Search results


  • More information about the SOA


    Answer:
    I am sorry but I am not sure what you mean. Anyway, the SOA is an important document, and a mandatory document, in the implementation of ISO 27001. This document simply includes the 114 controls of Annex A of ISO 27001:2013, establishing the applicability of each control (and the justification of each applicability). If you need more information about the SOA, this article can be interesting for you “The importance of Statement of Applicability for ISO 27001” : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    And our online course can also give you detailed information about the SOA “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/

    Finally, our template can be useful for you to implement the SOA in your organization, so you can see a free version clicking on “Free demo” tab here “Statement of Applicability” : https://advisera.com/27001academy/documentation/statement-of-applicability/
  • Template for the context of the organization


    Answer:
    Yes, you can use our template for this (you can see a free version by clicking on the “Free demo” tab) “Procedure for Identification of Requirements” : https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/

    And this article can be also interesting for you “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Finally, our online course can be also interesting for you because we also give more information about the identification of interested parties “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Specific requirements about the qualifications of an internal auditor?


    Answer:
    There are no specific requirements about the qualifications of an internal auditor, but ISO 27001 requires the organization to select auditors to perform the internal audit. And generally, companies want - and need - auditors with experience and knowledge about ISO 27001.

    If the person is ISO 27001:2013 certified, I mean, is a Lead Auditor accredited by a company, it can be very good, but it is not mandatory, although you need to demonstrate your experience and knowledge, and for this a course can be a good option. For more information about the qualifications of an internal auditor, this article can be interesting for you “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    And our online course can also be useful for you, because it can help you to obtain all the necessary knowledge required for the internal auditor “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Best practice for residual risk?


    No - there is no best practice because each company needs to determine their acceptable level of risk based on the methodology, based on the industry they are in, based on the management intention, etc. This article may help you: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    However, I noticed some inconsistencies in your calculation of risk: asset value is basically the same thing as the impact, so you calculate the same value twice in your risk which is unnecessary; further, you calculate both likelihood and vulnerability, however vulnerability is (together with the threat) part of calculating the likelihood - again you have duplication.

    This article will help you with defining the formula: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • What if supplier refuses to apply security measures?


    Answer: This depends on your reaction - if you initiated certain corrective actions, for example: warning letter to the supplier, applying some penalties, searching for a new supplier, etc. then the certification auditor will see that you manage the situation. If you stay passive, then you will have a problem with the certification.
  • Initiating failover to the secondary site


    Answer:

    I'm not sure if I understood your question correctly, but your RTO has to be calculated in such a way to provide maximum time of disruption that you can sustain for particular system, process, or part of the company. Therefore, the moment that you get disrupted (i.e. the moment when the incident strikes), the clock for your RTO starts ticking.

    The point is - you have to be very careful if you calculate very short RTO like 30 minutes - what will be the cost to prepare to be able to achieve such short recovery time? Maybe it would be better to accept higher risk and decrease the costs.

    See also this article about calculating the RTO: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Project Plan

    That is probably a mistake because the project plan was in folder 00 in the previous version of the toolkit, so we probably delivered you the previous version of "How to start using the toolkit info". Thank you for the feedback.
  • Quality Policy

    No, this is not usually included in the Quality Policy, but it should be documented. Information about the scope and location is usually documented in the Quality Manual or in the document about the QMS scope. Here is the free preview of our document: Scope of the Quality Management System https://advisera.com/9001academy/documentation/scope-of-quality-management-system/
  • Difference between problem ticket and major incident


    Answer:
    A problem ticket is a record where all details about a particular problem are recorded. A problem has the task of finding out the root cause of one or more incidents (what caused them). On the other hand, a major incident is an incident (malfunction or unavailability of a service) with higher impact and urgency. Meaning, once the major incident is resolved, a problem will be opened in order to find the root cause and prevent future incidents (of that kind) from occurring.
    Learn more about this here:
    "ITIL and ISO 20000 Problem Management – Organizing for problem resolution" https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/
    "ITIL Problem Management: getting rid of problems" https://advisera.com/20000academy/blog/2013/08/05/itil-problem-management-getting-rid-problems/
    "Major Incident Management – when the going gets tough…" https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/
  • Questions on Risk treatment table


    Answer: You should copy only those risks that are not acceptable - if you're using our Risk assessment methodology, the risks with values 3 and 4 are not acceptable.

    And for certain risks, can we have same control? Like I have few assets with the risk of Disclosure/Leakage of Information, can I apply Confidentiality or disclosure agreements control for that risks?

    Answer: Sure, you can apply some controls for several risks, while other controls will be applied only for one risk; further, you should apply several controls for one risk, just to make sure that risk is decreased.