ISO 27001 & 22301 - Expert Advice Community


  • PIMS

    What is the best way to be adopted in an attempt to establish an effective PIMS based on ISO 27001 and ISO 27018, and perhaps consider ISO 27701?

  • Risk owner

    Assign ownership and accountabilities for strategic, aggregated, dynamic risks

  • Skipping certain blocks in the document templates

    Dear Dejan,

    We started working with Conformio, and first of all: I think it’s very useful! Thank you for it.

    I just have a question: I noticed all document templates have a block with “code, version, date of version etc” and later on a block with “change history”. This doesn’t make sense to me, since we are already using Conformio as a document management system where these things are already properly documented for each file. Can I remove these in my documents?

    I am asking this because I want to make our documents as short as possible, so our employees actually do read them (the more unnecessary info the more distraction and I’m afraid they will scroll rather than really read). Therefore, I would also like to skip the “reference documents”. Is that allowed too?

    Thanks for your advice.

  • Assets and Risks

    Is it a fairly standard procedure, when considering risk assessment to follow this idea:

    List all the assets which will include buildings, Servers, Networks, HR data, payroll data, Pension data, training records etc

    Apply a standard set of threats to each and every asset regardless of whether it's a physical asset or an information asset (e.g. environmental, deliberate external asset compromise, deliberate internal, accidental internal, loss of staff etc.). (In this example we'd apply the 5 threats to each asset to generate the risks, i.e. the 7 assets listed would yield 35 risks.)

    Score the risks and generate the treatment plan.

    Is it overkill to list each data type? Should we just list the threats against the 3 or 4 data classification types as well as the physical assets?

    Any advice greatly appreciated.

  • General criteria used to determine critical services

    I work for ***, and ***, a colleague of mine, gave me your email. In 2019, she purchased your company's business continuity templates.

    I am writing to see if you can help me with a question: in your experience, what is the general criterion that companies use to determine the critical services that form the basis of the business continuity strategy?

    Also, could you share with us the list of courses you offer on the topic of business continuity?

    Thank you very much for your assistance.

  • Separate Risk Assessment

    I'm currently working for a bank and we have around 250 plus branches.
    We have a requirement for all our branches to become compliant with ISO 27001:2013.
    My question is: how do we approach this task?
    We are currently in the process of certifying our head office.
    Do we need to conduct separate risk assessments and asset inventories for each branch? Isn't there an easier way?

  • ISO 27001 implementation

    Hope you are well.
    I have bought the documentation toolkit with extended support.
    1 - Frankly, I'm not quite sure to whom I should send my queries via email.
    I received a detailed email explaining these things at the time of purchase, but I can't find it now.

    2 - I'm planning to implement ISO 22301 for our bank, which is a leading bank with more than 30 branches, and for now we are planning to certify only the IT department's operations.
    My question is: do we need to include the branches in our scope, or is it just our HQ office and our DR site?
    In each branch, we have some switches and firewalls that are used to connect to our centralized systems. All the equipment in the branches is managed centrally from the head office.

  • Scope as IT Department

    If I'm setting the scope as the IT Department, should I include the branches in the scope as well?
    In each branch I have some routers and switches to connect to the HQ, where all systems are central and managed from the HQ.