Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
How to account for mobile devices that are not company owned
Answer: BYOD physical devices are typically excluded from the ISMS scope because you cannot control them completely, but you should include in the ISMS scope the company data on those devices - in that case, you simply list those data in your asset list and in your risk assessment.
This article might help you: How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
We have interfaces setup with our clients. W ould we consider those interfaces to be a separate asset, or would we only account for the data when it is stored in a database?
Answer: I'm not sure what do you mean by interfaces - if you refer to some devices or software, then you should include those assets in your asset list. In some cases you will view data separately from the devices - e.g. you will list a database separately from a physical server, in other cases you can view server as a both physical server and data on this server - you are free to do it any way you feel more appropriate. -
Milestones in the project plan
Answer:
Actually you can divide your project in 4 phases according to the Plan-Do-Check-Act cycle:
- Plan phase: documents from the ISO 27001 & ISO 22301 Premium Toolkit in folders 0 to 7
- Do phase: documents in folders 8 and 9
- Check phase: documents in folders 10 and 11
- Act phase: documents in folder 12 -
Problem in describing risks
Thank you, but it is written in italian language. I should translate it. -
Performing internal audit as a service
Answer:
The exam for our ISO 27001 Internal Auditor Course does not require an experience in a specific industry - the exam requires you to prove that you have learned the curriculum that was presented in the course.
I understand that your intention is to provide internal audit as a service to your clients, and the point is that you will be much more successful performing this internal audit in the industries where you have experience. On the other hand, for most industries there are no laws or regulations that would prevent you from performing an internal audit in those companies, so if you can convince those companies to use your services, you are free to use that opportunity. In some industries (like banking) there might be regulations which strictly regulate who can perform IT or information security audits.
By the way, you should not mention "third party" phrase in the context of an internal audit, because the phrase "third party audit" means the certification audit performed by certification bodies. -
Risk assessment for critical assets or confidential assets?
Answer:
I am not sure if I have understood your question 100%, but the risk assessment is not prepared for specific assets (critical or confidential) it is for all assets of your organization, and you can find various types of assets: hardware, software, people, etc.
This article can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And also this one “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Finally, our online course can be also interesting for you because we give more information about assets “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Become information security consultant
Answer:
Regarding the qualifications, it can be interesting for you ISO 27001 certificates, and regarding the experience it would be recommendable a minimal of 1 year working for another consultant, or working as an information security practitioner.
Regarding become fully qualified, I am not sure if I have understood your question, but generally ISO 27001 certificates have an exam, and you need to pass it to become qualified.
Some steps that you can follow to become an information security consultant for somebody without knowledge in information security are:
1.- Perform a course about information security. Th is can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ . Or also this one “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
2.- Obtain a certification, for example ISO 27001 Lead Auditor or Lead Implementer. This article can be interesting for you “Lead Auditor Course vs. Lead Implementer Course - Which one to go for?” : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/ Or also this one “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
3.- Acquire experience working for another consultant, information security practitioner, etc.
Finally this article can be also interesting for you “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/ -
Risk management for cloud computing
Answer:
From my point of view, in a cloud computing environment it is better ISO 27005, because it is developed for risks about information security, although you can also use ISO 31000 because this standard has the same structure that ISO 27005 but it is developed to any type of risk (information security, financial, environmental, etc).
Regarding ISO 91000, I suppose that you mean ISO 9001 because ISO 91000 does not exist, and ISO 9001 is not specifically developed to manage risks,it is developed to establish the requirements for a quality management system, although in the current version of the standard (ISO 9001:2015) there is a new requirement related to the risk analysis (the risk treatment is not mandatory), so it is not useful to use this standard for the risk management.
Remember that if you want to write your own methodology for the risk management, this article can be interesting for you “How to write ISO 2700 1 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
This article can be also interesting for you "ISO 27001 vs. ISO 27017 - Information security controls for cloud services" : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
And also this one "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud" : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
And our online course can be also interesting for you because we give more information about the risk management “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Level of confidentiality
Answer:
This quote is from our Classification Policy template, and this means that when classifying information, you should always take the lowest level of classification. This is because the higher the classification level, the more you will have to pay for the protection.
According to our Classification Policy template, the lowest level of confidentiality is "Internal use", however this is not mandatory according to ISO 27001.
See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ -
SLA/OLA
Answer:
SLA is a formal contract between IT service provider and customer. OLA is a contract between IT service provider and another unit of the same organization. Is Systemadmin would be completely different organizational unit - you can define OLA with them. Usually, they are part of the I T Service Management team and there is no OLA with them.
On the other side, IT service management organization signs Underpinning Contract (UC) with vendor.
Read more about different kind of contracts in the articles:
"What’s the content of an ITIL/ISO 20000 SLA?" https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/
"SLAs, OLAs and UCs in ITIL and ISO 20000" https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/
"Who is your ideal ITIL/ISO 20000 Service Level Manager?" https://advisera.com/20000academy/blog/2016/04/19/who-is-your-ideal-itiliso-20000-service-level-manager/ -
Defining criteria for evaluation of environmental aspects
Answer:
Criteria used for evaluation of environmental aspects should reflect type, size and complexity of your business. Meaning that, if you have some small company that doesn't have some big impact on the environment, you can use only one criteria. On the other hand, if you are big company with great impact on the environment, you should use several criteria for determining significance of your environmental aspect.
Our Procedure for Identification and Evaluation of Environmental Aspects and Risks https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/ uses four criteria for evaluation of environmental aspects and they all combined provide information on whether the aspect is significant or not.
Criteria that we use are:
- Criteria related to probabi lity (frequency) of aspects and their impact
- Criteria related to scale of impact and consequences
- Criteria related to time of recovery
- Criteria related to the reach of impact