Implementing business continuity management system
Answer:
Regarding your first question, generally the implementation project for a business continuity management system is not structured in processes; it is structured in steps, and here you can see how to implement a business continuity management system based on ISO 22301 “17 steps for implementing ISO 22301” : https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
Regarding the process involved in auditing a business continuity management system, generally it is not used; I mean, the internal audit is structured in steps, not in processes, and besides the previous article, you can also use our specific toolkit for the internal audit, which has all the necessary tools that you can use to perform the internal audit in your company (you can see a free version by clicking the “Free demo” tab) “ISO 27001/ISO 22301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
Creating policies and procedures: Stage of implementation
Answer:
Generally, the creation of policies and procedures begins after the risk assessment & treatment, because you will need policies and procedures to implement the security controls.
Regarding your second question, the first policy that you can write is the top-level information security policy.
Finally, our online course can also be interesting for you because we give more information about how to implement policies and procedures “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Monitoring and measurement results
There are two more documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
- In the top-level Information Security Policy, in section 4.1 you need to specify the responsibilities for measurement and monitoring.
- Risk Treatment Plan - in the column "Method for evaluation of results" you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column "Status" you need to specify whether a particular control is implemented or not, which you can use for monitoring the implementation plan.
Asset type "Physical"
· Software: Application software, system software, interfaces, development tools and utilities.
· Hardware: Computer equipment, communications equipment, removable media and other physical equipment.
· Service: Computing and communications services. Example: Internet access, reference web pages, network access, e-mail, networks, etc.
· Site: Information processing facilities. Example: Main and backup data center, document archive, etc.
In a recent internal audit the auditor made an observation that we should include the asset type PHYSICAL “for non-digital assets”, which refers to documents such as photographs, recordings or people.
Should this be included?
Answer:
From my point of view an asset of type "Physical" related to photographs, recordings or people is not necessary, although you should include in your methodology other types of assets such as "People" or "Information" (related to digital information: photographs, recordings, or physical information: information in paper format).
Finally, our online course may also be useful for you, since we offer more information about assets (although at the moment the course is only available in English) “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Aligning information security objectives with business strategy
Answer: Your top-level information security objectives (objectives for your whole ISMS) must support your business strategy, because information security must be part of the efforts of making your company successful.
For example, for a financial organization, an information security objective might be to decrease the number of data leakages, which directly supports an increase in trust in such an organization. And building such trust is probably a strategic objective of a financial organization.
Report information about compliance and audit
Answer:
From my point of view you can report information about the execution of your process, so you can report information about the NCs (Non-Conformities), OFIs (Opportunities for Improvement), compliance with laws, corrective actions pending, number of audits, departments or areas audited, security controls audited, etc.
Balance scorecard
Answer:
ISO 27004 is a code of best practices that can help you to measure your ISMS by defining metrics, which you can use to develop a balanced scorecard (although this standard does not refer directly to the balanced scorecard, you can use the standard to develop it).
Anyway, these articles about measurement can be interesting for you:
Answer:
Basically you have to take into account 3 points:
1.- Internal and external issues (defined in clause 4.1 of ISO 27001:2013)
2.- Interested parties (defined in clause 4.2)
3.- Interfaces and dependencies between what happens within the ISMS scope and the outside world
And our online course may also be interesting for you because we give more information about the ISMS scope (although the course is currently in English) “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Information assets
Answer:
I am sorry, but ISO 27001 does not establish who determines what constitutes an information asset, although the best practice is that the identification of assets is performed by all people involved in the implementation of the standard.
Anyway, one of the most relevant people involved in the implementation (and maintenance) of ISO 27001 is the CISO (he coordinates the whole project, and one of his activities is asset management). Another important question is the asset owner, which is the employee that operates the asset. This article can be interesting for you “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Answer:
Generally all KPIs/metrics can be measured and reported directly on ISO 27001 or ISO 22301, although ISO 27001:2013 does not require you to use KPIs.
Some examples of metrics that are established to measure the effectiveness of the security controls implemented are related to backups, incidents, asset inventory, policy review, etc.