ISO 27001 & 22301 - Expert Advice Community


  • RTO and MBCO and MTPOD - Business continuity concepts

    1. What is the relation between RTO and MBCO and MTPOD?
    2. If my customer has 10 project people working and is looking for an RTO of 3 days, MBCO is 40% on Day 1, MBCO is 80% on Day 2, and MBCO is 100% on Day 3. MTPOD is 3 days. So, does that mean the RTO that I can mark as achieved during any simulation drill will be if I am able to provide 4 (40% of 10) associates within 24 hours, 8 associates within 48 hours of crisis and all 10 associates within 72 hours of crisis?
  • BIA: longest disruption time in BIA questionnaire

    Greetings!

    The BIA questionnaire in the 22301 Document Toolkit lists disruption periods of 2 hours, 4 hours, 24 hours, 48 hours and 1 week. There are some processes that are, although fundamental in the company's operation, prone by their nature to prolonged periods of disruption. And although disruption of those for one week has been valued as 3 (high impact) by the top management, the impact still wouldn't be catastrophic.

    The question I have is: do I need to tweak the questionnaire to include longer periods of disruption, like 1 month, so that we actually define at what point the consequences are considered to become catastrophic for the company, or can we leave them be, because they are still valued as 3, so non-acceptable by nature, so it doesn't really matter whether it's 3 or 4, the Business Continuity Strategy wouldn't change from that?

  • Course supporting material

    ISO 27001:2013 Lead Implementer Course, Module 9 - Implementation of a management system, Introduction & suggested reading - points to https://advisera.com/14001academy/knowledgebase/deciding-which-procedures-to-document-in-the-ems/ - what is the corresponding ISMS document and can someone update the link on the course module?

  • Annex A Policies list

    May I know please why the policies list inside the 08_Annex_A_Security_Controls folder is not listed under 3.2 Project Results in the Project Plan document?

  • ISO 27001 helping in implementing ISO 22301

    We have worked in ISO 27001 and we see a preference of one of our clients for ISO 22301. What can we rescue from the 27001 that contemplates the 22301?

  • Ways to define ISMS scope

    What are the concrete methods and ways to define a good ISMS scope and what steps need to be taken while identifying the risk and while writing the policies itself?

  • Position and Function of an information security specialist

    I would like to know the position/function that a graduate in information security can play and if ISO 27001 has a requirement in this regard.

  • SaaS products

    I was wondering if you had previous comments on scoping ISO 27001 for SaaS products.

    Say a company is in the business of providing SaaS cloud-based solutions, with developers in house utilizing cloud infrastructure, what would ISO 27001 certification look like? The processes/datacenter used for the development of the SaaS application is ISO 27001 certified? The product might have multiple releases, so stay away from calling out product as scope? And focus on people, process, site and dev, test, prod environments as scope?
    And if the products are from multiple locations?

  • Filling templates

    A quick question as I am writing my company templates.

    1. Document Owner, Document Approver, and Document Reviewer: are they normally the same person?
    2. When should the name be noted and when the role/dept.? (want to make dropdowns)
    3. Should Owner, Approver, Reviewer… all be on the document? Or only author and owner?
  • A.7.3 Human Resource Security

    I have been going through the documentation but it seems to be incomplete. I started looking at Human Resource Security and it appears that A.7.3 is missing? It is listed in the Statement of Applicability but missing from the document area A.7 (A.7.1 and A.7.2 are there, but not A.7.3). I haven't checked other areas as yet but are there likely to be other gaps?