Now I'm in the Statement of Applicability, but I have some doubts about it. For example, who has to fill in the information of the SoA: the CISO or the departments involved? For example, are the controls of item A.7 Human Resource Security filled in by the Human Resources Department? And is it necessary to establish the maturity level of those controls?
Glossary of Terms about BCP
I want to know where I can find a list of terms ... as a glossary for training.
Why does Annex A folder in the Toolkit include A.6-A.16 and not A.1-A.5?
Is there a reason why A.1 through A.5 are not included in the folder?
Project Planning - do the calculator results include implementation time for all of the selected controls?
The calculator estimated that my project would take 26 months based on my organization. Does that estimate include implementation time for each control selected as part of the Risk Treatment Plan, or is it just the time from project start to creation of the Risk Treatment Plan?
This is my first ISO 27001 project, but I have significant Information Security experience, and if it is "just" the time required to identify assets, assess risk, and build the plan for the control environment, then 26 months seems very long (I would estimate 6-9 months only).
Statement of Applicability for network security
Within ISO 27001 we have an SoA which states the controls for IS. Does an SoA for network security exist?
Narrow ISMS scope and an Information Security policy for the whole organization
We are working towards the transition to ISO 27001:2013, but they are having problems trying to understand this: we are writing a new Information Security Policy to be used for the whole organization, but I would like to keep the ISMS scope just for one system, the one that is required to be certified to ISO 27001. Is this possible? Can we have a narrow ISMS scope but an Information Security policy for the whole organization? The SoA is extended to include all controls in Annex A; here is my problem: I would like to keep the SoA aligned with the scope, and they want all controls marked as applicable even if they are not used in the system in the scope.
What will the ISO 22301 certification auditor check?
When I want to certify my company to ISO 22301, will the auditor check only the mandatory documents (Appendix B of your book) or the total list of documents (mandatory and non-mandatory)?
What does RTO mean?
We've received the following question:
#1. The Recovery Time Objective (RTO) is the maximum amount of time within which an activity needs to be resumed at the MBCO level (Minimum Business Continuity Objective), or
#2. The Recovery Time Objective (RTO) is the maximum amount of time within which an activity needs to be resumed at full capacity.
The recovery time objective is the target time set for resumption of product, service or activity delivery after an incident. RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy, so this means that option #1 is the correct one.
How to document System Secure Engineering Principles
We've received the following question:
I want to know how to document System Secure Engineering Principles. What is the content for that?
System Secure Engineering Principles refers to the set of security techniques in all architectural layers (business, data, applications and technology) you are using in your organization. Those principles shall be documented in a policy and regularly reviewed.
As an example, you should look at the Software Development Life Cycle phases and define the set of security techniques in each phase:
- Project initiation and planning;
- Functional requirements definition;
- Systems design specifications;
- Build (develop) and document;
- Transition to production (installation).
This set of considerations shall also be applied to outsourcers where applicable, using contracts and other binding agreements between the parties.
Hope it helps
How much of business continuity to implement in ISO 27001
I've received this question: When implementing ISO 27001, how deep do we have to go in Business Continuity (16)? Is it the same as implementing a whole Business Continuity Project, or something lighter?
Answer: When implementing business continuity according to ISO 27001, you could implement a "lighter" version that would focus only on developing a disaster recovery plan (for recovering your IT infrastructure), and a recovery plan for your information security functions. This means you do not have to implement the whole business continuity project according to ISO 22301.
However, I would argue that it would make much more sense to implement a full business continuity project according to ISO 22301 as part of your ISO 27001 project - this is because of the following:
1) This would add perhaps only 10% of additional effort to your ISO 27001 project
2) You would implement two standards (both ISO 27001 and ISO 22301) with only little additional cost
3) You can ensure the continuity of your business operations only by doing this full business continuity project - complying with the minimum that is set in ISO 27001 wouldn't be enough.
You can find out more in this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar/
By the way, ISO 27001:2013 defines the controls for business continuity in Annex A, section A.17.