
  • Teleworking


    Answer:
    I am not sure if I have understood your question, but teleworking means that your company has employees working usually from their home, and if you want to implement the control 6.2.2 Teleworking of the Annex A of ISO 27001:2013, basically you need to define a policy that defines the conditions and restrictions for using teleworking.

    For this, our template can be useful for you (you can see a free version by clicking on the “Free demo” tab): “Mobile Device and Teleworking Policy” : https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/

    You can also use a BYOD policy, so this article can also be interesting for you: “How to write an easy-to-use BYOD policy compliant with ISO 27001” : https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

    Finally, our online course can also be interesting for you, because we give more information about the controls of Annex A of ISO 27001:2013: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Are the documents from Annex A mandatory?


    Answer: Basically you are right - if you do not select the control A.8.1.1 "Inventory of assets" as applicable (this is done in the Statement of Applicability), then you don't have to create the document for inventory of assets.

    These articles will also help you:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    And this free online course will also describe the above-mentioned logic to you, as well as describe the controls from Annex A: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Cuadro de mando integral


    Answer:
    There is no specific standard focused solely on a Balanced Scorecard, but you can use ISO 27004 to develop one, because it is a standard that basically contains a code of good practice that can help you measure an ISMS (Information Security Management System) based on ISO 27001 (by defining metrics).

    These articles may be of interest to you:

    “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    “ISO 27001 control objectives - Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    This webinar may also be of interest to you: "ISO 27001 and ISO 27004: How to measure the effectiveness of information security?" : https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/

    You may also be interested in our online course, where we provide more information on how to measure an ISMS based on ISO 27001, although this course is currently only available in English: "ISO 27001:2013 Foundations Course" : https://advisera.com/training/iso-27001-foundations-course/
  • Policy Applicability Questions

    If you have outsourced your IT infrastructure to an external provider (external data center providing hosting services), you cannot manage controls related to their physical perimeter, so in this case you must identify all risks related to their service and include security clauses in the agreement with that provider. However, you can control assets that you directly manage: data, applications, virtual servers, etc. so there you will apply appropriate security controls.

    So, basically all IT infrastructure provided by an external company (physical servers, etc.) should be out of the scope of your ISMS, and all assets that you can manage (virtual servers, web servers, applications, etc) should be included in the scope.

    I think that this article can be useful for you: “6-step process for handling supplier security according to ISO 27001” : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    And also this one: “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    And also this one: “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Finally, our online course can also be interesting for you, because we give more information about the security controls of Annex A of ISO 27001:2013: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Information Classification Questions


    Answer: ISO 27001 doesn't specify who it should be, so you can do whatever you feel is appropriate for your company. Very often this job is really done by the person in charge of security.

    2. Does it make a difference that my asset inventory is also my risk assessment table? Is there any additional information that I should include? e.g. a column for classification level, labelling requirement, handling information.

    Answer: ISO 27001 allows you to use one sheet for both risk assessment and asset inventory - this is very often done in smaller companies. ISO 27001 requires you only to include the asset owner in this sheet, but you can add other information if you feel this is necessary for you.

    3. If a new asset needs to be entered to the inventory would you immediately perform a risk assessment on that asset to ensure appropriate controls are put in place?

    Answer: If this is an important asset (i.e. if that asset can significantly influence the confidentiality, integrity and availability of your information), then the answer is yes; if the asset is not important, then the risk assessment will be done during the first risk review.

    4. How should a list of authorised persons be structured and where should it be stored? Should there be separate list for each asset that requires one?

    Answer: You should use a list of authorized persons only for highly confidential information, not for all classified information that you handle. For example, if you have a document that specifies your company strategy to acquire a competitor, such a document will have one list of authorized persons who can access it; if your company has admin passwords printed out and stored in a safe, then you will have a different list of persons for this particular document. The best thing is if this list is attached to the document itself.

    5. Do you have to include labelling for information systems, databases, applications etc? In some cases this may not be practical.

    Answer: You should include labeling, but in case of information systems, databases, applications, etc. this could be displayed only on the login screen.

    6. Further to question 4 would you have to put a label on every USB stick in use? And would labelling be required for PC's and laptops?

    Answer: You could define a rule where this labeling is required only if these media contain highly confidential information; if you have less confidential information, then you can define a rule where those media are not labeled at all - you can simply say that it is assumed all the assets contain information which is classified with the lowest level of confidentiality.
  • Number of not applicable controls in statement of applicability

    Thank you for your answer. Now I am preparing a new version and I'll exclude about 10 controls.
  • Various IT audits to an organization

    So detailed. Thank you for the clarifications, end-to-end clarifications.
  • What does 'Managing records kept on the basis of this document' mean?


    Answer:

    The activities that are prescribed by policies and procedures almost always produce some kind of records - e.g. if you define the rule that you will perform the backup every 24 hours, you will have backup logs that are created every time the backup process is initiated.

    Similar with BYOD policy - for example, section 3.2 requires you to create a list of persons who are allowed to use their own devices, and this particular list is then a record that needs to exist.

    In all our templates you have a suggestion on what should be included in the section 4, i.e. what kind of records need to be produced.

    See also this article: Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Mobile device management for ISO 27001 implementation?


    Answer:
    From my point of view, Mobile Device Management can help you to implement only the control A.6.2.1 Mobile device policy of Annex A of ISO 27001:2013, but it is only 1 control of 114 controls.

    So, the MDM in this case can help you with a smaller part of ISO 27001 implementation.

    I think that this article can be interesting for you “The basic logic of ISO 27001: How does information security work?” : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    And also this one "How to write an easy-to-use BYOD policy compliant with ISO 27001" : https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

    And if you are interested in the implementation of the standard, this article can also be interesting for you: “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And our online course can also be interesting, because we give more information about the implementation of the standard ISO 27001 and about the controls of Annex A: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment - threats related to top management


    Answer:

    Threats could be numerous, but I would say that the biggest threat is unavailability of e.g. the CEO, especially if the related vulnerability would be that there are no replacements for that person.

    Other threats could be similar to other employees - breaking the information security rules, misuse of assets, not protecting adequately confidential information, etc.

    This article may help you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/