the quantitative is more precise, and you can develop the methodology that you want. So this article can be interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
And our online course can be also interesting for you because we give more information about the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Alcance del SGSI
Respuesta:
De acuerdo a los requerimientos de la ISO 27001, para la definición del alcance del SGSI, necesitas:
- Tener en cuenta las cuestiones internas y externas (definido en la cláusula 4.1)
- Tener en cuenta las partes interesadas (definido en la cláusula 4.2)
- Considerar las interfaces y dependencias entre lo que está pasando dentro del alcance del SGSI y el mundo externo
Este artículo te puede resultar útil “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Nuestra plantilla también te puede resultar interesante, puedes visualizar una versión gratuita pulsando en la pestaña "Demo gratis" aquí “Documento sobre el alcance del SGSI” : https://advisera.com/27001academy/es/documentation/documento-sobre-el-alcance-del-sgsi/
Finalmente, nuestro curso online también te puede resultar interesante dado que ofrecemos más información sobre la definición del alcance del SGSI (aunque actualmente únicamente está disponible en inglés) “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
ISO 27001 certification for one division
Answer:
Sure, you can limit the scope of the implementation of ISO 27001, so you can limit the certification to one division of your business, there is no problem with this, but in the future could be recommendable to expand this scope to other divisions, and finally for the whole organization.
This article can be useful for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Our online course can be also interesting for you because we give more information about the scope in the ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Policies and procedures
Answer:
I am sorry but the standard ISO 27001:2013 does not require to map policies with procedures, but you need to develop various mandatory documents, which you can see them here “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This article can be also interesting for you “How to structure documents for ISO 27001 Annex A controls” : https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
And our online course can be also interesting for you becaus e we give more information about the documents of ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Risk assessment of outsourced hosting service
Answer:
This is basically the question of the ISMS scope - you should include in your scope (and therefore in your risk assessment) only the assets you can control. So you should include in your scope/risk assessment the applications and your data on those virtual servers you control, however you should exclude the physical servers because you do not control them.
However, control A.15.1.1 requires you also to perform risk assessment of your suppliers, so this means that you should assess how this hosting service can affect confidentiality, integrity and availability of your data - for that purpose you can use the same Risk Assessment Table, and write as an asset "hosting service". So you won't be assessing the physical servers, but figure out what incidents can happen in general - e.g. unauthorized access to your data, loss of data, unavailability of the service, etc.
These articles can also help you:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
Determining scope of internal audit
Answer:
There is no specific requirement to audit entire scope of the standard and even entire organization in a one year period. However, it is recommendable to audit the system against all requirements of the standard during one year period since it is a natural time frame for every company. It is hard to find justification for auditing only part of the organization against part of the standard per year.
Quality policy should be reviewed during management review, but if the top management chooses not to make changes to the policy, it can be left as it is without changing dates or any other information.