Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
BIA in a ISO 27001 implementation?
Could you kindly confirm me that for obtaining the ISO 27001 CERTIFICATION for organization Business impact analysis and BCP document aligned to IT service and recovery is mandatory.
Answer:
The Business Impact Analysis is not mandatory in the implementation of an ISO 27001 (although can be a best practice), regarding the BCP document, yes, is mandatory to have Business continuity procedures, and you can include on this a Business Continuity Plan, or a Disaster Recovery. You can also use ISO 22301 for the implementation of business continuity in ISO 27001, so this article can be interesting for you How to use ISO 22301 for the implementation of business continuity in ISO 27001 : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
And there is a list of mandatory document, you can see it here List of mandatory documents required by ISO 27001 (201 3 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Stage 1 audit - Internal audit performed?
For the stage 1 audit, should there be an internal audit performed? Or is having the documention available ok?
Answer:
Yes, should be performed. In accordance with the clause 9.2.3.1.1 g) of ISO 17021 (Requirements for bodies providing audit and certification of management systems) : "The stage 1 audit shall be performed to evaluate if the internal audits and management review are being planned and performed ..
Regarding the documentation, it is not mandatory to have a procedure in your ISMS for the internal audit (although can be a best practice), and it is mandatory to have the internal audit report (and the internal audit program). On this article you can see the list of mandatory documents of ISO 27001:2013 List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This article can be also interes ting for you How to get certified against ISO 27001? : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/ -
BCP or DRP?
https://www.theverge.com/users/custom_write -
Risk management based on assets?
Assets are usually used to perform the risk assessment although not mandatory by ISO 27001:2013
How will i take risk assessment ? I mean based on what . Can I do implement ISo27001 with out asset management and risk assessment ?
Answer:
The recommendable is to have a risk management based on assets, although you are right, it is not mandatory. Another approach is to base your risk management in process, but generally it is for big companies. So, you can implement ISO 27001 without a risk management based on assets, although it is not recommendable (most of methodologies are based on assets). Anyway, the asset management is an important issue in ISO 27001, and you can do it independently of the risk management. Furthermore it is mandatory to have a document for the inventory of assets.
You can see here the list of mandatory documents List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
And this article can be also interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
How works ISO 27001?
some question in my minds please clear me how is works 20001 & 27001 and what is the benefits after taking and what about the profits after implementation
Answer:
ISO 27001 works establishing requisites for the implementation of an Information Security Management System (ISMS), so basically here it is important to identify risks and reduce them, for the protection of the information. For more information, please see this What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/
Regarding 20001 I am sorry but it is not a standard. You mean ISO 20000-1 or ISO 22301?
Regarding benefits and profits after implementation, generally you can consider 4: compliance, marketing edge, lowering the expenses and putting your business in order. For more information about this, please read this article Four key benefits of ISO 27001 implementation : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
And this free webinar can be also interesting for you ISO 27001 benefits: How to obta in management support : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/ -
Perform the risk assessment
1. How do you carry out risk assessment?
2. Can you recommend further reading on ISO27001?
Answers:
1.- There are some steps that you need to perform during the risk assessment, we can resume these steps in 6, you can find more information here ISO 27001 risk assessment & treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
2.- Sure, you can find many information in our blog, for example What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/ , you can also read our recent articles : https://advisera.com/27001academy/blog/ or you can also see our webinars : https://advisera.com/27001academy/webinars/ , or you can also see our section of free downloads : https://advisera.com/27001academy/free-downloads/ -
Checklist for a self audit
Is there a checklist available that can be used when performing a self audit?
Answer:
Yes, you can use this Internal Audit Checklist Internal Audit Checklist : https://advisera.com/27001academy/documentation/internal-audit-checklist/ , although every company is different, and you can also develop your own checklist following this article How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
How many papers to get certified?
How many papers i have to pass to get certified?
Answer:
Generally you need to pass an unique exam to get certified, so this free webinar can be interesting for you ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/
And maybe this article can be also interesting for you How to learn about ISO 27001 and BS 25999-2 : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
And also this article Lead Auditor Course vs. Lead Implementer Course Which one to go for? : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
The best for you would be to contact some of the certification bodies in your country that provide such services, they will give you more detailed information about the course. Biggest certification bo dies are usually DNV, SGS, Bureau Veritas, and BSI - I'm sure at least one of them will be present in your country. -
Obligatoriedad de cumplimiento
Favor aclarar sobre la obligatoriedad de cumplimiento de algunos aspectos de esta norma para proveedores de alguna empresa que la esté adoptando..
Respuesta:
Si has implementado ISO 27001 en tu negocio, todas las obligaciones y requerimientos de ISO 27001 son para tu negocio, pero puedes establecer y acordar requerimientos con tus proveedores (por ejemplo a través de SLAs), y también puedes solicitar a tus proveedores que implementen y certifiquen ISO 27001.
Este artículo puede ser interesante para ti (en inglés) 6-step process for handling supplier security according to ISO 27001 : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
Activities, MAO and RTO
1/ How to includes all activities which support the provision of key products and services.
2/ How to defines maximum tolerable periods of disruption (maximum acceptable outages) for each activity and sets recovery priorities accordingly.
3/ How to defines the recovery time objective for each activity.
Answers:
I suppose that you mean how to define activities , if so, there are basically two options: a.- Determine your activities based on process, or b) Determine your activities based on organizational units. If you need more information, please read this article How to define activities when implementing business continuity according to ISO 22301 : https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
Regarding the Maximum Tolerable periods of disruption and the Recovery Time Objective, there are various ways to define them and set recovery priorities, but basically you need to analyze how the disruption of each activity affect to your busin ess, so you can make some questions like How will your clients react to a disruption?, What will be the impact to other activities?, etc. Here you can find more information How to implement business impact analysis (BIA) according to ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/ And this article can be also interesting for you Five tips for Successful Business Impact Analysis : https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/