Set of ISO 27001 questions
1. What is data labeling? To which assets does data labeling apply?
What are the good practices for data labeling?
Can you give me examples of data labeling?
2. What relationship do asset valuation and/or identifying the level of importance of the asset have with risk analysis?
Finally, what use is asset valuation to me?
3. Is the level of importance of the assets, calculated in the asset valuation from the analysis of the asset's confidentiality, integrity and availability, what is used in the risk analysis to estimate the impact on the business if a risk materializes?
4. Which information security processes must be documented?
5. How can information security risks, and the risk treatment plan, be monitored?
6. Which templates can I use to monitor the risks and the risk treatment plan?
7. When will I receive the toolkit update with the new version of ISO 27001:2022?
1. What is the data label? what assets does the data label apply to?
What are the best practices for data labeling?
Can you give me examples of data labeling?
A data label is any means you can use to attribute information to an information asset. In the context of ISO 27001, a data label is generally applied to show the information classification.
The assets to which the data label applies will depend on how you treat classified information. For example, all information classified as secret may require the assets that contain it to be labeled.
ISO 27001 does not prescribe practices for data labeling, but some examples you may consider are:
- adopt physical and logical data labels (e.g., adhesive labels, electronic logos, etc.)
- place the data label in the locality of easy visualization (e.g., top of the page, top corner of a screen, etc.)
- place the data label in an asset container (e.g., an electronic folder, a box file, etc.), so people do not need to access the asset to see the label
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2. What is the relationship between the classification of assets and/or identifying the level of importance of the asset and the risk analysis? Finally, what is the use of asset classification for me?
The risk analysis, along with the identification of legal requirements (e.g., laws, regulations, and contracts), is the main source of information for asset classification. The higher the risks related to an asset, the higher would be the asset classification.
The asset classification will help you to know how to treat information. Normally, the higher the classification, the more controls you will need to implement to protect the information.
3. Is the level of importance of assets calculated in the assessment of assets, based on the analysis of confidentiality, integrity and availability of the assets, what is used to estimate the impact on the business if a risk materializes?
Please note that the thinking process is the other way around. The impact of materialized risks on the confidentiality, integrity, and availability of information is what will be used to estimate the classification level of an asset.
4. What are the information security processes that must be documented?
ISO 27001 does not require information security processes related to information classification to be documented, but in general, organizations document an Information Security Policy as a way to make the rules on how to classify, label, and treat information clear to all personnel who handle information that needs to be protected.
5. How can you monitor information security risks, and the risk treatment plan?
Monitoring of risks will depend on their nature, so here are some examples:
- Monitoring of recorded incidents
- Monitoring of anomalous behaviors of information systems and networks
- Monitoring of KPIs (Key Performance Indicators) of processes related to relevant risks
Regarding the Risk Treatment Plan, since it defines resources and deadlines for each action, you can use this information to track the implementation progress.
For further information, see:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
6. Which templates can I use to monitor the risks and the risk treatment plan?
To monitor risks you can use the Risk Assessment Table, located in folder 05 Risk Assessment and Risk Treatment. In this table, you can include new risks or update the status of currently recorded risks.
To monitor the actions related to Risk Treatment Plan you can use the Risk Treatment Plan itself. Like in the Risk Assessment Table, you can include new actions or update the status of current actions to implement risk treatments.
7. When will I receive the toolkit update with the new version of ISO 27001:2022?
All customers who bought their toolkits within 12 months from October 31st, 2022 are entitled to receive an updated toolkit. If this is your case, you will receive your updated toolkit as soon as the Spanish version is released.
Apr 05, 2023