ISO 27001 & 22301 - Expert Advice Community


  • identification of applicable legislation

    Hello, One of the controls that needs to be implemented is 15.1.1 'Identification of applicable legislation'. How can we implement this, and what kind of document (procedure) shall we have to define the applicable laws and regulations related to information security? Many Thanks
  • MAO (Maximum Acceptable Outage) classifications

    We've received the following question: Question: "I would like more information on MAO classifications. Does 22301 require the use of "MAO by Activity" including, Marginal Impact, Acceptable Impact, High Impact and Catastrophic Impact?" Answer: Yes, ISO 22301 requires the use of MAO (Maximum Acceptable Outage) for each activity when conducting the Business Impact Analysis. The classifications Marginal Impact, Acceptable Impact, High Impact and Catastrophic Impact are suggestions, not mandatory; other classifications and different levels can be used. Classifications should be used in conjunction with the duration of the outage. A possible approach would be: you define a table with time durations, e.g. (2 hours; 4 hours; 8 hours; 24 hours; 48 hours and 1 week) in columns, and rows with some questions that could reflect the impact of the outage for each time duration. Then fill the answers in each intersection with the impact classification below the time duration. Example questions: How will your clients react to a disruption? What will be the impact on other activities? How difficult will it be to catch up on the backlog of work? etc. So with this approach you can address the MAO requirement for each activity. You can also have a look at the following link: Benefit of performing BIA for a single department https://community.epps.eu/forum/iso-27001-iso-22301-suppor********************************************************* Hope it helps. Thanks
  • Scope definition on customer assets

    We've received the following question: "We are running network and operation services (Network Service Desk) for clients. But I want to certify only my Network Service Desk for ISO 27001. Do all information assets, including servers and applications belonging to clients, come under scope, or only those assets which are required to support the Network desk service from my office premises?" Answer: The scope shall include assets and facilities you control and/or need to provide your services. In your particular case, since the customer assets are not in your premises and you do not have complete control over them, you should not include them in the scope. But you include in scope the information you need to access those customer assets. Hope it helps. Thanks
  • Risk Owner and Asset Owner

    We've received the following question: "I also would like to ask you about the asset owner and risk owner concepts in 27001:2013. Do you know any cases when the asset owner and risk owner are not the same person? Would you elaborate a bit on this? And can I assign this ownership at a top level? For example to deputy CEOs only? What is the risk?" Answer: According to the 2013 version, you need to identify risk owners for each of your risks, but you still need to identify ownership for your assets as requested in A.8.1.2. Asset ownership is closer to operational control, and risk ownership is more in relation to business risk. Answering your question, yes, you can have different owners for assets and risks. With the new Risk Owner concept the responsibility is pushed to a higher level, which means that the Deputy CEO is a good candidate. But you should explain the concept and get the approval from top management on the best owner for each risk. Please have a look at the following: https://blog.iso27001standard.com/2013/10/14/how-to-make-a********************************************************** Hope it helps. Thanks
  • Leaving belongings on the entrance

    We've received the following question: "...Company will implement ISO27001 and we must leave our mobile phone in a box with a key ...We must also leave jackets, home keys, mobile, documentation and all of this in the box. What does ISO27001 say about this?" Answer: ISO 27001 does not specify those particular requirements. Your company can implement those procedures as security measures if they think there is a realistic need, but by doing so they must be compliant with your local legislation. Thanks
  • Introducing ISO 22301 to Top Management

    What are the critical areas/aspects in ISO 22301 that the Executive should be made aware of when introducing them to this standard? Bear in mind there is a mix of appreciation of BCP amongst the senior team....
  • Records of training, skills, experience & qualifications

    We've received the following question: "...What do we actually look for in terms of evidence for Records of training, skills, experience & qualifications (7.2 in ISO 27001:2013)?" Answer: Regarding training and skills, you should look at the training certificates, their duration, and their content. For experience, you should look at customer reference letters for activities provided by employees. Regarding qualifications, you should look at the academic qualifications and certifications. Training, skills and qualification records shall be in accordance with each role profile. It is common to find those records as part of the employee process in the Human Resources Department.
  • Roles and Responsibilities

    Is there a Template for the document "Definition of Security roles and responsibilities?"
  • ISO 27001:2006

    We've received the following question: "... ISO 27001 certificate was produced against ISO 27001:2006, can't find any reference to this standard. Could you provide some context? Is this different from the 2005 version?" Answer: The official ISO 27001 standard issued by ISO/IEC (the International Organization for Standardization (ISO) and the International Electrotechnical Commission) was published in 2005, but some countries made their own publication of the standard, usually translated into the country's language. Each member country of the ISO committee has a National Standardization Organization, and perhaps the standard you are referring to is a national version of the standard issued in 2006. If you are certified in ISO 27001:2006, it seems that you are certified against a national standard based on ISO 27001:2005. Both versions should be the same. Thanks
  • Controls in Statement of Applicability

    We've received the following question:
    ".... for the transition to ISO 27001:2013, my plan aims to have all done in one year, but my boss is looking for a reduction of the number of controls selected as applicable. I would like to confirm my ideas: all controls selected in the risk assessment are the ones in the SoA. Is this true?"
    Answer:
    "It is true that risk assessment and treatment determines which controls will be selected as applicable in the Statement of Applicability, however your top management must decide which is the acceptable level of risk.
    Therefore, if they set the acceptable level of risk lower, this means that you won't have to implement some of the controls because the related risks will be acceptable. This also means your top management will be responsible if these risks materialize, which is usually not a very wise decision.
    Having said that, the SoA shall include at least all the controls from Annex A, whether applicable or not. Justification must be included for the controls that are not applicable. The justification for not applicable controls is based on the risk that your organization is assuming, and your top management must be aware of that during the external audit. The auditor needs to be convinced by the justification you provide for each excluded control. For each control in the SoA, it needs to be identified which risk or risks it applies to.
    If you are interested in learning more on Statement of Applicability, see this article: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/"
    Thanks