Theoretically, it is possible to accept any kind of risk.
By the way, the risks are accepted (or not accepted) by only analyzing the risks, not by analyzing associated controls. Usually, the risks that would require classification are related to confidential information.
If you handle some confidential information from your clients, usually the risk is that people handling that information won't know the rules for protecting such confidential information. Therefore, in such cases classification and associated rules for protection are the best way to resolve such a risk - so in most cases controls from A.8.2 are found applicable.
Business continuity certifications for individuals
These certifications are each based on a different methodology - CBCI is based on BCI's Good Practice Guidelines, CBCP on DRII's Professional Practices, while Lead Implementer/Lead Auditor are based on the ISO 22301 standard.
Currently it is not clear which certification can bring you more benefits because BCI and DRII have been established in the market for a very long time; however, ISO 22301, similar to other ISO standards, is becoming more and more predominant, so I expect that in a couple of years certifications related to ISO 22301 will have the best perspective.
Treating server as a single asset or viewing it separately for hardware and soft
Like this:
Asset 1: Application
Asset 2: server on which the application runs
or
Asset: Application / server
Answer:
ISO 27001 allows you to do it both ways. The first approach you mentioned is better if you want to get more precise results during the risk assessment, whereas the second approach is probably better for smaller companies where you want to finish your risk assessment quickly.
Assessing consequences in risk assessment
Thanks for that explanation.
It was very helpful for me.
ISO 27001 risk methodology and corporate guidelines according to ISO 31000
Whether you will change your information security risk assessment methodology depends on what you will write in your enterprise risk management (ERM) documents (per ISO 31000). So if your corporate ERM documents allow greater freedom for risk management in particular areas, then you probably won't have to change your ISO 27001 risk methodology, and vice versa.
Therefore, if you resolve this situation with strict agreement with this business unit, you will still be compliant with ISO 27001.
ISO 27001 Risk Management
The problem is: is it necessary to have a clear link between a particular risk and a particular Annex A control? I mean, can each Annex A control (if we choose to implement it) be tracked down to a particular risk? And if that's the case, then what kind of risks lead us to controls such as A.5.1.1, A.5.1.2?
Answer:
Yes, it is necessary to link particular risks with controls from Annex A because you have to show this relationship in the Statement of Applicability (clause 6.1.3 d) - you have to provide justification for the inclusion of particular controls.
Regarding A.5.1.1 (Policies for information security) - basically you can select this control for any risk that is related to organizational issues; A.5.1.2 (Review of the policies for information security) - you can select this control whenever you have a risk related to documentation that is not updated.
Difference Between ISO 22301 & ISO 22316
ISO 22316 is not published yet - currently its status is "Under development" - see the official ISO website here: https://www.iso.org/standard/50053.html
It is difficult to say what the standard will contain before it reaches the "DIS" status (the official draft).