Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Incident Handling Procedure and Business Continuity Plan
If an incident occurs and need to resolve a danger immediately, execute the Incident Handling Procedure. After that, if there is a business disrupt, execute the Business Continuity Plan.
In accordance with the official definition of the ISO 22301-Business Continuity Management Systems, an incident is a situation that might be, or could lead to, a disruption, loss, emergency or crisis. On the other hand, in the standard there is no official definition for disaster, but we can consider that is the same or similar to a crisis or emergency. So, an incident can result in a disaster.
Generally, Disaster is related to the concept Disaster Recovery (technology), which is not the same that "Business Continuity" (whole organization). If you want to know the differences about this, please read this article Disaster recovery vs Business Continuity": https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/ -
Difference between Incident and Disaster
In accordance with the official definition of the ISO 22301-Business Continuity Management Systems, an incident is a situation that might be, or could lead to, a disruption, loss, emergency or crisis. On the other hand, in the standard there is no official definition for disaster, but we can consider that is the same or similar to a crisis or emergency. So, an incident can result in a disaster.
Generally, Disaster is related to the concept Disaster Recovery (technology), which is not the same that "Business Continuity" (whole organization). If you want to know the differences about this, please read this article Disaster recovery vs Business Continuity": https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/ -
ISO 27001, Alcance de la implementacion
Los términos y definiciones están incluidos en la ISO 27000 (no en la ISO 27001), y no existe una definición oficial para el término "organización", pero lo importante aquí es el alcance de la ISO 27001, el cual puede afectar a toda la organización o sólo a una parte. Por tanto, sí, se puede definir el alcance de la ISO 27001 para sólo una parte.
Por último, si quieres definir el alcance de la ISO 27001, este artículo te resultará muy útil:
https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/ -
Business Continuity Plan
Sure, we have useful information in our blog that you can use to develop a Business Continuity Plan. Look at this:
- How to write Business Continuity Plans: https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
- Business Continuity Plan: How to structure it according to ISO 22301: https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
And finally, you can use our templates. We have specifically documents for the development of the Business Continuity Plan, and you can download a free version if you click on the Free Demo tab: https://advisera.com/27001academy/iso22301-documentation-toolkit/ -
SOA Template
Absolutely, our SOA template include implementation method for each control. You can find details of the template in a free version demo in the Free Demo tab at this URL: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Also if you are interested about control objectives, and you want to adapt them to your company, you can read this article ISO 27001 control objectives Why are they important?: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/ -
Relationship between Risk Treatment Plan and SOA
Both concepts are related with the same thing: risks. Let me explain the relation:
What is the SOA? Is a document that includes the applicability of all controls (basically each control can apply or not)
What is the risk treatment? Basically is a plan that include actions to reduce risks.
The actions that you need to include in the risk treatment, are related to the security controls, but What security controls? Only the controls that apply to the organization, and What controls can apply? Depends on the SOA. So, in other words, the Risk Treatment Plan is the "implementation plan" for the Statement of Applicability.
Also you can read this article where you can find more information about this: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment -
Operating procedures for IT Management
There are some domains of control that are not related to IT. Example: A.7 Human Resource Security and A.15 Supplier relationships. But A.12 is directly related with IT because has controls about backups, malware, monitoring, technical vulnerabilities, etc.
Remember that there are a list of documentes that you need to be compliant with ISO 27001, and one of this is related to the control A.12.1.1 Operating procedures for IT management. To see this list, please read this article (you also can see a list of Non-mandatory documents) List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Context and interested parties
You can do it in the same document (recommended), although you also can do it in different documents. The standard does not establishes that both paragraphs have to be defined in the same document, only establishes that you have to define them. If you need more information about how to define the scope, please read this article How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Also you can read this article Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization): https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/ -
Get your managements approval
Answer:
There is no official rules to do this, but you can talk with the top management about the benefits of ISO 22301. Please, read this article, I hope help you ISO 22301 benefits: How to get your managements approval for a business continuity project : https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/ -
Protect utility programs
Answer:
Keep in mind that the control A.9.4.4 is for utility programs (any software that you need for your activity in the organization and you install it in the system operative), so the first step is to identify them in your organization. Next step: There are unnecessary utility programs? If yes, delete them. Next step: There are some utility program which can access any people? If yes, is necessary to establish a password. There are systems with password that access different people? If yes, it is necessary to establish different users (not unique user administrator or root for all ).
In your case, my recommendation is: segregate functions, create a new group and include on it users that do not need administrator access, it should be only for 1-2 people (administrator systems). If it is necessary that other users have administrator privilegies, you can create another group, but independent of the administrator group.