Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
BS 31000
You're probably asking about ISO 31000, which in the British version is BS ISO 31000. This standard gives you guidelines on how to organize risk management in a company - this is important for security because security management is nothing else but mitigation of security risks.
These articles will also help you:
ISO 31000 and ISO 27001 How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Interested Parties and Their Requirements
1. Can I just group them instead of address them one by one specifically? By group, I mean it's like: supplier, customer, internal working unit, goverment agencies, etc..
2. About their requirements, do I have to quote it precisely (from contractual agreement, for instance) or can I use my own words?
Answers:
1) ISO 27001 does not say you need to identify each interested party individually, so yes - you can group them, as long as each interested party in a group has the same requirements.
2) Sure, you can use your own words. -
Do we need to place camera for server room?
ISO 27001 does not prescribe what you need to place in the server room or what you should avoid - what ISO 27001 says is that you need to assess your risks, and install security controls accordingly. Therefore, if you have risks of unauthorized access to your server room, then it is a good idea to install the video surveillance.
This article will also help you: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Not implementing 8.2
Theoretically, it is possible to accept any kind of risk.
By the way, the risks are accepted (or not accepted) by only analyzing the risks, not by analyzing associated controls. Usually, the risks that would require classification are related to confidential information.
If you handle some confidential information from your clients, usually the risk is that people handling those information won't know the rules for protecting such confidential information. Therefore, in such cases classification and associated rules for protection are the best way to resolve such risk - so in most cases controls from A.8.2 are found applicable. -
Business continuity certifications for individuals
These certifications are each based on different methodology - CBCI is based on BCI' Good Practice Guidelines, CBCP on DRII's Professional practices, while Lead Implementer/Lead Auditor are based on ISO 22301 standard.
Currently it is not clear which certification can bring you more benefits because BCI and DRII are established in the market for a very long time; however ISO 22301, similar to other ISO standards, is becoming more and more predominant, so I expect that in couple of years certifications related to ISO 22301 will have the best perspective.
See also this article: Lead Auditor Course vs. Lead Implementer Course Which one to go for ? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/ -
Treating server as a single asset or viewing it separately for hardware and soft
Like this:
Asset 1: Application
Asset 2: server on which the application runs
or
Asset: Application / server
Answer:
ISO 27001 allows you to do it both ways. First approach you mentioned is better if you want to get more precise results during the risk assessment, whereas the second approach is probably better for smaller companies where you want to finish your risk assessment quickly. -
Assessing consequences in risk assessment
Thanks for that explanation.
It was very helpful for me. -
ISO 27001 risk methodology and corporate guidelines according to ISO 31000
Whether you will change your information security Risk assessment methodology or not, this depends on what you will write in your enterprise risk management (ERM) documents (per ISO 31000). So if your corporate ERM documents allow greater freedom for risk management in particular areas, then you probably won't have to change your ISO 27001 risk methodology, and vice versa.
See also this article: ISO 31000 and ISO 27001 How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ -
Context of the organization in ISO 27001
Yes, you are right, it is not necessary to have a document for the clause 4.1, but the auditor can request you evidences of implementation. If you want to know the list of mandatory documents of the standard, please see this article "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Difference between A.8.1.3 and A.8.2.3
A.8.1.3 is a general control aiming at rules for acceptable use of assets - those rules can range from physical protection of the laptop all the way to password complexity. See a note about the Acceptable Use Policy in this article: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
A.8.2.3 is a control where you have to describe the protection of your information assets based on classification. The general principle is: the higher the classification level, the more protection you need. See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/