
  • Business Continuity Plan


    Sure, we have useful information in our blog that you can use to develop a Business Continuity Plan. Look at this:

    - How to write Business Continuity Plans: https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    - Business Continuity Plan: How to structure it according to ISO 22301: https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    And finally, you can use our templates. We have specific documents for the development of the Business Continuity Plan, and you can download a free version if you click on the “Free Demo” tab: https://advisera.com/27001academy/iso22301-documentation-toolkit/
  • SOA Template


    Absolutely, our SOA template includes an implementation method for each control. You can find details of the template in a free demo version in the “Free Demo” tab at this URL: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Also, if you are interested in control objectives, and you want to adapt them to your company, you can read this article “ISO 27001 control objectives – Why are they important?”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Relationship between Risk Treatment Plan and SOA


    Both concepts are related to the same thing: risks. Let me explain the relation:
     
    What is the SOA? It is a document that includes the applicability of all controls (basically, each control can apply or not).
     
    What is the risk treatment? Basically, it is a plan that includes actions to reduce risks.
     
    The actions that you need to include in the risk treatment are related to the security controls, but what security controls? Only the controls that apply to the organization. And what controls can apply? That depends on the SOA. So, in other words, the Risk Treatment Plan is the "implementation plan" for the Statement of Applicability.
     
    You can also read this article, where you can find more information about this: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Operating procedures for IT Management


    There are some domains of control that are not related to IT. Example: A.7 Human Resource Security and A.15 Supplier relationships. But A.12 is directly related to IT because it has controls about backups, malware, monitoring, technical vulnerabilities, etc.
     
    Remember that there is a list of documents that you need to be compliant with ISO 27001, and one of these is related to the control A.12.1.1 “Operating procedures for IT management”. To see this list, please read this article (you can also see a list of non-mandatory documents) “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Context and interested parties


    You can do it in the same document (recommended), although you can also do it in different documents. The standard does not establish that both paragraphs have to be defined in the same document; it only establishes that you have to define them. If you need more information about how to define the scope, please read this article “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
     
    You can also read this article “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • Get your management's approval


     

    Answer:

    There are no official rules to do this, but you can talk with the top management about the benefits of ISO 22301. Please read this article, I hope it helps you: “ISO 22301 benefits: How to get your management’s approval for a business continuity project”: https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
  • Protect utility programs


     

    Answer:

    Keep in mind that the control A.9.4.4 is for utility programs (any software that you need for your activity in the organization and that you install in the operating system), so the first step is to identify them in your organization. Next step: are there unnecessary utility programs? If yes, delete them. Next step: are there some utility programs which anyone can access? If yes, it is necessary to establish a password. Are there systems with a password that different people access? If yes, it is necessary to establish different users (not a single user “administrator” or “root” for all).
    In your case, my recommendation is: segregate functions, create a new group and include in it users that do not need administrator access; it should be only for 1-2 people (system administrators). If it is necessary that other users have administrator privileges, you can create another group, but independent of the administrator group.
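    The answer above boils down to three checkable points: no shared root-level account, an administrator group limited to 1-2 people, and no utility reachable without a password. As an added example (not part of the Advisera answer), this POSIX shell script runs those three checks over constructed passwd, group and shadow style lines; the administrator group name wheel is an assumption.

```sh
#!/bin/sh
# Added example (not from the Advisera answer): check constructed account data
# against the points the A.9.4.4 answer lists: no shared root-level account,
# a small administrator group (1-2 people), and no password-less access.
# The passwd/group/shadow lines below are constructed sample data, not a real host.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1002:1002:service:/srv/svc:/bin/sh'

# Assumed administrator group name: wheel.
GROUP_SAMPLE='wheel:x:10:alice,bob,svc
users:x:100:alice,bob'

SHADOW_SAMPLE='root:$6$hash:19000:0:99999:7:::
alice:$6$hash:19000:0:99999:7:::
bob::19000:0:99999:7:::
svc:!:19000:0:99999:7:::'

# Number of accounts carrying UID 0; more than one means root access is shared.
count_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}

# Number of members of the named group (comma-separated field 4 of a group line).
count_group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" \
        '$1 == g { n = ($4 == "") ? 0 : split($4, m, ","); print n }'
}

# Accounts whose shadow password field is empty: anyone can log in as them.
empty_password_users() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print one FINDING line per problem; arguments: passwd, group, shadow, admin group.
audit_accounts() {
    uid0=$(count_uid0 "$1")
    [ "$uid0" -gt 1 ] && echo "FINDING: $uid0 accounts have UID 0; keep one root and personal admin accounts"
    admins=$(count_group_members "$2" "$4")
    [ "${admins:-0}" -gt 2 ] && echo "FINDING: group $4 has $admins members; limit it to 1-2 administrators"
    for u in $(empty_password_users "$3"); do
        echo "FINDING: account $u has no password; set one or remove the account"
    done
    return 0
}
audit_accounts "$PASSWD_SAMPLE" "$GROUP_SAMPLE" "$SHADOW_SAMPLE" wheel
```

    On a real host the same functions can be fed the contents of /etc/passwd, /etc/group and /etc/shadow (the last needs root to read).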
  • Scope of ISO 27001 for a software project


    You can include in the scope of the certification the activities related to your software project, processes related to your software project, the department that works on this project, or you can certify all activities related to the whole company. However, you cannot certify only the project itself - the point is that your organization is certified, not your product.

    For more information about the definition of the scope, you can read this article: “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Personal computer in the Inventory of assets


    Basically this is not recommended, because there can be risks which the organization cannot control (who updates the software? who buys the anti-virus? who makes the backups?).

    To mitigate such risks (for the equipment that is not included in your scope, i.e. not in your asset inventory), you should develop a policy for the use of the personnel's personal equipment; it is usually known as “BYOD” (Bring Your Own Device).

    You can use this template for the development of this policy “Bring Your Own Device (BYOD) Policy”: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
  • Auditor findings - Opportunities for improvement


    It is not true. Opportunities for Improvement are recommendations of the auditor, and will never be a Non-Conformity. However, an observation can become a Non-Conformity if the organization does not resolve it.

    For the internal audit the situation is the same, but in this case it would be interesting that you include in your procedure of internal audit the definition of each finding (Non-Conformity Major, Non-Conformity Minor, Observation, Opportunity for Improvement).

    If you need information for the development of the procedure of Internal Audit, you can see our video tutorial “Documentation Tutorial: How to write ISO 27001/ISO 22301 Internal Audit Procedure and Audit Program”: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/