ISO 27001 & 22301 - Expert Advice Community




  • IS Incident Management Procedures

    Hi Dejan, I am actually drafting some ISO 27001 mandatory procedures. Regarding the Information Security Incident Management Procedures, I have noticed that there are 3 procedures: - Reporting IS weaknesses & events - Responding to IS reports - Collection of evidence. Can I describe all these procedures in one general procedure "Information Security Incident Management Procedure", or should I build each procedure separately? What is the most convenient? Thanks in advance
  • ISO 27001 Lead Auditor training

    I am planning to go for an ISO 27001 course, and I need some help with it. When I searched for a training center, some training centers were IRCA certified and some were TUV accredited. So I am just confused about which one to prefer?
  • 9001 & 27001

    Dear Dejan, if a company already has 9001, should I add any comment about 27001 into the quality policy? And which documents will be related? By the way, I already read your great article about 9001 and 27001, but some subjects are still vague for me. Thank you for your great support
  • Using the results from BIA Questionnaire for calculating MTPD

    I've received this question:

    In the following example on BIA, MTPD:

                                                   2 hrs  4 hrs  24 hrs  48 hrs  1 week  2 weeks
        a. Impact on people, health & safety         1      1      1       1       2       3
        b. Impact on environment                     1      1      2       3       3       3
        c. Impact on reputation                      1      1      1       2       2       3
        d. Impact on service performance delivery    1      1      2       2       3       4
        e. Business impact                           1      1      2       2       3       4

    1 = marginal impact, 2 = acceptable impact, 3 = high impact, 4 = catastrophic impact

    MTPD = 36 hours (?) – this will be used to work on RTO with consideration also on dependencies. What about the rest of the MTPD under the other items, a, c, d, e? Are they taken into consideration with the overall MTPD?

    Answer: Yes, judging from this BIA Questionnaire, MTPD for this activity will be between 24 hours and 48 hours because in question b. this is where the assessment "3" has appeared for the first time. Whether it will be closer to 24 hours or closer to 48 hours is a matter of discussion with the responsible person from this activity. The rest of the answers (a, c, d and e) are not relevant because they are not so time critical - you always have to take the answers that are the most time critical.
  • Is ISO 27001 risk assessment good enough for BCM?

    When the risk assessment for the BCM will be performed by the ISRM (Information Security Risk Management) Department according to ISO 27001, while the BCM department follows ISO 22301 and the GPG (Good Practice Guide), some adjustments are necessary. Isn't it?
  • Do I have to purchase ISO standard for the certification?

    Do I have to purchase the ISO Code of Practice to show the auditor at stage 1, or the requirements document?
  • Which documentation to show to certification auditor

    I would like to check with you: if we show all mandatory documents to the auditor, is it okay, or do we have to show all documents as mentioned in the toolkit?
  • risk assessment and controls

    For risk assessment, if I identify the threat and vulnerability but I have already applied a control, do I have to mention that risk? Example: asset (server), threat (no electricity), vulnerability (no UPS), but I already have a UPS. So do I have to add that record to the assessment table and put the likelihood "low"? Or will I not add it because there is no vulnerability?
  • Business continuity plan

    My manager asked me to build a Business continuity plan to ensure the continuity of the business "in the primary location", because the incident could be solved in that location and there is no need to switch to another location, by clustering or restoration, and another document, the "disaster recovery plan", to ensure the continuity of the business at the alternative site after the disaster. But the templates are all about disasters. How can I build the first document that will ensure the "Business continuity plan" in the primary location in the cases where the alternative site is not needed?
  • Making mistakes in documents because of an auditor

    One of my colleagues also told me to make some mistakes in the documents so the auditor should pick them; if everything is perfect, the inspector doesn't expect everything to be fine. Please suggest.