Please select user.
There are no topics yet.
Hi, I would like to perform a BIA analysis based on the Advisera form. I have read your article - How to define activities when implementing business continuity according to ISO 22301. He's great and translates a lot. However, I have a problem with the approach to analysis in my case.
The company has a department which comprises 40 locations. They carry out the same activities but independently. An average of 100-150 people in one location.
1. Should I analyze the entire department at once and sum up the effects of losses (qualitative and financial) from all 40 locations?
2. Should I choose the largest location and analyze only one?
3. Or maybe I should complete 40 questionnaires?
I would like my approach to be in line with good business continuity practices.
How to conduct a risk analysis in this case? I understand that I need to analyze the risks for 40 locations?
Hope you are doing well.
I bought your toolkit, but I still have some issues with the SMSI documents preparation.
For instance :
- The Document of the scope
The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider.
One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division.
The company wants to certify only the Cloud Activity, but I want to check if we should include in the Scope the HR and Commercial departments to respond to the A.7 requirements and the security of customers personnel information & customers Contracts.
- The Business Continuity
Should we also prepare all the documents related to A.17 requirements even if the company doesn't plan to include the SMCA and business continuity certification in this scope ?
Thanks in advance for your support.
I have a question for you about the Statement of Applicability. I’m doing an ISO 27001 implementation at a software company and the shareholders have given us only a couple of months. So I want to do a minimal project, doing only all the necessary policies, with the idea that we can expand on that in the coming years. So I looked at what documents are mandatory and which ones are not. But now I wonder how that translates into the SoA.
Example. We have a SaaS solution, so all information from customers is on very secure cloud systems from our suppliers. We don’t have very much information that is very exciting on Sharepoint servers. If the classification policy is not mandatory and if it’s not a risk coming out of risk analysis that we need to control, does this mean we can say No on A.8.2.1 and following controls, or can I say Yes and fill in the limited measures we have, like the secure data center and so on. How would you go about this?
If the organization has remote work for all employees, it does not have a physical environment and all processes are worked in the cloud, do these controls apply to the organization?
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
Thank you in advance.
Another question. I think we know the answer, but just double check.
Q2 – We produce hardware and software that sale to our customers. The software is based on licences.
2.1 - Do the ISO controls apply in any way to these products? I think not. That once they are acquired by the customer the responsibility in terms of ISO27001 falls under them. Am I right?
2.2. - Does the ISO indicate controls for SDLC (Secure Development Life Cycle?)? And for hardware?
2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc), How does this affect us in term of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, record, etc) and store it in our systems then this data become our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect this logs/records/info?
How does BC strategy fits into an ISO 9001 certified company? What is the impact on QMS Supply chain CRISIS, sales, training and communication, etc, if you have or not BC strategy ? How should I convince my CEO on its importance/ (to my knowledge we don't have a documented BC Plan) Thank you for clarification and presenting this topic.
First at all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.
Q1 – HR department has most of systems they use externalized with 3rd parties. These covers our official web site, personnel information, Payroll and other tools. The 3rd parties do the technical management, and our HR use the systems maintaining the information. My guess is that these systems aren’t assets we need to protect, because are out of our control, but the information belong to us.
How should treat this case in terms of assets, risk assessments and controls?
I am currently researching on the topic of ISO 27001 as our number of institutional clients is increasing.
I would be interested in some information regarding the standard so I would be very grateful if you could take some time to help me with the questions:
1. I looked at the phases of standards from Planning, Implementation, Verification and Further Improvements. I wonder how long on average full implementation and verification takes?
2. Where are and what are our potential financial costs?
3. At what stage would the Auditor come and is this something you could do for us? (Also, I'm interested in the fee for that)
4. Any PDF resource would be great, which could describe the whole process in more detail. So if you have something similar, please send it to me.
5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask
We have started with the listing of our assets and need some assistance as I think that we might be on the wrong path here. We have listed most of our hardware / systems that we use and have started with the business impact analyses questionnaires. My question is: Do we list all hardware or systems that we use as activities within the business impact analyses questionnaires or is this questionnaire purely used to document the actual process covered by the individual assets.
Please see attached list of assets and we have created a questionnaire for each of these assets. Is this correct?
Just wondering, after giving the awareness workshops, there should be a survey to be filled in by the attendees, would you tell me what questions to be asked and how the results or statistics would help me later on. In other words, why I am conducting a survey, how should it help me to determine my next steps . also, in case if I am doing a report for management, what should it include for decision making?