Search results

  • Business Continuity Assessment


    Answer:

    We have a webinar about how to conduct an internal audit according to ISO 22301, which I think can be useful for you, but you need to buy one of our toolkits to see it. If you are interested in the purchase, here is the URL for “Internal audit: How to conduct it according to ISO 27001 and ISO 22301/BS 25999-2": https://www.iso27001standard.com/webinar/internal-audit-how-t************************************************************
  • Include controls in the SOA


    We included a set of controls from the 2005 version, but our SOA apparently didn't have a strong justification for their inclusion. Now we don't want to exclude those controls in the 2013 version, but sadly we can't find a strong justification.

    Answer:

    If there is another purpose for the inclusion of a control, you can include it in the SOA. For example, if you have controls added by ISO 27001:2005 and you don’t want to exclude them, you can include as the justification: "Included by ISO 27001:2005".
  • ISO 27001 mandatory documents


    Basically you are right, although the new ISO 27001:2013 is simpler in some points (for example in the risk assessment). To learn in detail how to make a transition from ISO 27001:2005 to the 2013 revision, please read this article “How to make a transition from ISO 27001:2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    Also, if you want to know in detail what has changed in the risk assessment, you can read this article “What has changed in risk assessment in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • Disciplinary actions


    There are a couple of documents related to this:

    Incident Management Procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/ (If you have our toolkit you can find this document in the folder: 08 Annex A A.16 Information security incident management)
    Statement of Acceptance of ISMS Documents: https://advisera.com/27001academy/documentation/statement-of-acceptance-of-isms-documents/ (If you have our toolkit you can find this document in the folder: 08 Annex A A.7 Human resource security)

    Also, you can see which template covers which control in the Statement of Applicability template: https://advisera.com/27001academy/documentation/statement-of-applicability/ (If you have our toolkit you can find this document in the folder: 06 Statement of Applicability)

    Finally, keep in mind that this is one of the activities that the CISO of the organization needs to perform, and it is related to human resources management (to learn more about this, please read this article: “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/).
  • Big asset inventory


    My question is: Is it required to create one big asset inventory file, or is it OK to keep them separately?

    Answer:

    Both options are OK for the standard, but I think you can keep the inventory files of each department/section and also integrate them into a single file that you keep separately. In this way I think it will be easier for you in the risk assessment, because for me it is easier to work with a single file (in the risk assessment) than with different files.
  • Achieving certification to the ISO 22301 standard


    As you already know, before certification you have to implement ISO 22301 in your organization, and there are many important things needed to do this: a project plan (required resources, dates, costs, etc.), definition of the scope for ISO 22301, implementation of the PDCA cycle (this is similar to the PDCA of other ISO standards such as ISO 9001, ISO 27001, etc.), and implementation of the Business Continuity elements: BIA, Risk Analysis, Business Continuity Strategy, Business Continuity Plan, etc.

    For more details on the implementation of ISO 22301, you can read this great book (in English): “Becoming Resilient: The Definitive Guide to ISO 22301 Implementation": https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

    You can also read this excellent article, which will help you with the implementation of ISO 22301 (also in English), "17 steps for implementing ISO 22301": https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
  • Purchase the ISO 27001 standard


    Unfortunately, we do not sell the ISO standards themselves; we provide the documentation that is necessary for the implementation of ISO standards - see the details here: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    You can purchase the ISO standard directly from ISO (https://www.iso.org/home.html) or from the standardization body in your country.
  • What is the ISO 27001 standard


    The international standard that establishes an Information Security Management System is ISO 27001, which is related to ISO 27002 (a code of best practices for information security). If you need more information about ISO 27001, please read this article “What is the ISO 27001”: https://advisera.com/27001academy/what-is-iso-27001/

    Also, if you need more information about specific controls (related to computers), ISO 27002 may be very interesting for you, as it has controls related to access control. Also remember that ISO standards are oriented more toward companies and businesses.
  • Scale of BIA to determine RTOs and RPOs


    I have a scale of (1-Low Impact, 2-Medium Impact, and 3-High Impact), so:

    In assessing RTO/RPO for an asset, what is the meaning of an impact of 1, 2, or 3?

        Am I correct if I say for RTO:

        - Impact of 1: No user reaction at all.

        - Impact of 2: Some users will start calling.

        - Impact of 3: Most users will be affected by unavailability of the asset in this time frame.

        And for RPO:

        - Impact of 1: Loss of data is acceptable and data can be recreated easily.

        - Impact of 2: Some data loss is acceptable and missing data can be recreated easily.

        - Impact of 3: No data loss is acceptable and missing data is difficult to recreate.

    Answer:

    Yes, you are right; I think that it is very easy and useful for you. If you need more information about how to perform the BIA, please read this article “How to implement business impact analysis (BIA) according to ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Aspects in A 14.2.5

    1.- You can read in the "Implementation guidance" of control 14.2.5 the following: "Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility". So, this control is related to the overall information system design, which also includes the development of software.

    2.- You can use our template to implement this control in your organization (you can see a free version if you click on the "Free Demo" tab) "Secure Development Policy": https://advisera.com/27001academy/documentation/secure-development-policy/. You can also use this template related to IT procedures, "Operating Procedures for Information and Communication Technology": https://advisera.com/27001academy/documentation/security-procedures-for-it-department/

    3.- The auditors will look for the documents mentioned above and their records as evidence of implementation.