Guest
I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?
I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization.", so I have a question on that as well:
Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets strictly as devices. Also, risks are listed separately and are linked only to "category type", not to a specific detail asset.
Our company has different departments like
1) HR
2) Finance
3) IT
4) Facility Management
5) Admin
6) Operation
7) Legal
I am implementing ISO 22301 and I need to do the scoping of the BCMS. Can you please advise me on how I should perform these tasks? What are the things that I should consider while scoping, and what departments should I include in the scope of the BCMS?
Hi
I have implemented a BCMS with one department/business unit as the scope and got certified as well. Now I am increasing my BCMS scope and I am done with the BIA with another department, and now I am ready to make the strategy and plan for them. I need clarification on the points below. I have initially made the BC strategy document for the business unit, and it is specific to them.
Do I need to edit the same BC strategy document and add BC strategy for a new business unit or can I create a new BC strategy document for each department?
Do I need to write the workaround of the processes/activities which I recognise in BIA conducted with the departments, in the BC plan?
Can I have a single document of both the BC strategy and plan in a single document for each business unit?
Please advise.
Thanks
1. We have been told by a client (a bank) that we need to become ISO27001 accredited as a company to meet their security standards.
But we are only a small organisation and do not have in-house IT people.
Would you recommend we contract an IT consultant for some time and use your framework?
2. How do you work with clients like us? I’m not sure where to start.
We need some guidance in understanding and applying one section of your template for the Acceptable Use Policy, §3.14 — E-mail and other message exchange methods.
The final paragraph of that section requires that “Each e-mail message must contain a disclaimer, except messages sent through communication systems determined by IT Manager. Should a user post a message on a message exchange system (social networks, forums, etc.), he/she must unambiguously state that it does not represent the organization's viewpoint.”
The intended purpose or scope of this requirement is not clear to us. Does it apply to both business and personal messages? We state elsewhere that only business communications may take place over the organization’s information exchange systems. Is it referring to postings on social media talking about the company, which should state that they do not represent the organization's viewpoint? Can you give us examples of the kind of disclaimer that is intended here? I find no direct reference to this within ISO 27001.
Is this really two separate requirements? One for all e-mail communications stating privacy requirements, as we often see at the bottom of incoming e-mails, and another requirement stating that someone's personal opinion does not necessarily represent the organization’s viewpoint? Can you please help us understand this requirement so we can establish the appropriate controls?
How to develop documents to meet the audit requirements below, and also the best way to provide answers to each of the requirements during an audit:
1. Management commitment, including policy, roles, responsibilities & authority
2. Cl. 7 Support, including competence, awareness and control of documented information
3. Business continuity strategy, including resource requirements
4. Context of the organization
Where would we include a listing of roles and responsibilities? Should it be included in one of the mandatory documents, or in a separate document? Or is it even necessary at all?
So, I would like to ask you some questions about BIA:
This question is regarding document scope, especially as it pertains to section 3.2 Document Approval.
In our very small organization, all ISMS-specific documents would be reviewed and approved by two individuals. That I understand, no problem. But for client work/project-related documents that are created, such as project plans, creative files, copy decks, etc., oftentimes there is no review and approval process needed. Documents are created by the employee and sent to the client.
How would that be described in section 3.2? Do I describe an "exemption" for review and approval of client project work files?