Search results

  • Guide to defining the scope


    Answer:
    Basically you have to take into account 3 points:

    1.- Internal and external issues (defined in clause 4.1 of ISO 27001:2013)
    2.- Interested parties (defined in clause 4.2)
    3.- Interfaces and dependencies between what happens within the ISMS scope and the outside world

    For the internal and external issues, this article can help you: “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    For the interested parties, this article can also help you: “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/

    And our template for the scope may also be of interest to you (you can see a free version by clicking on the "Free Demo" tab) "ISMS Scope Document" : https://advisera.com/27001academy/es/documentation/documento-sobre-el-alcance-del-sgsi/

    This article can also help you: “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And our online course may also be of interest to you because we give more information about the ISMS scope (although the course is currently in English): “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Information assets


    Answer:
    I am sorry, but ISO 27001 does not establish who determines what constitutes an information asset, although the best practice is that the identification of assets is performed by all people involved in the implementation of the standard.

    Anyway, one of the most relevant people involved in the implementation (and maintenance) of the ISO 27001 is the CISO (he coordinates the whole project and one of his activities is the asset management). Another important question is the asset owner, which is the employee that operates the asset. This article can be interesting for you “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    This article can also be interesting for you: "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities" : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    And our online course can be also interesting for you because we give more information about the assets “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • KPI and metrics


    Answer:
    Generally all KPI / metrics can be measured and reported directly on ISO 27001 or ISO 22301, although ISO 27001:2013 does not require you to use KPIs.

    Some examples of metrics that are established to measure the effectiveness of security controls implemented are related to the backups, incidents, asset inventory, policy review, etc.

    These articles can be interesting for you:

    “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    "ISO 27001 control objectives - Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    By the way, our online course can be interesting for you because we give more information about metrics “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Auditing a server


    Answer:
    The Active Directory of a server is related to the control A.9 Access control, so you will need to review the security policy of the AD, from which, as you know, you can establish the complexity of the password, length, etc.

    The backups are related to the control A.12.3.1 Information backup, and you can review the frequency of backups, planning of the backups and restores, etc.

    The change management is related to the control A.12.1.2 Change management, and basically you can review the system for changes (request for change, approval of the change, etc.) related to the server (updates, patches, installation of new software, etc.).

    It is also important that you perform an internal audit primarily against the requirements from your own documentation.

    By the way, this article can be interesting for you "How to make an Internal Audit checklist for ISO 27001 / ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, our online course can be also interesting for you because we give detailed information about how to perform the internal audit “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Multi location


    Answer:
    I am sorry but I am not sure what you mean, anyway, these terms are not directly related to ISO 27001, but you can perform a project of implementation of the standard, including in the scope different locations of the same company. So, basically all locations will have implemented the ISO 27001.

    Our online course can be interesting for you because we give more information about the implementation of the ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Making the transition from 2005 to 2013 revision of ISO 27001


    Answer: I assume your company is already certified against 2005 revision of ISO 27001, and now you want to certify against 2013 revision - yes, this needs to be done with a certification body.

    See also:
    - article How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
    - webinar recording: What’s new in ISO 27001 2013 revision: How to make the transition from ISO 27001 2005 to 2013 revision https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/

    What is the process of the reassessment with the assessing body, do they look at all the internal audit work during the assessment ?

    Answer: By now your 2005 certificate has expired because the transition period is over, so you have to go for a completely new certification against the 2013 revision of ISO 27001. And yes, they will look at how you've done your internal audit, and they will also check all the other elements of your ISMS.

    See also:
    - article Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - article Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    If during the assessment there were some areas that needed addressing, then does the company get an opportunity to put a plan together to rectify and still maintain the certificate ?

    Answer: Yes, if the certification body finds nonconformities, they will give you a deadline until which you'll have to resolve those problems.

    See also:
    - article Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Contents of the Risk assessment report


    Answer:

    ISO 27001 doesn't specify the contents of the Risk assessment report, it only says that the results of the risk assessment and risk treatment process need to be documented - this means that whatever you have done during this process needs to be written down.

    Typically it includes all the risks that were identified, risk owners, their impact and likelihood, level of risk, risks that are not acceptable, and treatment options for each unacceptable risk. The risk appetite (i.e. acceptable level of risk) should be specified in the Risk assessment methodology, but yes - you can mention it in the Risk assessment report as well.
  • Risk assessment for ICS or SCADA?


    Answer:
    From my point of view, NIST 800-82 is a security guide for the Industrial Control Systems (ICS) and SCADA systems, but this standard does not define how to perform a risk assessment.

    ISO 27005 is a code of best practices that can help you to develop your own methodology for the risk assessment & treatment, but remember that it is focused on information security and is very general. From my point of view, you can use ISO 27005 together with the list of threats/vulnerabilities of NIST 800-82 (which are specifically focused on ICS and SCADA systems), and in this way you can develop your own methodology (with NIST 800-82 and ISO 27005).

    Anyway, with this article you can also develop your own methodology: “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/, although it does not include threats/vulnerabilities related to ICS and/or SCADA, but you can use NIST 800-82 for this.

    Finally, our online course can be also interesting for you because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Risks in many site offices


    Answer:
    If you have many site offices, you can have a separate sheet for each office, I mean, you can identify and assess risks for each office independently. For this identification you can read this article “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    Regarding your second question, if you want to know a typical folder structure, you can download our toolkit and you will see a basic structure, although you can define the structure that you want. Here you can download our toolkit by clicking on “DOWNLOAD FREE TOOLKIT DEMO”: “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Finally, our online course can be interesting for you because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Context of the organisation and design and development


    Answer:

    In order to meet requirements regarding context of the organization you need to identify all internal and external issues that can affect ability of your company to deliver quality product and achieve customer satisfaction.

    Internal issues, or internal context, include organizational culture, organizational structure, communication channels in the company, competence of employees, condition of the equipment and facilities, etc. Basically anything that can have an effect on your business performance and comes from within the organization.

    External context includes relevant legislation, conditions on the market, competition, suppliers, customer requirements, etc.

    In order to meet requirements regarding the context you do not need to document every single detail, but it is better if you have some procedure or record about it in order to facilitate demonstration of compliance with the requirements to the certification body. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    Design and development is one of the clauses that can be excluded from the scope of the QMS if it is not applicable to the type of business that the company performs. You only need to document justification for the exclusion. If you do perform a design and development process, you need to address all the requirements from this clause. For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/