Difference between Risk Treatment Plan and Risk Assessment Report
I understand the difference between the Risk Assessment and Treatment plan V the Risk Treatment Plan but what is the difference between the Risk Treatment Plan and Risk Assessment Report
10.8.5 Business Information systems
I would like to know how to implement the control 10.8.5 Business Information Systems, is there any procedure that we should create, is it about the interconnection (data exchange) between systems?
Questions about ISO 27001 & ISO 22301 Premium Documentation Toolkit
First and foremost I was thinking there would be a separate templates solely for ISO 22301 instead of what I have now as the ISO 27001 control BCP templates.
ISO 27001 - must you implement all the 133 controls?
I would like to do next question about ISO27001. when you are developing ISO 27001, must you be implementation all controls of ISO 27001?, the 133 controls?...or only the controls that apply?
Risk analysis tool
Could you tell me if you use a risk analysis tool? Which? could you recommend me some? Has anyone used PILAR maybe??
Preventive actions in ISO 27001
The old version of the std was referring to preventive actions and the new one no longer (chapter 10).
Clause to requires status of control in 27001:2013 SOA
I am not sure whether in the new 27001:2013 SOA really required status of each control instead of just yes or no in 2005; Where is the cause in standard state that we need to add "status of implementation" in 27001:2013 SOA? Thank you
Does the scope exclusions allow in 27001:2013
Does the scope exclusions still allow in 27001:2013's scope?
In "IRCA Technical Review Briefing Note ISO 27001"
Page 6 4.3 say that no exclusions allow
Thank you very much
Risk Acceptance Criteria and Residual Risk
I have a question if you can help me. I'm establishing the Risk Methodology and I have established the risk levels and the Risk Acceptance Criteria, my question is: the residual risk is explicity in the risk acceptance criteria?? Or how I can establish the Residual Risk in my methodology? and its treatment??
Thank you so much
Which are better ways to test the BCP?
I have to comply with ISO 27001 requirements related with BCP, and one of this requirements is to test every year the plan, my doubt is the following: In big organizations with thousands of people and a lot of locations, which are the better ways to test the BCP, as far as I know it could be tested through real test, walkthrough and checklist... Which one is better?