-
Consequence and Likelihood after Risk Treatment
We are developing our Risk Register using the Advisera templates. We have to mention the values of Consequence and Likelihood after the risk treatment, i.e., the residual risk. Will application of a control reduce the “Consequence” as well?
For example, “Unauthorized Physical Access to Data Center” may have a “High” consequence and “Medium” likelihood. After application of controls like CCTV/door locks we can reduce the likelihood to “Low”, but will it reduce the “Consequence” as well?
Even after the control is applied if there is a breach it will have the same Consequences.
-
Internal audit after certification
Dear Advisera team, greetings. Just some clarification on the topic of the internal audits that one needs to do after the certification. Do we need to audit aspects of the ISMS in the IA (like Leadership & Commitment (5.1))? I ask because the external auditors on the surveillance audit will for sure check the ISMS level of implementation in the business, but can I just check the Annex A controls? What is mandatory (and what would you recommend)? Many thanks in advance.
-
Assets detail level and segregation of duties
We ordered your ISO 27001 toolkit to prepare ourselves for the XYZ audit.
Our company XYZ is an XYZ-employee company developing and licensing its own software as SaaS. The DevOps infrastructure is hosted internally, but all SaaS services are provisioned from the AWS cloud. Employees in our company are divided into two groups, sales/marketing and developers. Developers have several roles because they are developing software, administering the production system and, to some extent, providing customer support. Most of the admin processes (finance and payroll) are outsourced. Typical arrangements in companies that are about our size.
- I am struggling with the level of detail for listing assets in 10.1 Risk Assessment Table. Does the standard define assets in detail, or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be "development operations system", or do we need to break it down into more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira as task management, etc.)? A similar question: can I describe our SaaS service as one asset even though it has several technical components inside?
- My second question relates to segregation of duties: we simply do not have enough development people to define strict roles between people, because the same people both develop and deploy versions to production. Of course, there is a well-defined process to test and accept a release candidate before it is put into production.
-
ISO 27001 data center control requirements
I have a question: what are the ISO 27001 data center control requirements for facilities and operations?
-
Implementing ISO 27001 in different countries
We have a company with locations in 3 countries: Germany, Italy and the UK.
Of course, we registered our company under 3 different legal names based on the country. So the main name is always the same, but based on the country the name has a different name extension and is therefore slightly different in each country.
We want to get ISO 27001 certified in all 3 locations/countries. Do we need to make 3 audits now in each country? Or is it enough to implement in all 3 locations and only do 1 audit which will cover all 3 locations?
What possibilities do we have? / Any advice?
-
Screening requirement
Can I use a sampling method to meet the personnel screening requirement of ISO 27001:2013?
-
RTO and MBCO and MTPOD - Business continuity concepts
- What is the relation between RTO and MBCO and MTPOD?
- If my customer has 10 project people working and is looking for an RTO of 3 days, with MBCO of 40% on Day 1, 80% on Day 2 and 100% on Day 3, and MTPOD is 3 days, does that mean the RTO that I can mark as achieved during any simulation drill is met if I am able to provide 4 (40% of 10) associates within 24 hours, 8 associates within 48 hours of the crisis and all 10 associates within 72 hours of the crisis?
-
BIA: longest disruption time in BIA questionnaire
Greetings!
The BIA questionnaire in the 22301 Document Toolkit lists disruption periods of 2 hours, 4 hours, 24 hours, 48 hours and 1 week. There are some processes that, although fundamental to the company's operation, are prone by their nature to prolonged periods of disruption. And although a disruption of those for one week has been valued as 3 (high impact) by top management, the impact still wouldn't be catastrophic.
The question I have is: do I need to tweak the questionnaire to include longer periods of disruption, like 1 month, so that we actually define at what point the consequences are considered to become catastrophic for the company? Or can we leave them be, because they are still valued as 3, so non-acceptable by nature, so it doesn't really matter whether it's 3 or 4, and the Business Continuity Strategy wouldn't change because of that?
-
Course supporting material
ISO 27001:2013 Lead Implementer Course, Module 9 - Implementation of a management system, "Introduction & suggested reading" points to https://advisera.com/14001academy/knowledgebase/deciding-which-procedures-to-document-in-the-ems/. What is the corresponding ISMS document, and can someone update the link on the course module?