
The ISO27k FAQ - ISO27k infosec management …

The ISO27k FAQ: Answers to Frequently Asked Questions about the ISO/IEC 27000-series information security standards.

This is a static PDF offline version as of August 2017. The online version at www.ISO27001security.com is updated from time to time. This FAQ provides explanation and pragmatic guidance for those implementing the ISO/IEC 27000-series (ISO27k) standards, including a sprinkling of implementation tips to get you off to a flying start.

ISO27k FAQ, Copyright ISO27k Forum 2017 (94 pages).


Contents

Introduction, scope and purpose of this FAQ .. 5

Basic questions relating to ISO27k .. 6
FAQ: The titles of the ISO27k standards mention "Information Technology -- Security Techniques". Does this mean they are IT-specific? .. 6
FAQ: Where can I obtain [insert name of ISO27k standard here]? .. 7
FAQ: I want to become an ISO27k consultant. I'm looking for books or courses that teach ISO27k. Is there an exam? .. 7
FAQ: Are there any qualifications for ISO27k professionals? .. 8
FAQ: Where else can I find answers on ISO27k and information security? .. 10
FAQ: What does "ISO" mean? And what about "ISO/IEC"? .. 12
FAQ: What do "WD", "CD", "FDIS" and those other acronyms prepended to draft ISO standards really mean? .. 12
FAQ: Aside from International Standards, what are TRs and PASs and ..? .. 13
FAQ: What is meant by "JTC/1 SC 27" and what are "WGs"? .. 14
FAQ: How can I keep up with developments in ISO27k? .. 16
FAQ: How can I get involved in the development of security standards? .. 16

Get going on your ISO27k
FAQ: How do we engage our management, persuading them that the ISMS program has to be established? .. 17
FAQ: Should we aim for ISO27k conformance, alignment, compliance or certification? .. 18
FAQ: How many man-years (or man-months) are needed to implement an ISMS? .. 20
FAQ: Is it necessary to appoint an Information Security Manager to implement and run an ISMS? If so, what qualifications should he/she possess? .. 21
FAQ: When creating an ISMS, is it absolutely necessary to include members from non-IT parts of the business (business owners, finance, legal, HR, etc.)? .. 23
FAQ: How do we define the scope of our ISMS? .. 24
FAQ: Is it possible to restrict the scope of the ISMS to just one department or business unit, at least initially? If so, how do we treat information risks that go beyond the scope of our ISMS? .. 27
FAQ: Why do some organizations restrict the scope of their ISMS? .. 28
FAQ: We need an inventory of our information assets. How do we do that? .. 30
FAQ: What/how much detail should our information asset inventory include? .. 32
FAQ: Should the risk assessment process cover all our information assets? .. 34
FAQ: Is control X mandatory [for various values of X]? .. 34
FAQ: I'm struggling to make sense of and apply ISO 27002's generic security recommendations to my organization. Any guide or advice? .. 36

Information risk
Q: What is "information risk management"? .. 37
FAQ: We are just starting our ISO27k program. Which information risk analysis method/s could we use? .. 39
FAQ: How do we choose a risk analysis tool or method? .. 42
FAQ: Is it OK to determine and multiply threat, vulnerability and impact ratings to calculate our information risks? .. 44
FAQ: We have taken over operations for a data center which belongs to and was previously operated by our client. We have expanded our information asset inventory to include not just our own assets but also the data centre assets belonging to our client. How should we handle risk-assessing our client's information assets? .. 46
FAQ: What is the difference between risk assessment and audit? .. 47
FAQ: Is threat assessment, threat modeling, threat analysis, vulnerability assessment, vulnerability modeling, penetration testing, business impact analysis, threat-vulnerability analysis, IT auditing .. or whatever .. the same as risk analysis, risk modeling, risk assessment .. or whatever ..? .. 48
FAQ: How should management define the organization's risk appetite? .. 50
FAQ: Which compliance obligations are relevant to information security and ISO27k? .. 51
FAQ: How should we handle exceptions? .. 53
FAQ: Is there a published list of information security threats? .. 54
FAQ: Our third party penetration testers recently found 2 medium risk and 7 low risk vulnerabilities. I disagree with the ratings and want to challenge the medium risks (some old software) before they report to the Board. What do you think? .. 55
FAQ: I'm confused about "residual risk". For example, after risk assessment there are 3 risks (A, B and C): risk A is acceptable, B and C are not acceptable. After risk treatment, B becomes acceptable but C is still not acceptable. Which is the residual risk: just C? Or B and C? .. 55

ISMS documentation .. 57
FAQ: What format and style is appropriate for ISMS documentation? .. 57
FAQ: What are the differences between the Statement of Applicability (SoA), Risk Treatment Plan (RTP) and Action Plan (AP)? .. 58
FAQ: I would like an RTP example, with one or two risks managed, please .. I would give anything to see a little part of .. I don't know how to .. I recently finished my risk analysis and I'm really stuck .. 58
FAQ: What should we cover in our [information] security policy? .. 59
FAQ: Do we need an ISMS manual? .. 61
FAQ: I am trying to put together a document for working in secure areas. How much information should it contain: is this just a one-pager or a full manual? .. 61

ISMS maturity .. 63
FAQ: What Content Management System should we use for our ISMS? .. 63
FAQ: Should we roll our own Policy Management System or buy one? .. 63
FAQ: Which laws and regulations do we need to comply with, according to ISO/IEC 27002? .. 65
FAQ: How can we generate a "culture of security"? .. 66
FAQ: What can the ISMS implementation project manager do to ensure success? .. 68
FAQ: Our organisation is planning to implement metrics to measure the effectiveness of both information security and management controls. What is the starting point and process? What metrics should we use? .. 69

ISMS audit and certification .. 71
FAQ: I work for an Internal Audit function. We have been asked by the ISMS implementation project team to perform an ISMS internal audit as a prelude to an external/third party certification audit against ISO/IEC 27001. They are asking for a load of things from us and expect us to do the audit within a tight timescale defined on their plans. Is this information really needed? Are we (as an independent audit team) forced to give them such information? Should we perform a quick internal audit or take the time necessary, although the certification would be postponed? Are there ISMS audit programme/plan templates we can use, and what other considerations should we take into account for the ISMS internal audit?
