In my opinion, in addition to the four documented procedures which you had mentioned, an organization shall document and implement controls needed for the identification, storage, protection, retrieval, retention and disposition of records. While elaborating the controls, it will become mandatory to document the activities, responsibility, authority, time frame etc. Eventually it results in documenting and implementing a procedure for control of records.
Is the latest 2013 revision of ISO 27001 finalized?
Can you please tell me if the latest revision of the standard is finalised? If yes, should a company that wishes to implement an ISMS follow the latest revision, i.e. ISO 27001:2013, or the old one?
4 questions related to ISMS
1) Is the ISMS Manual required for the certification? Can you add clauses for the ISMS in the existing IMS Manual?
Performing risk assessment for both ISO 27001 and ISO 22301
How can I perform a risk assessment for ISO 27001 and ISO 22301? Should I perform this separately?
Responsibility for identification of requirements
About "Procedure for Identification of Requirements": who usually in small companies is responsible for identification of requirements and interested parties: the COO, the CISO, or someone else?
Benefit of performing BIA for a single department
Could you please tell me the benefit of performing a BIA for a single department using the documentation template? I'm trying to perform a BIA for all departments, but some areas cannot be covered in the new sheet.
Statement of Applicability/Annex A Documents
Currently I am working on the Statement_of_Applicability document to properly fill out the different sections, and more specifically the A.15 Supplier relationships area. In the Scope document, we specifically excluded suppliers for the initial certification process, but we fully intend to revisit that process at a later date.
Knowing that "Suppliers" are excluded from the scope, how would we specifically approach the Internet Service Provider, Firewall Management Vendor, service agreement vendors, and point-to-point network connectivity services to our DR and satellite office in another city? Would we exclude these external services/outsourced processes, or include them but specifically include the particular vendors for Information Services, as this is our main focus for the initial certification?
Suppliers to a container shipping company, such as ourselves, would include any equipment, supplies, and maintenance products for our vessels and offices acquisitioned through our corporate purchasing department or overseas in various ports around the world, so I wanted to see if and where the line would be drawn in the proverbial "sand".
Thanks in advance for the assistance.
List of legal, regulatory and contractual requirements
Should the list of legal, regulatory and contractual requirements cover the whole organization or just the security function? Or IT and security?
When identifying risks, do we have to take into account those risks that are obvious and are already solved? For example:
- an electricity cut, if the organization already has a generator that starts automatically?
- disk backup, if it connects automatically?
- an internet cut, if we have two providers and when one has problems we use the other one?
Steering committees for a smaller company
Is it OK to combine the ISMC (information security management committee) with the ITSC (IT steering committee) in one document, as the company is small?