
  • Documents and records


    The first thing is that you have to differentiate between documents and records; they are not the same thing. A document can be a procedure, a methodology, a plan, etc. A record can be the result of an internal audit, the result of a management review, logs, etc. So, the difference is that a document describes actions, whereas a record is the result (and the evidence for auditors) of actions performed.
    Second thing, you have to read this article to know the list of mandatory documents and records that you need in ISO 27001 (you can also see the non-mandatory documents), “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Program Source Code

    The control is not only for program source code; it is also for associated items, such as designs, specifications, verification plans and validation plans. It means that you need to control access to them. This can be achieved by controlled central storage of such code (assigning privileges in a network folder, or in a file server, or in a code repository with user/password). Also, you have to be careful with the libraries, which should not be held in operational systems (furthermore, you also need to control access to them).
  • ISO 27001:2013 Asset Based Risk Assessment


    If you have an asset-based RA, I suppose that you have implemented ISO 27001:2005 (the old version). If so, your current methodology is accepted by the new version, ISO 27001:2013, therefore you do not need to make changes. You can see the main changes of ISO 27001:2013 in this article, “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/

    Also, if you need to develop a new methodology accepted by ISO 27001:2013, I recommend that you read this article, “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    Finally, you can use our “ISO 27001/ISO 22301 Risk Assessment Toolkit”. Remember that you can download a free version if you click on the “Free Demo” tab: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
  • Interested parties


    Effectively, you have to identify all interested parties (employees, customers, but also suppliers and partners, shareholders, etc.) affected by the scope of ISO 27001. To do this task, this article will be very useful for you; please read it and if you have another question, ask us. “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Incident Handling Procedure and Business Continuity Plan


    If an incident occurs and you need to resolve a danger immediately, execute the Incident Handling Procedure. After that, if there is a business disruption, execute the Business Continuity Plan.

    In accordance with the official definition in ISO 22301 (Business Continuity Management Systems), an incident is a situation that might be, or could lead to, a disruption, loss, emergency or crisis. On the other hand, there is no official definition of “disaster” in the standard, but we can consider that it is the same as, or similar to, a crisis or emergency. So, an incident can result in a disaster.

    Generally, disaster is related to the concept of “Disaster Recovery” (technology), which is not the same as “Business Continuity” (the whole organization). If you want to know the differences, please read this article, “Disaster recovery vs Business Continuity”: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
  • Difference between Incident and Disaster


    In accordance with the official definition in ISO 22301 (Business Continuity Management Systems), an incident is a situation that might be, or could lead to, a disruption, loss, emergency or crisis. On the other hand, there is no official definition of “disaster” in the standard, but we can consider that it is the same as, or similar to, a crisis or emergency. So, an incident can result in a disaster.

    Generally, disaster is related to the concept of “Disaster Recovery” (technology), which is not the same as “Business Continuity” (the whole organization). If you want to know the differences, please read this article, “Disaster recovery vs Business Continuity”: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
  • ISO 27001, Scope of the implementation


    The terms and definitions are included in ISO 27000 (not in ISO 27001), and there is no official definition for the term "organization", but what matters here is the scope of ISO 27001, which can cover the whole organization or only a part of it. Therefore, yes, you can define the scope of ISO 27001 for only one part.

    Finally, if you want to define the scope of ISO 27001, this article will be very useful for you:

    https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Business Continuity Plan


    Sure, we have useful information in our blog that you can use to develop a Business Continuity Plan. Look at this:

    - How to write Business Continuity Plans: https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    - Business Continuity Plan: How to structure it according to ISO 22301: https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    And finally, you can use our templates. We have specific documents for the development of the Business Continuity Plan, and you can download a free version if you click on the “Free Demo” tab: https://advisera.com/27001academy/iso22301-documentation-toolkit/
  • SOA Template


    Absolutely, our SOA template includes the implementation method for each control. You can find details of the template in a free demo version under the “Free Demo” tab at this URL: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Also, if you are interested in control objectives and you want to adapt them to your company, you can read this article, “ISO 27001 control objectives – Why are they important?”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Relationship between Risk Treatment Plan and SOA


    Both concepts are related to the same thing: risks. Let me explain the relation:

    What is the SOA? It is a document that includes the applicability of all controls (basically, each control can apply or not).

    What is the risk treatment? Basically, it is a plan that includes actions to reduce risks.

    The actions that you need to include in the risk treatment are related to the security controls, but which security controls? Only the controls that apply to the organization. And which controls can apply? It depends on the SOA. So, in other words, the Risk Treatment Plan is the "implementation plan" for the Statement of Applicability.

    Also, you can read this article, where you can find more information about this: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment