Search results


  • ISMS Manual (Poslovnik) as the general document

    When implementing ISO 9001, ISO 14001, OHSAS 18001 and similar standards, the main document produced is the Manual (Poslovnik), which contains general information about the business entity, an overview of procedures and records and, possibly, a diagram of the organizational structure. Please tell me how to produce the ISMS Manual as an umbrella document. I am also interested in which type of documents the documentation from Annex A belongs to (procedures or something else). Thank you in advance.
  • ISO 22301 in the world


    Answer:

    Keep in mind that the standard is new and it needs time to spread to all the companies in the world, but the number of companies interested in the standard is increasing daily, and I am sure that in the next years there will be many certified companies.
  • Two big doubts


    Question 1: According to standard 31000, external issues can be: cultural, social, political, legal, financial, technological settings, etc. But what information about those items do I need in order to be in compliance with section 4.1 of ISO 27001?

    Question 2: In which document should I put this information?

    Answer:

    Point 1: The same is also applicable to ISO 27001; anyway, this article can help you: “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    Point 2: At the end of the article from point 1, you have a link to the document “Procedure for identification of requirements”: https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/. You can see a free version of this template by clicking on the “Free Demo” tab, and you can use it for clause 4.1 of the standard.
  • Crucial component in any IS procedure


    The crucial component of a procedure may be the adequate description of each activity. For example, if you have a procedure for backups, it is very important that it describes all related activities (schedule, number of normal tapes, number of recycled tapes, etc.). I think that the control of changes, to manage modifications to the procedure, is also very important.
    Finally, these 2 articles can be interesting for you:

    How to structure the documents for ISO 27001 Annex A controls: https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    How detailed should the ISO 27001 documents be?: https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
  • Some questions about ISO 27001


    Q1) 'There is no policy or procedure in place listing the controls for documents of external origin.'
    So I need to work on the document control procedure (or any document which talks about document management) and include topics on how to handle and manage the documents which are NOT prepared by my client.
    I tried to list a few documents of external origin:
    Customer prints
    Industry regulations
    ISO Standards
    References used for your documentation
    Corporate guidance documents
    Can you tell me what exactly is required when it says 'documents of external origin'?

    Q2) How can I help the Management review to include
    (A) Changes in external & internal issues that are relevant to the ISMS
    (B) Feedback on InfoSec performance on fulfillment of information security objectives (as required by ISO 27001:2013)

    Q3) On clause 4.2, I have tried discussing the same with Alan...
    @Alan: Please follow up on this one too

    Answer:

    Point 1: You are OK; furthermore, external documents can be: reports of external auditors, project plans of your clients, and any document external to your organization (where the ISMS is implemented). Anyway, I suggest that the control of external documents is almost the same as the control of internal documents. For more information, please read this article "Document management in ISO 27001 & BS 25999-2": https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
    Point 2: (A) You need to request any change to external/internal issues, and you can develop a report with conclusions about this. (B) You can develop a report of conclusions of the risk assessment & treatment. Also, these articles can be interesting for you:

    Why is management review important for ISO 27001 and ISO 22301?: https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
    How to perform monitoring and measurement in ISO 27001: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
    Point 3: Sorry, but I do not understand this question. Can you reformulate it? Anyway, this article about interested parties can be interesting for you: “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Basic information about ISO 27001


    Sure, we have many interesting articles for you:

    What is ISO 27001?: https://advisera.com/27001academy/what-is-iso-27001/
    The basic logic of ISO 27001: How does information security work?: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    Overview of ISO 27001:2013 Annex A: https://advisera.com/27001academy/iso-27001-controls/
    ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Documentation for cloud services


    Answer:

    Our templates are developed for any type of business, so lots of our clients are cloud companies; anyway, if you are interested in cloud computing and information security, this article can be interesting for you: “Cloud computing and ISO 27001 / BS 25999”: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Risk assessment for Information security


    There are many similarities between ISO 27001 and PCI-DSS, which can be useful for you. According to requirement 12.2 of PCI-DSS, you need to implement a risk assessment process, so I suppose that you have a risk assessment methodology based on ISO 27005, OCTAVE, or similar. In this case, you can use the same methodology for the implementation of ISO 27001 (for the risk assessment & treatment), but thinking of assets related to information security (taking into account the scope of the ISMS). You can read these 2 articles about ISO 27001 and PCI-DSS: “PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences”: https://advisera.com/27001academy/knowledgebase/pci-dss/ and “PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification”: https://advisera.com/27001academy/knowledgebase/pci-dss/
    Regarding the risk register, if you want, you can try our methodology; there are templates for what you want (you can see a free version of all templates by clicking on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
  • ISMS Plan

    Hi, I have been asked to write an ISMS plan for my organization. My organization wants me to include dependencies, resources, and risk sections along with the timelines. Are there any templates for this? Can you help me with this? Thanks, Vijay
  • Scope Document, Org. Chart & Roles and Responsibilities

    Sure, you can merge these documents into a unique document; there is no problem with the standard, although we recommend that you have different documents because they are different things. Also, I think that it is very important not to duplicate documents, so, for example, if you have a security policy in the Manual, it is not necessary to have another independent document with the same content.
    Anyway, this article can be interesting for you: “Is the ISO 27001 Manual really necessary?”: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/