ISO 27001 & 22301 - Expert Advice Community

  • Risk Management Methodology 27001:2013

    What is the good practice to formulate a risk assessment? According to the new version, risk assessment now refers to ISO 31000; however, can we still use other methodologies such as NIST or 27005? Thanks
  • ISO 27031 vs ISO 22301

    I am starting a BCP/DR effort here. I have not seen ISO 27031. Our implementation would be mostly around a SaaS cloud services environment. We just passed our ISO 27K Stage 2 audit. Should I use ISO 22301 or ISO 27031 for BCP/DR guidance? Is there much difference between the two docs?
  • Documented information by organization as being necessary for effectiveness of the ISMS

    We've received the following question:
    About clause 7.5.1, what is the meaning of "documented information by organization as being necessary for the effectiveness of the ISMS"?
    Answer:
    ISO 27001 version 2013 reduced the number of mandatory documents in the ISMS, compared with the ISO 27001:2005 version. But, from an experienced ISMS management point of view, further documentation is required in order to help the ISMS implementation and management. The required documentation may be different from one organization to another depending on size, type of activity, products, services or processes.
    Here you can find some examples of additional documentation to the mandatory documentation of the standard: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    As a personal experience I can share that to address A11.1 Secure Areas I usually promote the usage of facility layout maps using a color code identifying the different security perimeters, and the definition of policies, processes and procedures in accordance with the security perimeters. This is not required but it is very useful for the organization.
    Hope it helps
  • To have or not have a Disaster Recovery Plan

    If I have an HA architecture for my database between the primary datacenter and the secondary datacenter, and if I had a problem with the first node of the primary datacenter, then the second datacenter should follow, giving the service without disruption of services for the customer. I understand that a DRP must be done for when we have a disruption of the IT services that affects the business in its critical processes. Therefore, in the last example we won't have a DRP plan, yes or no? I believe not, because the failover process will be automated thanks to HA technology. The technology is doing the DRP plan to avoid the human recovery.
  • ISMS Implementation using ISO 27001 version 2005 or 2013

    In order to start with a new ISO 27001 implementation, can it make sense to begin using the old 2005 methodology and then migrate to the 2013 new set of controls? My question is due to the fact that it can be easier performing analysis and checklists in the old and well-known way, instead of learning the new method at all. During the conversion phase, analysts can gain more confidence with the new standard and with its differences from the 2005 release...
  • Preparation plan as part of Business continuity strategy

    In the Preparation plan template, there is one column on the method for evaluation of results, and I would need your advice on what would be the recommended/suitable methods for the evaluation of results.
  • Quantity and quality of ISO 27001 documentation for certification audit

    I have a question about the ISO 27001 certification process. I got the list of mandatory documents and registers. However, I want to know your feedback regarding the certification process. Could a certifier evaluate the quality of these documents and registers? Or does he only evaluate the completeness and quantity? I have always had this question. Does the process want both things? What should I take into consideration for this process?
  • Query regarding Server access and related Risks

    Hi, one of our customers is asking for access to a server to access source code. Our networks team suggested opening port 22 to give access to the servers. I wanted to understand the risks with this approach, and whether it is good practice to give access to source code.
  • Is clause 7.2 Competences of personnel mandatory in ISO 22301?

    I have been reading your book "Becoming Resilient. ISO 22301..." and I am enjoying it, but I have a doubt: Why is clause 7.2 Competences of personnel in the List of mandatory documents? I believe clause 7.2 is non-mandatory because it is within the Awareness and Training Plan. I checked it, and clause 7.2 is also in the non-mandatory list. What is the reason for this clause being in two lists?
  • ISMS scope in Quality Manual

    Should the ISMS scope have its own document, or can it be combined with the quality manual if ISO 9001 has already been implemented?