
  • Policy Version Control

    For your Information security incident management policy I think it would be better to continue from the old version number - this is because your policy is not a new one, it has a continuity from the old policy that existed before the merger with the QMS document.
  • Difference between clauses 5.1.e and 6.1.1.a of ISO 27001:2013


    Answer:

    Both clauses you refer to have the same text, however clause 5.1 e) refers to the responsibilities of the top management, while clause 6.1.1 a) refers to anyone who performs the planning of the ISMS.
  • Interpretation of A.14.2 : Security in development and support processes

    Sub-section A.14.2 (Security in development and support processes) applies to any kind of development: software or other type. However, the controls in this sub-section suggest that this development must be related to information systems. So you might have some kind of a development of new products in your systems which do not require any software development.
  • ISO 27001 Implementation

    You'll find 2 case studies about the ISO 27001 implementation here:

    ISO 27001 Case Study – Lessons Learned from ISO 27001 Implementation https://advisera.com/27001academy/blog/2012/03/12/lessons-learned-from-iso-27001-implementation/
    ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
  • A question about asset inventory


    Yes, the inventory of assets is a mandatory document (provided that you selected control A.8.1.1 as applicable). The asset inventory can be in the form of an Excel sheet, or a software/database - you can select the form that suits you best. It does not have to be signed by the top management.

    See also this article: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Taking into account the existing controls during the risk assessment


    Answer:

    Yes, when you assess the impact and the likelihood, you have to take into account the existing controls. In such cases, in the column "Existing controls" you can fill in just a plain description of the control, without referring to ISO 27001 or ISO 27002.
  • Certificate validation


    Answer:

    The ISO website has nothing to do with the certificates issued to companies; the purpose of ISO is only to publish the standards.

    You should check whether your certification body has the license to issue certificates - i.e. you have to check whether they have the accreditation issued by your local accreditation body (this is usually a government agency). For example, the accreditation body in the United Kingdom is UKAS.
  • Difference in business continuity in 27001:2005 and 27001:2013


    The difference in business continuity between the 2005 and 2013 revisions of ISO 27001 is the following:

    The 2005 revision required business continuity to be implemented in the whole scope of the ISMS
    The 2013 revision requires business continuity to be implemented only for the information security aspects of the ISMS - i.e. only for security processes and technology - therefore, the new revision requires less work to be done for business continuity

    It is true that by implementing business continuity for ISO 27001 the company does not automatically get ISO 22301; however, it is my opinion that it does make sense to implement both of these standards together. The reason for this is that ISO 27001 does not provide any methodology for the business continuity implementation, while ISO 22301 offers a very good methodology for it; further, these two standards are highly compatible, and the implementation of ISO 22301 as part of ISO 27001 requires perhaps only 10% extra effort.

    See also this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Information Asset: Business Applications and their Scope

    I mean almost the same as what you wrote in your last sentence: that if I include in my scope only the hardware and the system software, then I will leave out the most important (business) data that is stored on those servers and which is important for the company's business processes. So that's why I think that the scope should first include the most important business processes, and during the risk assessment the data center will be identified as one of the important assets itself, to which the ISMS should spread, and of course the other assets which will be identified in the data center and outside of the data center as well.
  • Business Continuity Plan Template

    Standards like ISO 22301 or ISO 27001 do not prescribe whether you will have your continuity procedures as part of a single document, or whether you will separate them into several documents.

    From my experience, the optimal structure for mid-sized and for large companies is the following: write a top-level document called Business continuity plan, a separate Incident response plan describing how you would respond to different incidents, and finally Recovery plans that describe how to recover each of your processes/departments/projects in case of a disruption. For smaller companies you could have all of the above in a single document called the "Business continuity plan".

    So if you are a mid-sized or a large company, you could write a recovery plan for each of your projects.

    The detailed recovery steps for IT should go into the "Disaster recovery plan", which is nothing else but a more detailed Recovery plan.