  • Pandemic - BCP scenario


    The justification could be: each year you need to review your BIA and your Risk Assessment, and in the last one you identified that the loss of staff is very important, so you need to include it in your BCP. It can be the same with any other situation that you identify in the latest BIA/Risk Assessment.

    Read also this article: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    And to respond to that client's question: do we have to add a pandemic scenario to our BCP? Currently, we don't include loss of staff in our risk register.

    Answer:

    It should depend on the BIA and Risk Assessment, but the pandemic scenario is very usual in a BCP, so we recommend you include it.
  • ISO 27001 measurement


    Basically, you need to measure the achievement of the security objectives and the effectiveness of the security controls. To do this, you need metrics, and you can define each one with these fields: name of the metric, description, calculation formula, threshold value, objective value, measuring frequency, source, and the person responsible for managing the metric.

    You'll find these materials helpful:

    Article ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    Webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
  • Incident Log


    Answer:

    ISO 27001 does not prescribe who should do this; best practice is that this is done by a person who coordinates the information security in a company - i.e. Chief Information Security Officer, Information security manager, or similar.
  • ISO 27001 risk assessment


    Risk assessment methodology is a document that describes the rules for your risk assessment - therefore, you should write this methodology before starting to perform the risk assessment. It would be better to choose only the qualitative analysis in your methodology because quantitative is much more difficult, and it is not mandatory.

    These materials will help you:

    article ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    article How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Information asset in ISO 27001:2013


    Yes, with ISO 27001:2013 you can continue doing the risk assessment based on hardware, software, documents, infrastructure and people.

    If you choose to continue using the asset-based risk assessment, then you cannot exclude hardware, infrastructure and people from the risk assessment because those are very important assets.

    My recommendation: maintain these types of assets, but please keep in mind that the important thing here is the identification of threats/vulnerabilities that can affect the organization (and the risk), and you can define the asset types that you need in your business. In ISO 27005 you can see an example of asset types.

    This article will also help you: What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • ISMS Feasibility


    Before you start implementing ISO 27001, you have to make sure your project will succeed - get the support of the top management, introduce project structure, etc. - this article will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    Once you start implementing ISO 27001, you have to make sure you implement all the elements in the right sequence - read this article for details: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Asset Identification for Contact Centers

    The key question here is who is in charge of this client's database - are you controlling the database (i.e. setting the rules, administering it, etc.), or is the client controlling it and you simply have access to it?

    If you are controlling the database, then it should be included in your ISMS scope, and you should perform the risk assessment (and treatment).

    See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • ISMS Scope Document


    Each company has to define for itself which organizational units to include in its ISMS scope - the recommendation is to include the whole company in the scope, or if this is not possible, then the departments that handle the most sensitive data (e.g. IT department, Sales department, HR department, R&D, etc.). This way it is ensured that the information security rules are applied to the most important information.

    See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Monitoring of third parties


    In my view, you can perform the monitoring of third parties in the following ways:

    Receiving regular reports from the third party - these reports are prepared by this third party, and they are the least reliable.
    Using some kind of automated reporting system or software - this way you can get more detailed and more precise info about what and when is done by the third party.
    Second party-audit - you can send your auditors to the third party so that they could check if they comply with the agreement.

    Generally, you can manage your suppliers and other third parties as explained in this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27001 clauses applicable for Cloud Security

    This article will give you the answers: Cloud computing and ISO 27001 https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/

    Please keep in mind this article was written before the 2013 revision of ISO 27001 was published, so the numbering of controls has changed - here you'll find a mapping of old and new controls: https://www.bsigroup.com/Documents/iso-27001/r*********************************************