Referencing security controls in policies and procedures
Answer:
It is true that we did not reference particular controls within the text of each security rule, because this is not required by ISO 27001 - sometimes one security rule covers several controls, and sometimes the same control is covered within several security rules, so referencing the particular control in the text of each security rule would be rather difficult.
Clause 9.1 - measurement in ISO 27001 toolkit
Answer:
In our documentation toolkit there are basically two levels of measuring: first is on the level of the documents - in the last section of most of our documents, you'll find a sentence: "When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:..." and then a couple of items to be measured.
The second level is for the controls - in the Statement of Applicability you should set the objectives for each control, and then you can measure up to which level those objectives have been fulfilled.
These two levels are applicable for smaller and mid-size companies - of course, for larger companies you might develop a more precise and more comprehensive system, such as KPIs or Balanced Scorecards.
Using ISO 27001 & ISO 22301 Toolkit for ISO 22301 implementation
Answer:
If you purchased the ISO 22301 Documentation Toolkit, then there are no information security documents in it. On the other hand, if you purchased the ISO 27001 & ISO 22301 Premium Documentation Toolkit, and want to implement ISO 22301 only, then you should do the following:
- Implement documents from folders Procedure for document and record control, Procedure for identification of requirements, and Risk assessment and treatment
- Then move on to core business continuity documents that you'll find in the folder A.17 Business Continuity
- At last, you should implement documents from folders Training and Awareness Plan, Internal Audit Procedure, Management Review Minutes and Procedure for Corrective Action
The risk assessment methodology, with its focus on asset-based risk assessment, is completely applicable to business continuity as well; in the Risk assessment table you'll find catalogs of threats and vulnerabilities, many of which are applicable to business continuity. This article will also help you: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
By the way, in the "List of documents" that is included in the toolkit, you can see which documents are mandatory for ISO 22301 and which for ISO 27001.
ISO 22301 for a part of my organization
I'm currently trying to implement ISO 22301 for part of my organization. I already have a BCM policy for the whole organization. How do I create the policy required by ISO 22301?
Do I create the policy as separate from the existing one, or as an annex to it?
Answer:
You can maintain the BCM Policy for the whole organization (as a best practice), although the requirements of ISO 22301 will be mandatory only for the part included in the scope of the system. If your scope is limited, our recommendation is that in the future you expand it to the whole organization, because this generally makes management easier.
Am I allowed to lead and manage the internal audit, despite that I am the one who writes the ISMS documentation and am the project manager of the whole ISO 27001 implementation?
I ask because of the sentence: "Internal auditors must be selected in such a way as to ensure objectivity and impartiality, i.e. to avoid conflict of interest, because auditors are not allowed to audit their own work."
Answer:
No, I am sorry, your approach is not acceptable for the standard. The recommendation is that the internal audit be performed by a person who is not related to the implementation of the ISMS (in this way, you can ensure objectivity and impartiality). One option is to look for an external company, but another option is that the internal audit be performed by an internal employee of your company. This employee needs to have knowledge about ISO 27001 (maybe you can train him) and, of course, he must not be related to the implementation of the ISMS. Furthermore, this article can be interesting for you: "Dilemmas with ISO 27001 & BS 25999-2 internal auditors": https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
Our toolkit related to the internal audit can also be interesting: ISO 27001/ISO 22301 Internal Audit Toolkit: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
Finally, our online course ISO 27001:2013 Internal Auditor Course can be interesting for your company: https://advisera.com/training/iso-27001-internal-auditor-course/
Who should be part of BCM team
I would like to ask another query about developing roles and responsibilities, and who should be part of the BCM team to facilitate the business continuity programs in terms of testing, exercising and so on.
Answer:
Generally the BCM team is composed of the person responsible for the BCM (or Chief Business Continuity Officer), people related to the execution, maintenance and testing of the BCP, DR, etc., and people related to top management.
By the way, as you know, the implementation of the BCMS is composed of documents, and you can define the roles and responsibilities in each one (this is our recommendation).
Finally, this ebook can also be interesting for you, because the roles and responsibilities are explained in detail: "Becoming Resilient: The Definitive Guide to ISO 22301 Implementation": https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
This article can also be interesting for you: "Roles and responsibilities of top management in ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
Relevant points of an already existing BCP
What aspects or relevant points of an already existing BCP (created about 5 years ago) should I take into account to obtain a new, updated version aligned with the ISO 22301 standard, and one that would support a compliance audit?
How do you integrate employees as assets in the process: by position, by name, by level? Are the typical associated risks things like resignation, death, intentional damage to other assets, etc.?