· Software: application software, system software, interfaces, development tools and utilities.
· Hardware: computing equipment, communications equipment, removable media and other physical equipment.
· Service: computing and communications services. Example: Internet access, reference web pages, network access, e-mail, networks, etc.
· Site: information processing facilities. Example: main and backup data center, document archive, etc.
In a recent internal audit the auditor made an observation that we should include the asset type PHYSICAL "for non-digital assets", which refers to items such as photographs, recordings or people.
Should this be included?
Answer:
From my point of view an asset of type "Physical" for photographs, recordings or people is not necessary, although you should include other asset types in your methodology, for example "People" or "Information" (covering digital information: photographs, recordings; or physical information: information on paper).
Finally, our online course may also be useful to you, since it offers more information about assets (although for now the course is only available in English): "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
Aligning information security objectives with business strategy
Answer: Your top-level information security objectives (the objectives for your whole ISMS) must support your business strategy, because information security must be part of the effort to make your company successful.
For example, for a financial organization an information security objective might be to decrease the number of data leakages, which directly supports an increase in trust in that organization. And building such trust is probably a strategic objective of a financial organization.
Report information about compliance and audit
Answer:
From my point of view you can report information about the execution of your process, so you can report information about NCs (Non-Conformities), OFIs (Opportunities for Improvement), compliance with laws, pending corrective actions, number of audits, departments or areas audited, security controls audited, etc.
Balanced scorecard
Answer:
ISO 27004 is a code of best practice that can help you to measure your ISMS by defining metrics, which you can use to develop a balanced scorecard (the standard does not refer directly to the balanced scorecard, but you can use it to develop one).
Anyway, these articles about measurement may be interesting for you:
Answer:
Basically you have to take into account 3 points:
1.- Internal and external issues (defined in clause 4.1 of ISO 27001:2013)
2.- Interested parties (defined in clause 4.2)
3.- Interfaces and dependencies between what happens within the scope of the ISMS and the outside world
And our online course may also be interesting for you, because we give more information about the scope of the ISMS (although the course is currently in English): "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
Information assets
Answer:
I am sorry, but ISO 27001 does not establish who determines what constitutes an information asset, although the best practice is that the identification of assets is performed by all the people involved in the implementation of the standard.
Anyway, one of the most relevant people involved in the implementation (and maintenance) of ISO 27001 is the CISO (he coordinates the whole project, and one of his activities is asset management). Another important point is the asset owner, which is the employee who operates the asset. This article may be interesting for you: "What is the job of Chief Information Security Officer (CISO) in ISO 27001?": https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Answer:
Generally all KPIs / metrics can be measured and reported directly under ISO 27001 or ISO 22301, although ISO 27001:2013 does not require you to use KPIs.
Some examples of metrics established to measure the effectiveness of the implemented security controls relate to backups, incidents, the asset inventory, policy review, etc.
Answer:
The Active Directory of a server is related to control A.9 Access control, so you will need to review the security policy of the AD, where, as you know, you can set the password complexity, length, etc.
Backups are related to control A.12.3.1 Information backup, and you can review the frequency of backups, the planning of backups and restores, etc.
Change management is related to control A.12.1.2 Change management, and basically you can review the procedure for changes (request for change, approval of the change, etc.) related to the server (updates, patches, installation of new software, etc.).
It is also important that you perform an internal audit primarily against the requirements from your own documentation.
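As an added illustration of the Active Directory review mentioned in the answer above (this script is not from the original answer or from Advisera): a PowerShell check that reads the domain's default password policy and compares it with the thresholds written in your own documented password policy, then lists any fine-grained password policies that override the default for particular groups. It assumes the ActiveDirectory module (RSAT) is installed and the account running it can read the domain; the threshold values in `$required` are placeholders, to be replaced with the values from your own policy document.

```powershell
# Added example (not from the original page): audit the AD default password
# policy against the thresholds documented in your own password policy.
# Assumptions: ActiveDirectory module available, read access to the domain.
# The values in $required are placeholders; take them from your policy document.
Import-Module ActiveDirectory

$required = @{
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MaxPasswordAgeDays          = 365
    LockoutThreshold            = 10
    ReversibleEncryptionEnabled = $false
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if ($policy.MinPasswordLength -lt $required.MinPasswordLength) {
    $findings += "Minimum length is $($policy.MinPasswordLength); policy requires at least $($required.MinPasswordLength)"
}
if ($policy.ComplexityEnabled -ne $required.ComplexityEnabled) {
    $findings += "Complexity enabled = $($policy.ComplexityEnabled); policy requires $($required.ComplexityEnabled)"
}
if ($policy.PasswordHistoryCount -lt $required.PasswordHistoryCount) {
    $findings += "History count is $($policy.PasswordHistoryCount); policy requires at least $($required.PasswordHistoryCount)"
}
# MaxPasswordAge is a TimeSpan. A value of 0 (or an implausibly large one)
# means passwords never expire, which is a finding in itself.
$maxAgeDays = $policy.MaxPasswordAge.TotalDays
if ($maxAgeDays -le 0 -or $maxAgeDays -gt 3650) {
    $findings += "Maximum password age is not set (passwords never expire)"
} elseif ($maxAgeDays -gt $required.MaxPasswordAgeDays) {
    $findings += "Maximum password age is $maxAgeDays days; policy allows at most $($required.MaxPasswordAgeDays)"
}
# LockoutThreshold 0 means account lockout is disabled.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $required.LockoutThreshold) {
    $findings += "Lockout threshold is $($policy.LockoutThreshold); policy requires a non-zero value of at most $($required.LockoutThreshold)"
}
if ($policy.ReversibleEncryptionEnabled -ne $required.ReversibleEncryptionEnabled) {
    $findings += "Reversible encryption enabled = $($policy.ReversibleEncryptionEnabled); policy requires $($required.ReversibleEncryptionEnabled)"
}

Write-Host "Default domain password policy: $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Host " - $_" }

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so the auditor has to see every policy in force.
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
foreach ($pso in $psos) {
    Write-Host "PSO '$($pso.Name)' (precedence $($pso.Precedence)): min length $($pso.MinPasswordLength), complexity $($pso.ComplexityEnabled), lockout threshold $($pso.LockoutThreshold)"
    Write-Host "   applies to: $($pso.AppliesTo -join ', ')"
}
```

The point of comparing against `$required` rather than against a hard-coded "best practice" is the same one the answer makes about internal audits: the evidence you collect has to be checked against what your own documentation says, and any PSO with a weaker setting than the default is an exception that should be justified in that documentation.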
Answer:
I am sorry, but I am not sure what you mean. Anyway, these terms are not directly related to ISO 27001, but you can carry out an implementation project for the standard that includes different locations of the same company in the scope. So, basically, all locations will have implemented ISO 27001.
Making the transition from 2005 to 2013 revision of ISO 27001
Answer: I assume your company is already certified against the 2005 revision of ISO 27001, and now you want to certify against the 2013 revision. Yes, this needs to be done with a certification body.
What is the process of the reassessment with the assessing body, do they look at all the internal audit work during the assessment ?
Answer: By now your 2005 certificate has expired because the transition period is over, so you have to go for a completely new certification against the 2013 revision of ISO 27001. And yes, they will look at how you have done your internal audit, and they will also check all the other elements of your ISMS.
If during the assessment there were some areas that needed addressing, then does the company get an opportunity to put a plan together to rectify and still maintain the certificate ?
Answer: Yes, if the certification body finds nonconformities, they will give you a deadline by which you will have to resolve those problems.