Search results


  • Nonconformities and Potential Improvements

    Yes, you can do it! Although as you know, preventive actions are not mandatory in the new version (ISO 27001:2013)
  • Differences in BCM 2005 and 2013 revision of ISO 27001


    In your case the update will not be critical, because ISO 27001:2013 has no important changes. If you have implemented a BCM in your organization, then the implementation of the domain “A.17 Information security aspects of business continuity management” is basically the same as it was for ISO 27001:2005.

    You'll learn more in this article: How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Using scales for calculating risk


    If you are using a scale such as High, Medium and Low for Impact and Likelihood, you can use a table like this (columns are the impact, rows are the likelihood):

    Likelihood \ Impact   Low       Medium    High
    Low                   LOW       LOW       MEDIUM
    Medium                LOW       MEDIUM    HIGH
    High                  MEDIUM    HIGH      HIGH

    In the table you just cross the impact with the likelihood, and in this way get the result of the risk. For example: I = High and L = High: Risk = HIGH; I = Medium and L = High: Risk = HIGH.

    An alternative (and simpler) way would be to use the following values: Low = 0, Medium = 1, and High = 2, and addition as the way to calculate the risk. So if I = 2 and L = 1, then the Risk = 3.

    Also this article can help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Pandemic - BCP scenario


    The justification could be: Each year you need to review your BIA and your Risk Assessment, and in the last, you identify that the loss of staff is very important, so you need to include it in your BCP. It can be the same with another situation that you identify in the last BIA/Risk Assessment.

    Read also this article: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    And to respond to that client's question: do we have to add a pandemic scenario to our BCP? Currently, we don't include loss of staff in our risk register.

    Answer:

    It should depend on the BIA and Risk Assessment, but the pandemic scenario is very common in a BCP, so we recommend that you include it.
  • ISO 27001 measurement


    Basically you need to measure the achievement of the security objectives and the effectiveness of the security controls. To do this, you need metrics, and you can define each one with these fields: name of the metric, description, calculation formula, threshold value, objective value, measuring frequency, source, and the person responsible for managing the metric.

    You'll find these materials helpful:

    Article ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    Webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
  • Incident Log


    Answer:

    ISO 27001 does not prescribe who should do this; best practice is that this is done by a person who coordinates the information security in a company - i.e. Chief Information Security Officer, Information security manager, or similar.
  • ISO 27001 risk assessment


    Risk assessment methodology is a document that describes the rules for your risk assessment - therefore, you should write this methodology before starting to perform the risk assessment. It would be better to choose only the qualitative analysis in your methodology because quantitative is much more difficult, and it is not mandatory.

    These materials will help you:

    article ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    article How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Information asset in ISO 27001:2013


    Yes, with the ISO 27001:2013 you can continue doing the risk assessment based on hardware, software, documents, infrastructure and people.

    If you choose to continue using the asset-based risk assessment, then you cannot exclude hardware, infrastructure and people from the risk assessment because those are very important assets.

    My recommendation: maintain these types of assets, but please keep in mind that the important thing here is the identification of threats/vulnerabilities that can affect the organization (and the risk), and you can define the types that you need in your business. In ISO 27005 you can see an example of asset types.

    This article will also help you: What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • ISMS Feasibility


    Before you start implementing ISO 27001, you have to make sure your project will succeed - get the support of the top management, introduce project structure, etc. - this article will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    Once you start implementing ISO 27001, you have to make sure you implement all the elements in the right sequence - read this article for details: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Asset Identification for Contact Centers

    The key question here is who is in charge of this Client's database - are you controlling the database (i.e. setting the rules, administering it, etc.), or is the client controlling it and you simply have the access to it?

    If you are controlling the database, then it should be included in your ISMS scope, and you should perform the risk assessment (and treatment).

    See also this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/