Appendix 4: Examples of disruptive incidents scenarios
What is the meaning of Appendix 4: Examples of disruptive incidents scenarios?
Answer:
The purpose of Appendix 4 is to present the most likely incidents and their impacts on the organization. This appendix is directly related to paragraph 3.2 Risk management of the document Business Continuity Strategy, because for all identified risks/incidents it is necessary to prepare event scenarios which describe how much the incidents could affect the organization.
You can find the template of the Business Continuity Strategy here (you can see a free version by clicking on the Free Demo tab): Business Continuity Strategy : https://advisera.com/27001academy/documentation/business-continuity-strategy/
Difference between information asset and IT asset?
What is the difference between an information asset and an IT asset? What is an information asset? I want to do an asset inventory; what are the things I have to look for?
Answer:
"Information asset" is a term used in ISO 27001 and it refers to assets of the type information, but "IT asset" is not used in ISO 27001, although from my point of view it is related to IT, and there are some types of assets related to this, mainly hardware and software. So, an information asset can be the information included in databases, files in PDF, Word, Excel, etc., but also the information included on paper and in other forms.
For the asset inventory it is first important to establish the types of assets (information, hardware, software, infrastructure, people, outsourced services), and based on this, identify all the assets that you have in your business, those that have value to the organization and are included in the scope of the ISMS. This article can be very interesting for you: How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Difference between total risk and residual risk
What is the difference between total risk and residual risk?
Answer:
I am sorry, but ISO 27001 uses the terms risk and residual risk (total risk is not used). A risk is the effect of uncertainty on objectives, while residual risk is the risk remaining after the risk treatment. So, basically, before implementing the security controls you have risks related to information security in your business (you need to reduce them), and after implementing the controls the reduced risk is the residual risk (keep in mind that generally you cannot eliminate the risk completely).
Maybe this article about residual risk can be interesting for you: Why is residual risk so important? : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Standard for protection of personally identifiable information
Is there any standard or guideline from ISO for the protection of personally identifiable information (PII) other than ISO 27018? I mean, not for the cloud.
Answer:
The ISO standard with guidelines about the protection of personally identifiable information is ISO 27002. This standard has the control "18.1.4 Privacy and protection of personally identifiable information", which is exactly what you need. You can download and buy the standard from the official ISO.org site : https://www.iso.org/standard/54533.html
Finally, keep in mind that most countries in the world have laws related to the protection of personal data, so maybe this list of laws and regulations on information security in the most important countries can be interesting for you: Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
ISO 27001 - Document Control on non-ISMS documentation
In accordance with clause "7.5.3 Control of documented information": "Documented information required by the information security management system and by this International Standard shall be controlled...". So it is not necessary that non-ISMS documents follow the control of documented information, although from my point of view it can be a best practice. So, "document coding", "classification", "change history block", "distribution", etc. are not strictly necessary for non-ISMS documents, but they can be useful and a best practice for your business.
Just a quick one on the Physical Security aspect of the policy, specifically with regard to "Procedures for Working in Secure Areas". The only secure area is actually the data centre location where our server is located. Should that be listed as a secure area? If so, it's a little different from the template, as access is generally only for data centre staff who actually manage the facility, and these are not direct employees. Or do we not need such a procedure in this scenario?
Can you assist me with these two quick questions:
1. How do you determine the relevant external parties without capturing too much, and their interest (is this directly to the company)?
2. As it relates to the BIA, what are the critical focuses of that evaluation?
Answers:
1.- To determine interested parties you need to ask your top executives and/or heads of departments who is important for the business, taking into account that an interested party can be an employee, the owners of the business, regulators, clients, etc. To determine their interests you can also ask each of the top executives and/or heads of departments, and yes, this is directly to the company. This article can be interesting for you: How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
2.- I am not sure if I have understood your question, but during the BIA basically you need to collect information from the persons responsible for each activity (some information: impact assessment, assessment of RPO/Maximum Data Loss, Minimum Business Continuity Objectives, etc.), and after this, with all the information acquired, you need to make decisions. I think that this article can be very interesting for you: How to implement business impact analysis (BIA) according to ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
By the way, for the collection of information you can use our questionnaire (you can see a free version by clicking on the Free Demo tab): Business Impact Analysis Questionnaire : https://advisera.com/27001academy/documentation/business-impact-analysis-questionnaire/
You can also download our "ISO 22301 Business Impact Analysis Toolkit" : https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/ You can download a free demo of this toolkit, and you can find the questionnaire template in the folder "Business_Impact_Analysis_Toolkit_Preview_EN".
Simple and functional template for the BCP
I would like to design the BCP (PCN). What is the best way to minimize errors and make a concise and consistent plan? I don't want to get lost in excessive detail; I want to do something simple and functional.