ISO 27001 & 22301 - Expert Advice Community

  • ISO 27001:2006

    We've received the following question: "... ISO 27001 certificate was produced against ISO 27001:2006, can’t find any reference of this standard. Could you provide some context, is this different from 2005 version?" Answer: The official standard ISO 27001 issued by ISO/IEC (International Organization for Standardization (ISO) and the International Electrotechnical Commission) was published in 2005, but some countries made their own publication of the standard, usually translated into the country's language. Each country member of the ISO committee has a National Standardization Organization, and perhaps the standard you are referring to is a national version of the standard issued in 2006. If you are certified in ISO 27001:2006, it seems that you are certified against a national standard based on ISO 27001:2005. Both versions should be the same. Thanks
  • Controls in Statement of Applicability

    We've received the following question:
    ".... for the transition to ISO 27001:2013, my plan aims to have all done in one year, but my boss is looking for a reduction of the number of controls selected as applicable. I would like to confirm my ideas: all controls selected in the risk assessment are the ones in the SoA. Is this true?"
    Answer:
    "It is true that risk assessment and treatment determine which controls will be selected as applicable in the Statement of Applicability; however, your top management must decide what the acceptable level of risk is.
    Therefore, if they set the acceptable level of risk lower, this means that you won't have to implement some of the controls because the related risks will be acceptable. This also means your top management will be responsible if these risks materialize, which is usually not a very wise decision.
    That said, the SoA shall include at least all the controls from Annex A, whether applicable or not. A justification must be included for the controls that are not applicable. The justification for not-applicable controls is based on the risk that your organization is assuming, and your top management must be aware of that during the external audit. The auditor needs to be convinced by the justification you provide for each excluded control. For each control in the SoA, it needs to be identified which risk or risks it applies to.
    If you are interested in learning more on the Statement of Applicability, see this article: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/"
    Thanks
  • Risk Management Methodology 27001:2013

    What is the good practice for formulating a risk assessment? According to the new version, risk assessment now refers to ISO 31000; however, can we still use other methodologies such as NIST or 27005? Thanks
  • ISO 27031 vs ISO 22301

    I am starting a BCP/DR effort here. I have not seen ISO 27031. Our implementation would be mostly around a SaaS cloud services environment. We just passed our ISO 27K Stage 2 audit. Should I use ISO 22301 or ISO 27031 for BCP/DR guidance? Is there much difference between the two docs?
  • Documented information by organization as being necessary for effectiveness of the ISMS

    We've received the following question:
    About clause 7.5.1, what is the meaning of "documented information by organization as being necessary for the effectiveness of the ISMS"?
    Answer:
    ISO 27001 version 2013 reduced the number of mandatory documents in the ISMS, compared with the ISO 27001:2005 version. But, from an experienced ISMS management point of view, further documentation is required in order to help the ISMS implementation and management. The required documentation may differ from one organization to another depending on size, type of activity, products, services or processes.
    Here you can find some examples of additional documentation beyond the mandatory documentation of the standard: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    As a personal experience I can share that, to address A11.1 Secure Areas, I usually promote the usage of facility layout maps using a color code identifying the different security perimeters, and the definition of policies, processes and procedures in accordance with the security perimeters. This is not required, but it is very useful for the organization.
    Hope it helps
  • To have or not have a Disaster Recovery Plan

    If I have an HA architecture for my database between the primary datacenter and the secondary datacenter, and if I had a problem with the first node of the primary datacenter, then the second datacenter should take over, providing the service without disruption for the customer. I understand that we must have a DRP for when we have a disruption of IT services that affects the business in its critical processes. Therefore, in the last example we won't have a DRP plan, yes or no? I believe not, because the failover process will be automated thanks to HA technology. The technology is doing the DRP plan to avoid human recovery.
  • ISMS Implementation using ISO 27001 version 2005 or 2013

    In order to start with a new ISO 27001 implementation, can it make sense to begin using the old 2005 methodology and then migrate to the 2013 set of controls? My question is due to the fact that it can be easier to perform analysis and checklists in the old and well-known way, instead of learning the new method from scratch. During the conversion phase, analysts can gain more confidence with the new standard and with its differences from the 2005 release ....
  • Preparation plan as part of Business continuity strategy

    In the Preparation plan template, there is one column on the method for evaluation of results, and I would need your advice on what would be the recommended/suitable methods for the evaluation of results.
  • Quantity and quality of ISO 27001 documentation for certification audit

    I have a question about the ISO 27001 certification process. I got the list of mandatory documents and records. However, I want to know your feedback regarding the certification process. Could a certifier evaluate the quality of these documents and records? Or does he only evaluate the completeness and quantity? I have always had this question. Does the process require both things? What should I take into consideration for this process?
  • Query regarding Server access and related Risks

    Hi, one of our customers is asking for access to a server in order to access source code. Our Networks team suggested opening port 22 to give access to the servers. I wanted to understand the risks of this approach, and whether it is good practice to give access to source code.