ISO 27001 & 22301 - Expert Advice Community




  • BIA questionnaire

    Hello Dejan, What's the objective of the "Time after which the resource is necessary" in part 2 (Resources required for recovery)?
  • How to implement all policies and procedures for stage 2

    I've received this question: We have passed Stage 1, Could you please suggest how to implement all policies and procedures for stage 2 and what exactly they check on Stage 2. Answer: At Stage 2 audit, the certification auditors will check if you really operate according to your policies and procedures - so for example if you have written that you will perform backup every 2 hours, then the auditor will check if this is really done so. So the answer to your question is: you have to observe all the rules you have documented.
  • Change in risk assessment methodology in ISO 27001:2013

    In the new ISMS Standard, is there any change in the methodology of calculating Risk to be adopted?
  • Process approach in ISO 27001:2013

    ISO 27001:2013 is said to no longer use the process approach. Based on that, does it mean that the ISMS is to apply to the whole organization, or can I continue implementing an ISMS for a specific company process as long as I define (as always should be) the scope where I will deploy it?
  • Reasonable prices for ISO 27001:2013 and ISO 27002:2013?

    I saw on the ISO website that these two standards have been published. Could you please tell me where can I purchase/ receive copies for my personal reference at reasonable prices. ISO offers them at exorbitant prices…
  • Appendix_List_of_Statutory_Regulatory_Contractual_and_Other_Requirements_EN

    How specifically is this list used? I am having a difficult time trying to ascertain what should be listed?
  • IS Incident Management Procedures

    Hi Dejan, I am actually drafting some ISO 27001 mandatory procedures. Regarding the Information Security Incident Management Procedures, I have noticed that there are 3 procedures:
    - Reporting IS weaknesses & events
    - Responding to IS reports
    - Collection of evidence
    Can I describe all these procedures in one general procedure, "Information Security Incident Management Procedure", or should I build each procedure separately? What is the most convenient? Thanks in advance
  • ISO 27001 Lead Auditor training

    I am planning to go for ISO 27001 course, and I need some help in it. When I searched for a training center, some training centers were IRCA certified and some were TUV accredited. So, just confused on which one to prefer?
  • 9001 & 27001

    Dear Dejan, if a company already has 9001, should I add any comment into the quality policy about 27001? And which documents will be related? By the way, I already read your great article about 9001 and 27001, but some subjects are still vague for me. Thank you for your great support
  • Using the results from BIA Questionnaire for calculating MTPD

    I've received this question: In the following example on BIA, MTPD:

    MTPD                                        2 hrs  4 hrs  24 hrs  48 hrs  1 week  2 weeks
    a. Impact on people, health & safety          1      1       1       1       2        3
    b. Impact on environment                      1      1       2       3       3        3
    c. Impact on reputation                       1      1       1       2       2        3
    d. Impact on service performance delivery     1      1       2       2       3        4
    e. Business impact                            1      1       2       2       3        4

    1 = marginal impact, 2 = acceptable impact, 3 = high impact, 4 = catastrophic impact

    MTPD = 36 hours (?) – this will be used to work on RTO with consideration also on dependencies. What about the rest of the MTPD under the other items, a, c, d, e? Are they taken into consideration with the overall MTPD?

    Answer: Yes, judging from this BIA Questionnaire, MTPD for this activity will be between 24 hours and 48 hours because in question b. this is where the assessment "3" has appeared for the first time. Whether it will be closer to 24 hours or closer to 48 hours is a matter of discussion with the responsible person from this activity. The rest of the answers (a, c, d and e) are not relevant because they are not so time critical - you always have to take the answers that are the most time critical.