
  • BCP template


    Looking for BCP template preview.
    I want to implement the basic business continuity and recovery planning and implementation of ISMS practices.
    I have gone through the ISMS domains and controls applicable in 27001:2013, trying to see what I can add as per the standards (based on the current practices we have in the organization).
     

    Answer:

    You can implement only a Disaster recovery plan as a minimum to be compliant with A.17.1.2 and A.17.2.1 of the ISO 27001:2013, remember that the Business Continuity Plan and the Disaster Recovery are not the same, please read this article “Disaster recovery vs. Business continuity” : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    Anyway, here you can find a template for the BCP; you can see a free version by clicking on the “Free Demo” tab : https://advisera.com/27001academy/documentation/business-continuity-plan/ and for the Disaster Recovery Plan : https://advisera.com/27001academy/documentation/disaster-recovery-plan/
    Also here you can find an article that will help you to write a BCP for your organization “How to write business continuity plans?” : https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
  • Audit ISO 27001:2005


    I have audited (a compliance audit, not a certification audit) a client in Feb 2015 against the ISO 27001:2005 standard. I also indicated that all 2005 version certificates expire by 30th Sep 2015. My client was explaining that the old standard doesn't expire and, as long as he wishes, he can comply with the old standard and it is not a must to upgrade to the 2013 version. Is this correct?
     

    Answer:

    I am afraid that it is not true. This year all certification bodies in the world have to update to ISO 27001:2013, which means that all companies with an ISO 27001:2005 certificate need to adapt to ISO 27001:2013. If not, they can lose the certificate, although they can maintain the ISMS they have implemented.
    Anyway, there are no major changes in the new revision, so I think that there are no excuses for not updating. Here you can find more information about the transition “How to make transition from ISO 27001 2005 revision to 2013 revision” : https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Security board/council


    What I have been wondering on a few occasions is whether, in general, a Security Board/Council is mandatory for certification under ISO standards, or just a best practice?
     

    Answer:

    If by “Security Board/Council” you mean a group of people who manage the ISMS (I have seen this name in some organizations: “Security committee”), it was mandatory in the old version of the standard, ISO 27001:2005, but in the current version, ISO 27001:2013, it is just a best practice.
    Finally, I think that can be useful for you to know the list of mandatory documents (and non mandatory) so please see this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Thesis topic: ISO 27001


    Actually, I want to use ISO 27001 FOR A THESIS TOPIC and I hope you can help me with some questions.
     

    Answer:

    Of course, you can ask us all your questions. In any case, this academic work related to the implementation of an ISMS (I am the Director of this work, which was developed by one of my students) may be interesting for you: https://openaccess.uoc.edu/webapps/o2/bitst******************************************

    This article (in English) may also be interesting: "The biggest shortcomings of ISO 27001" : https://advisera.com/27001academy/blog/2011/03/21/the-biggest-shortcomings-of-iso-27001/
  • The Manual


    During the implementation of ISO 9001, ISO 14001, OHSAS 18001 etc. as a main document one has to write the Manual which contains general information about the company, overview of procedures and records, and maybe an org chart. Please answer me how to write the ISMS Manual as a top-level document. Also I'm interested which type of documents are the documents from Annex A (procedures or something else)?
     

    Answer:

    ISO 27001 does not require a manual, so we recommend that you do not develop this document; please read this article “Is the ISO 27001 Manual really necessary?” : https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
    Regarding documents from Annex A, they can be procedures and technical instructions, but also policies and plans; keep in mind that it is not necessary to have a document for each control. Here you can find a list of mandatory documents “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Certification bodies


    When it comes to getting certified against ISO 27001 there are different certification bodies available.
    Which one is generally best, and on which factors can they be compared?
    Would you like to share some personal experience or point me in the right direction?
     

    Answer:

    Absolutely, it is an important decision and there are many companies available, and there are various parameters that you need to consider. This article can help you to choose the best certification body for your organization “How to choose a certification body” : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • ISO 27001 for a power plant


    The documents and information you provide is very helpful.
    Furthermore, I would like to ask how we could approach auditing and implementing ISO 27001 for a thermal power plant, and how we could calculate its worth/cost.
    A thermal power plant is a new practice to me.
     

    Answer:

    There is no specific plan to implement ISO 27001 for a specific business, although this is one of the best points of the standard, because it is developed for any type of business. Our templates are also developed for any type of business, so you can implement and certify ISO 27001 in your organization. For the implementation, this article can be interesting for you “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    Regarding the auditing, I suppose that you mean the certification of the standard, if so, this article can be interesting “How to choose a certification body” : https://advisera.com/27001academy/knowledgebase/how-to-choose-a-certification-body/
    Finally, this article can help you to calculate costs "How much does ISO 27001 implementation cost?" : https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
  • ISO 27001 for data center


    If the 2 exits are controlled against unauthorized access, there is no problem with the standard, so you need an access control policy. I think that it can also be very interesting to install video cameras at these 2 exits.
    In all other respects there is no problem to implement and certify ISO 27001 in your organization, because it is for the protection of the information of any type of business. Our templates are also developed for any type of business, and you can also have our support. If you are interested, you can see a free version of each template by clicking on the “Free Demo” tab here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
    To start a project of this type, the first thing that you need is a project plan, so this article can be interesting for you “ISO 27001 project – How to make it work” : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    Finally I think that this article can be very interesting for you “ISO 27001 Case study for data centers: An interview with Goran Djoreski” : https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/ and also this article "Physical security in ISO 27001: How to protect the secure areas" : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
  • Economic resources


    We offer the toolkit with all the templates that you need to implement ISO 27001; it has a cost, but it is very cheap in comparison to other options, so I think that it is the best option for you. Furthermore, you can see a free version of all documents by clicking on “Free Demo”, and of course you can ask us about any doubt that you have related to the implementation of ISO 27001 in your organization.
    Regarding the internal audit of systems and control methods, we do not have such policy (we do have an internal audit procedure that covers the whole audit process in general), but you can develop your own checklist for technical items reading this article: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Secure development


    1. A.14.2.1 Secure development policy: is this control still applicable for an organization that fully outsources its development process?
    2. A.14.2.2: does this control apply only during the development process (i.e. coding, bug fixing), or does it include changes made after the system is put into operation (i.e. new requirements, enhancements)? How does it differ from A.12.1.2? Is operating system patching/updating part of A.14.2.2 or A.12.1.2?
    3. A.14.2.5: is this only applicable to in-house development? Is this applicable when analyzing system requirements and system design?
     

    Answer:

    Point 1:

    Yes, you can apply this control, but in this case you need to request a secure development policy from the external company.

    Point 2:

    You can consider this control for the development process and also for changes to systems after you put them into operation. The control A.12.1.2 is more general (for all changes related to information security: organization, business processes, information processing facilities, etc.), and the control A.14.2.2 is specifically related to changes to systems within the development lifecycle. I think that operating system patching/updating is more related to the control A.14.2.2.

    Point 3:

    Yes, but here you can also demand secure system engineering principles from an external company, and yes, you can apply this control when analyzing system requirements and system design.