ISO 27001 & 22301 - Expert Advice Community

  • ISO 22301 toolkit - audit procedure

    With the help of the ISO22301 documentation set from Advisera, I am currently preparing an internal audit procedure for the business continuity management system. The checklist includes the following questions: 6.1 Has the organization identified the risks and opportunities relating to the effectiveness of the management system? 6.1 Does the organization plan to deal with the identified risks and opportunities? 6.2 Are the business continuity objectives measurable; are they monitored and updated? 6.2 Are there steps to achieve goals, responsible persons, deadlines, necessary resources? In which documents from the ISO22301 package does the organization address these questions and meet the requirements of clause 6.1 and 6.2 of the standard?
  • 10.3 Appendix 3 Internal Audit Checklist

    I'm currently working on the 10.3 Appendix 3 Internal Audit Checklist, which contains both an ISO 27001 checklist and an ISO 22301 one. I haven't been working with ISO 22301 at any time throughout this project. Is it best practice to audit for 22301 even though this isn't a standard we've paid any attention to? Or should I just delete it from the checklist? After all, it's just a template. I guess I should just remove the ISO 22301 part from the document, but I just wanted to make sure that an auditor does not expect this part as well.
  • Key management template

    In the toolkit purchased, there is no policy template for control A.10.1.2 (Key management). I would appreciate it if a document were provided. Thank you.
  • Vendor security clauses

    One question – the vendor security clauses indicate a bunch of items that need to be included in the vendor agreement.  Do you have a template/example of an agreement that I can red-line with all of the relevant clauses included?
  • Question about BIA form

    We started with ISO 22301 based on the documentation we received from you. I have a couple of doubts about filling out the BIA forms. Do you perhaps have a sample filled-out form? Some fields are not clear to me, and I do not have any instructions for filling in the form itself.
  • Define Locations if all staff are remote

    I am unsure how to define/explain a location if all staff are working from home in the Scope. Would you simply state locations as 'Various remote locations' or something different?
  • Scope definition

    Hi Dejan, thank you for the Webex on Defining the Scope yesterday. It was very informative. I raised a question about defining the Scope if you are an MSP and the Cloud and Infrastructure is shared, and you said you would ask your team and get back to me. To summarise, I've tried to explain the question a bit more clearly below. We established that customers are interested parties in the ISMS. I understand that. My question is: what if you then share the underlying infrastructure, for example a physical server that is running a virtual machine that the MSP owns and a virtual machine of the customer? The MSP has a responsibility to the customer, as defined in the contract, to keep the virtual machine that resides on that physical server available. Then, as far as the MSP is concerned with regards to ISO 27001, the physical server will be within scope as it is MSP owned, along with the virtual machine that resides on the physical host, because it is MSP owned. This means the MSP has a physical host and a virtual machine that are in scope, but the virtual machine that belongs to the customer is out of scope, since it is only the MSP and not the customer that is looking for certification. In addition, the MSP can't be responsible for certifying all its customers. So how do you define the Scope in this situation? The customer virtual machine and the MSP virtual machine on the same physical host are separated logically. I've also been looking at your Conformio product. The problem we have is that, given the nature of our business (MSP / ISP), I think we would need some additional support, more so than just email: someone who understands our business and whom we can speak to to ask questions. A combination between a consultant and your product. Do you offer anything like this? Would there be an opportunity to work something out with Advisera to achieve this that meets our needs? Thank you. P.S.: I found your book Secure and Simple, along with your website, very helpful and well written. So thank you for that.
  • Question on ISO 27001

    I do indeed have a very specific question that I cannot answer, and I cannot find the right articles in ISO 27001. I am having a pretty hard discussion with a supplier who will not send us Service Tickets to our Service E-Mail, but only to dedicated persons. His rationale is this: "ISO 27001, Annex A9.2.1 requires user IDs to be restricted to real people so that these accesses can be restricted and logged." It is just that I do not have ANY clue what he is referencing. In my opinion, 27001 Annex A 9.2.1 states the following: 9.2.1 Registration and deregistration of users. Measure: A formal process for the registration and deregistration of users is implemented to enable the assignment of access rights. Can you help me, and do you maybe know what he is referring to?
  • CMMC guidance

    What I am looking for now is guidance regarding CMMC, and how registrars and auditors can become CMMC certified. Any direction that you can provide along these lines would be greatly appreciated.
  • Operational Security Objectives

    We are confused about this section, "Decreasing or Increasing": what if we don't have any incidents for the year? We can't decrease it. We don't have ISO yet and haven't had issues with onboarding customers; would it help in increasing revenue?