Couple of questions for you, as I'm trying to gather as much information as possible before we have the templates.
1. What level of assets do we need to go down to on the Inventory of assets, e.g. computers, servers, phones, etc.?
2. What is the breakdown required on the List of risks?
3. Do you have any recommendations on where to find the list of legal, regulatory, contractual and other requirements?
Answers:
Point 1: The standard does not establish the level of assets that you need to go down to (and in the new ISO 27001:2013 the identification of assets is not necessary in your methodology, but we recommend that you keep this approach). You can identify them by categories (Hardware, Software, etc.), and I think that this article can be interesting for you: How to handle Asset register (Asset inventory) according to ISO 27001: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Point 2: The same as the previous point: the standard does not establish the level of detail for the list of risks. Here you will find 6 easy steps to perform the risk assessment & treatment: ISO 27001 risk assessment & treatment 6 basic steps: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Point 3: Yes, sure. You can start with the identification of interested parties, and to do this, you can read this article: How to identify interested parties according to ISO 27001 and ISO 22301: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// After this, you need to identify all laws that apply in your country, especially those related to IT. To do this, you can use this list of laws and regulations on information security and business continuity: Laws and regulations on information security and business continuity: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Jan 12, 2016