Buy the ISO 27001 Documentation Toolkit and
get the ISO 27001 standard in PDF
get the ISO 27001 standard in PDF
for free
Limited-time offer – valid until October 31, 2020
Could you please clarify the mapping between Asset value “CIA “ and the information classification because is not clearly defined in the Advisera asset classification page and we have to mentioned a mapping in the information classification policy.
The link between CIA and the information classification.
Thank you for your generosity . There are 4 questions after I finished "ISO 27001 Risk Management in Plain English" and I will appreciate if you respond them:
1- Should we bring any possible risk and treatment? what about some risks we do not consider (and consequently no treatment for them)? for example if we do not bring cloud security , (but it is really a risk in our company) , will auditor make it as misconformity or since we have not brought it in our consideration , he will not consider it as misconformity?
2- should we include some assets which have money value but may not cause loss in confidentiality, integrity, and/or availability, e.g a laptop without valuable data?
3- There are some risks that have already been treated via some controls (existing controls). Should we bring them in our document but mention that they have already been treated, or we only bring risks that have not been treated?
4- will the Statement of Applicability be revised after the DO phase? (during CHECK phase)?
As ISO27001 states it is about protecting the confidentiality, integrity and availability of our information and data, all our Document Management Systems are in our ISMS scope. Therefore, I am struggling to understand why in the Procedure of Document and Records Control it only refers to documents and records as information and data are not just in documents and records. Information and data are also within content held on pages that we have on Confluence. So, in my mind, the Procedure for Document and Records Control should be the Procedure for Document, e-content pages and Records control.
I have chosen the use of e-content pages as a term here for the sake of creating something in the absence of knowing an alternative, but that may not be the most recognised/or best term to use. What would you propose? e-page? e-content page? information e-page?
My understanding is that information and data held within content on a Confluence page, is not a record as the information provided within the e-content on the Confluence page can be added to and edited. It is not a document as it is not in a recognised document format such as word, pdf, excel, PowerPoint.
I’m watching Advisera quite a while and keep trying to convince my management to get a funding for an ISO27K certification. In between there are some projects involving a TISAX certification requirement at the horizon. Looks like a great opportunity to build a business case. Well, as far as I learned TISAX adapts ISO27K by adding a strict scope and more required details, almost like IATF16949 vs ISO9K1. Do you have experiences, or, if not, would you be interested, in supporting a combined TISAX/ISO27K implementation? What kind of a budget does it need to get a ISO27K certification?
Looking forward to get some insight, thanks a lot in advance
1 - Can we take the ISO 27001 certificate with a master's degree in general management in organizational strategy and 4 months of experience as a business intelligence consultant?
2 - Can we work remotely as an aid in audit or iso 27000 implementation projects under these conditions?
1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to covid we no longer have a physical office, it may be that we never return to having one as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations.
For the purposes of ISO27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no because we are a SAAS company and your webinar on ISMS scope said that SAAS cloud companies did not need to look at HW or SW, just their data.
2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An imposter could in principle log on and get into our system. Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out. How would you actually enforce that with remote working? Perhaps a risk you chose to acknowledge but not do anything about as you can’t enforce a locked room in someone’s home. Not sure what other companies are doing on this point now that everyone is working from home.
Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.
What I am looking for is something that would help me draft law regarding disposal of assets
1 - A further point to the below on when a document can become a record.
This is the principle in the document change history section of documents, that I’ve been basing our document version control journey on:
V0.1, v0.2, v0.3, v0.4 = Drafts
V1.0 = Approved version based upon v0.4
V1.1, V1.2, V1.3 = Updates to the v1.0. Draft status.
V2.0 = Approved version based upon v1.3
V2.1, V2.2, V2.3, V2.4 = Drafts
V2.4 is reviewed and approved
V3.0 = New approved version.
I had thought that as soon as a document has approved status then it becomes a record. At that point the document which is now in the record log, is subject to the controls re assigning an owner that must check the content on a given review date to ensure that the information and data contained with the document is accurate, current and relevant.
From the advice you have given, I realise I have miss-understood what a record can be and also the control that applies to records. The above example of a document, from what you are saying, is not to be considered a record. However, the quality control still needs to take place to review all documents that have information and data in for their accuracy and relevance etc.?
2 - Records cannot be edited or amended and they have retention periods, whereas documents are only required up until the point that they are useful to the business. Therefore, all previous versions of documents can be archived or deleted. Is this a correct statement?
3 - A secondary point, is the above example of version control a good practice approach or am I leading our team down the wrong path?
In reference to Dejan Kosutic webinar "Developing business continuity strategy according to ISO 22301" i want to ask 2 questions.
When searching information about Business Impact Analisys I found the video material from PECB where tutor said that IT processes are not implement during BIA. Are you agree with this statement or we should analyse IT operational processes too?
Second thing. How to start BIA if we have about 200 processes in organisation? Is it necessery to go trough BIA template for everyone or there is a smart hint how to filter these processes before we get started?
May I ask if change management is required by ISO 27001? If yes, could you please share your resources with me?
