Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Business Continuity Plan Template
Standards like ISO 22301 or ISO 27001 do not prescribe whether you will have your continuity procedures as part of a single document, or will you separate them in several documents.
From my experience, the optimal structure for mid-sized and for large companies is the following: write a top-level document called Business continuity plan, a separate Incident response plan for describing how you would respond to different incidents, and finally Recovery plans that describe how to recover each of your processes/departments/projects in case of a disruption. For smaller companies you could have all the mentioned in a single document called the "Business continuity plan".
So if you are a mid-sized or a large company, you could write a recovery plan for each of your projects.
The detailed recovery steps for the IT should go into the "Disaster recovery plan" which is nothing else but a more detailed Recovery plan. -
Convincing top management about the ISMS implementation
No matter if the ISMS is mandatory by the law, you still have to convince the top management about the business benefits of such implementation - this article will help you: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
2. How define which are our organizations actives and their owners during risk assessment when this organizations makes technical supporting (all of the other organizations servers are with us and also IT stuff, netflow etc.) to ministry and other organizations as well. I'm asking this question because I'm the organization's infosec manager which supports other oranizations technically and also other organizations have their infosec manager as well so how define which are our actives on the certain p rocesses when we are supporting to other organizations processes technically.
Answer:
If you are managing assets from other organizations, then these other organizations need to define their asset owners and risk owners. You can define asset owners and risk owners only for your own assets.
This article may help you: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
ISO 27002 clarification
First of all, ISO/IEC 27002:2013 is not a management standard - ISO 27002 is only a guideline on how to implement the security controls from ISO 27001. See also this article: ISO 27001 vs ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
ISO 27001:2013 is a management standard, and it is the only management standard in the ISO 27k series. This 2013 revision of ISO 27001 had a predecessor (2005 revision of ISO 27001), so this might have caused the confusion.
See also this article: Infographic: New ISO 27001 2013 revision What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/ -
BS 31000
You're probably asking about ISO 31000, which in the British version is BS ISO 31000. This standard gives you guidelines on how to organize risk management in a company - this is important for security because security management is nothing else but mitigation of security risks.
These articles will also help you:
ISO 31000 and ISO 27001 How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Interested Parties and Their Requirements
1. Can I just group them instead of address them one by one specifically? By group, I mean it's like: supplier, customer, internal working unit, goverment agencies, etc..
2. About their requirements, do I have to quote it precisely (from contractual agreement, for instance) or can I use my own words?
Answers:
1) ISO 27001 does not say you need to identify each interested party individually, so yes - you can group them, as long as each interested party in a group has the same requirements.
2) Sure, you can use your own words. -
Do we need to place camera for server room?
ISO 27001 does not prescribe what you need to place in the server room or what you should avoid - what ISO 27001 says is that you need to assess your risks, and install security controls accordingly. Therefore, if you have risks of unauthorized access to your server room, then it is a good idea to install the video surveillance.
This article will also help you: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Not implementing 8.2
Theoretically, it is possible to accept any kind of risk.
By the way, the risks are accepted (or not accepted) by only analyzing the risks, not by analyzing associated controls. Usually, the risks that would require classification are related to confidential information.
If you handle some confidential information from your clients, usually the risk is that people handling those information won't know the rules for protecting such confidential information. Therefore, in such cases classification and associated rules for protection are the best way to resolve such risk - so in most cases controls from A.8.2 are found applicable. -
Business continuity certifications for individuals
These certifications are each based on different methodology - CBCI is based on BCI' Good Practice Guidelines, CBCP on DRII's Professional practices, while Lead Implementer/Lead Auditor are based on ISO 22301 standard.
Currently it is not clear which certification can bring you more benefits because BCI and DRII are established in the market for a very long time; however ISO 22301, similar to other ISO standards, is becoming more and more predominant, so I expect that in couple of years certifications related to ISO 22301 will have the best perspective.
See also this article: Lead Auditor Course vs. Lead Implementer Course Which one to go for ? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/ -
Treating server as a single asset or viewing it separately for hardware and soft
Like this:
Asset 1: Application
Asset 2: server on which the application runs
or
Asset: Application / server
Answer:
ISO 27001 allows you to do it both ways. First approach you mentioned is better if you want to get more precise results during the risk assessment, whereas the second approach is probably better for smaller companies where you want to finish your risk assessment quickly. -
Assessing consequences in risk assessment
Thanks for that explanation.
It was very helpful for me.