
  • Category of assets


    So to clarify, in your example of asset categories, if I have grouped assets under “application software (licensed)”, I can perform my risk assessment based on this group if the threats and vulnerabilities apply to the group of assets.
    So in my inventory of assets, all I need to do is complete the table with the same information I used in the risk assessment table:

    ID | Asset category             | Name of asset                   | Asset owner | Asset description
    1  | Applications and databases | application software (licensed) | IT          | Licenced application software.

    Would this be sufficient or would I need to list all licenced software?

    Answer:

    Yes, you are right, in your risk assessment you can have a group of assets (type software) and identify threats and vulnerabilities that apply to it (threats and vulnerabilities related to software), but in your case, I think that it will be better if you have 2 different groups of assets: “Applications” and “Databases”, because risks can be different. Only if after performing the risk assessment you see that they have the same risk, you can consider integrating them into a single group.
    Finally, keep in mind that additionally, in accordance with intellectual property legislation, you must have an inventory of your licensed software.
  • Measurement of the absolute risk

    To evaluate the risk, you should take into consideration the security controls that exist in the organization for each asset. This approach is more realistic and closer to the reality of your business, because it considers the current controls. If not, you will have a point of view that does not reflect the reality. So, our recommendation is the first approach, I mean, that you consider current security controls.
  • Integrate policies


    Why do you want to integrate them into a single document? We think that it is better if you have a high-level policy for the ISMS (with strategic intention, objectives, etc.) and detailed policies for access control, backups, etc. If you have a single document, it can be extensive and uncomfortable to read.
    Finally, I think that this article can be very interesting for you, "One Information Security Policy, or several policies?":
    https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    And this article can also be interesting for you: “Information security policy – how detailed should it be?”: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
  • Methodology based on ISO 27001 and ISO 27005


    Our Risk Assessment Methodology is based on ISO 27001 and ISO 27005, and is especially adapted for smaller and mid-sized companies. Further, it is compliant not only with ISO 27001, but also with ISO 22301 (the business continuity standard).
    Here you can see a free version of our methodology by clicking on the “Free Demo” tab: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
  • Group of assets


    In the risk assessment table I can use a group/category of assets such as “laptops” in the “asset name” section, and identify the threats and vulnerabilities for that category, correct? In the inventory of assets, do I need to list each asset of the category then?
    Example:
    Category: laptops
    Asset name: [name]-laptop
    Or can I keep this section high level as well as example:
    Category: ICT and Other equipment
    Asset name: Laptops

    Answer:

    Yes, you can have an asset named “laptops” in your inventory of assets, and afterwards in the Risk Assessment Table you need to identify threats/vulnerabilities related to it (related to all laptops that have the same threats/vulnerabilities). So, you can have this:
    Category: ICT
    Asset name: Laptops
  • Business Continuity Policy


    Really they are the same thing (although the term "Business Continuity Management System Policy" does not exist in ISO 22301), so think of a single term, for example “Business continuity policy”. Please read this article, I think that it can be very interesting for you, “The purpose of Business continuity policy according to ISO 22301”: https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
  • Training and exam of Lead implementor


    Also I found some material in this link (don't worry, I am comfortable with the resources from you). It has a very long list of documents. But does our toolkit have this many?
    https://www.itgovernance.co.uk/download/ISMS_27001-2013_ContentsList.pdf

    Answer:

    Both companies (BSI and PECB) are very good, therefore either of the 2 may be a good choice for the Lead Implementer course. Anyway, we have free resources that you can use to gain good knowledge about ISO 27001; you can find them here: https://advisera.com/27001academy/free-downloads/
    We have created our ISO 27001 Documentation Toolkit for smaller and mid-sized companies - this is why we have optimized both the number of documents and their size - in our opinion if you had more documents this would create an overkill for smaller companies. Of course, our toolkit has all the mandatory documents required for the certification.
  • Competences in ISO 27001:2013


    Documenting the competences does not differ between the 2013 and 2005 revisions of ISO 27001 - if you go for any training, you need to have some kind of a record (e.g. the certificate). On the other hand, you do not need any formal qualifications to manage the ISMS - if everything works well, this is a proof of your competence.

    This article will also help you with the transition: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Risk management in BCMS and ISMS


    There is no important difference, and you can use the same main technique for risk management in a BCMS and in an ISMS, but keep in mind that in the case of the ISMS you need to identify risks related to information security, and in the case of the BCMS you need to identify risks related to business disruption (this is the main difference).
    Finally, I think that this article can be interesting for you, “Can ISO 27001 risk assessment be used for ISO 22301?”: https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/. And this article can also be interesting, “How to organize initial risk assessment according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/.
  • Validate documents



    Answer:

    Sure, if you have purchased our Premium toolkit you can send us up to 5 documents and we will review them.