
  • ISO 22301 for a part of my organization

    I'm currently trying to implement ISO 22301 for part of my organization. I already have a BCM policy for the whole organization. How do I create the policy required by ISO 22301?
    Do I create the policy as separate from the existing one, or as an annex to it?

    Answer:
    You can maintain the BCM Policy for the whole organization (as a best practice), although the requirements of ISO 22301 will be mandatory only for the part included in the scope of the system. If you have a limited scope, our recommendation is that in the future you expand it to the whole organization, because this generally makes management easier.

    This article may be of interest to you: “The purpose of Business continuity policy according to ISO 22301” : https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/

    And this article may also be of interest to you (although it is related to ISO 27001, most of the article can also be applied to ISO 22301): “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • MAD, MTD and RTO

    The answer to this question is here: https://community.advisera.com/topic/mad-mtd-rto/
  • Auditors are not allowed to audit their own work


    Am I allowed to lead and manage the internal audit, despite that I am the one who writes the ISMS documentation and am the project manager of the whole ISO 27001 implementation?
    I ask because of the sentence: "Internal auditors must be selected in such a way as to ensure objectivity and impartiality, i.e. to avoid conflict of interest, because auditors are not allowed to audit their own work."
     

    Answer:

    No, I am sorry, your approach is not acceptable for the standard. The recommendation is that the internal audit be performed by a person who is not involved in the implementation of the ISMS (in this way, you can ensure objectivity and impartiality). One option is to look for an external company, but another option is that the internal audit be performed by an internal employee of your company. This employee needs to have knowledge of ISO 27001 (maybe you can train him) and, of course, he must not be involved in the implementation of the ISMS. Furthermore, this article may be of interest to you: "Dilemmas with ISO 27001 & BS 25999-2 internal auditors" : https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
    And also our toolkit related to the internal audit can be interesting “ISO 27001/ISO 22301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    Finally, can be interesting for your company our online course “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Who should be part of BCM team


    I would like to ask another query about Develop Roles & Responsibilities and who should be the part of BCM team to facilitate the Business Continuity programs in terms of Testing Exercising and so on.
     

    Answer:

    Generally the BCM team is composed of the person responsible for BCM (or Chief Business Continuity Officer), people involved in the execution, maintenance and testing of the BCP, DR, etc., and people from top management.
    By the way, as you know, the implementation of the BCMS consists of documents, and you can define the roles and responsibilities in each one (this is our recommendation).
    Finally, this ebook may also be of interest to you, because the roles and responsibilities are explained in detail: "Becoming Resilient: The Definitive Guide to ISO 22301 Implementation" : https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    And this article may also be of interest to you: "Roles and responsibilities of top management in ISO 27001 and ISO 22301" : https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Relevant points of an already existing BCP


    What aspects or relevant points of a BCP that was already created (about 5 years ago) should I take into account to obtain a new, updated version aligned with the ISO 22301 standard, and one that would support a compliance audit?
     

    Answer:

    Generally, most BCPs meet the requirements of ISO 22301, although you can compare your BCP with our template, which complies with ISO 22301 (you can see a free version by clicking on the "Free demo" tab): "Plan de continuidad del negocio" (Business continuity plan) : https://advisera.com/27001academy/es/documentation/plan-de-continuidad-del-negocio/
    Finally, this article may also be of interest to you (in English): “Business continuity plan: How to structure it according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Identify people as asset by their role


    How do you integrate employees as assets in the process, by position, by name, by level?  Are the typical risk associated things like resigning, death, intentional damage to other assets, etc?
     

    Answer:

    From my point of view, the best approach is to identify people as assets by their role (or position): system administrator, head of IT department, etc. Regarding typical associated risks, you can consider the unavailability of each person (for any reason), frequent errors (due to lack of training), etc. This article may be of interest to you: “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ and also this one: “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    Remember that to identify the risks associated with each asset, you need to identify the threats and vulnerabilities related to them, so this article may also be of interest to you, because it is a catalogue of common threats and vulnerabilities: “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    Finally, our online course about ISO 27001 can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Companies approved by IRCA in India


    Could you please tell me whether SGS Group in India is an IRCA-approved certification body for the ISO 27001 Lead Auditor course, and whether I should enrol there?
     

    Answer:

    Yes, SGS Group is accredited by IRCA in India for the ISMS Lead Auditor Course, although there are other companies that may also be of interest (Bureau Veritas, BSI, etc.), and my recommendation is that you request proposals from various entities. Anyway, you can find this information on the official website of IRCA : https://members.irca.org/IRCA/train***********************************
    By the way, this article can be interesting for you “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    And maybe can be interesting for you our online course “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Actions to be taken after BCM implementation


    Would you please send me the actions which need to be taken by the BCM team after implementation, on a day-to-day basis and as below:
    Annual Actions?
    Monthly Actions?
    Quarterly Actions?
    Weekly Actions?
     

    Answer:

    Most actions have an annual frequency (review the risk assessment, perform the internal audit, perform the management review, perform corrective actions, etc.), although there are actions that can be performed monthly/quarterly: operate the BCMS, monitor and measure the system (for example, if you have defined an indicator on a monthly/quarterly basis), meetings, etc., and on a day-to-day basis you can perform the activities described in your policies and procedures. This article may be of interest to you; although it is about ISO 27001, it can also apply to a BCMS because there are many similarities between both systems: “How to maintain the ISMS after the certification” : https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
  • Information security job titles


    For now my question is about job titling and responsibilities: is there any list of information security job titles, for example: info sec manager, info sec officer, info sec-???
     

    Answer:

    The most important job title in information security is the “Chief Information Security Officer (CISO)” (also known as Information Security Officer, Security Manager, etc.). This article may be of interest to you:
    “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    And also this one "Chief Information Security Officer (CISO) - where does he belong in an org chart?" : https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    Finally maybe can be also interesting for you our online course: 
    “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Policy for utility programs


    I would like to ask you a question about ISO 27002:2013 section 9.4.4, Use of privileged utility programs. Can you explain what kind of policy we must create to conform to the standard?
     

    Answer:

    First you need to identify any software that your organization needs for its business activity (generally installed in the operating system). The next step is to establish some rules related to the utility programs:

    Delete (or do not install) unnecessary utility programs
    The installation of new utility programs can only be performed by authorized personnel
    Create a user/password for those utility programs that anyone could otherwise access
    For utility programs that have a user/password: create different users/passwords for different people (not a single “administrator” or “root” user for everyone)

    You can include these rules in an Access Control Policy, so maybe can be interesting for you our template “Access Control Policy” : https://advisera.com/27001academy/documentation/access-control-policy/
    Finally, our online ISO 27001 course may be of interest to you: "ISO 27001:2013 Foundations Course" : https://advisera.com/training/iso-27001-foundations-course/
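    An added example (not part of the original answer, and not Advisera's code) of how the first two rules above can be verified on a Unix-like host: enumerate the setuid/setgid binaries present, which are the privileged utility programs that 9.4.4 is concerned with, and compare them against the list the Access Control Policy authorizes. The approved list and the sample paths below are constructed assumptions; substitute the list your policy actually approves.

```shell
#!/bin/sh
# Added example: audit privileged (setuid/setgid) utility programs against
# an approved list so that unnecessary or unauthorized installs are detected.
# The approved list is a constructed assumption for this example.

APPROVED_UTILITIES="/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su"

# Enumerate setuid/setgid regular files on local filesystems only (-xdev).
# Run as root for complete results; unreadable directories are skipped.
find_privileged_utilities() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Read one path per line from stdin and print only those not on the approved
# list. Matching is whole-line and literal (grep -x -F), so "/usr/bin/su"
# does not accidentally approve "/usr/bin/sudo-backdoor" by prefix.
report_unapproved() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$APPROVED_UTILITIES" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Return 1 if any unapproved privileged utility exists, so the check can be
# scheduled (cron, configuration-management run) and alert on drift.
audit_host() {
    unapproved=$(find_privileged_utilities | report_unapproved)
    if [ -n "$unapproved" ]; then
        printf 'Unapproved privileged utilities found:\n%s\n' "$unapproved" >&2
        return 1
    fi
    return 0
}

# Usage on a real host (not executed here): source this file, then run
#   audit_host || echo "policy violation, see list above"
```

    Deleting the unapproved binaries (or removing their setuid bit with chmod u-s) is the remediation for the first rule; restricting who can install packages or create setuid files covers the second. The per-user account rules in the list above are about how the programs are configured, so they are checked in the programs' own access control rather than by this file-system audit.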