
  • Regarding ISMS certification and accreditation


    This article will help you: How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    As the last date for an organization to comply with the ISO 27001:2013 version is September 2015, do I need to have ISMS 2013 certification prior to that? Please do let me know in case I need to renew my certification prior to its expiry.

    Answer: No, there is no requirement for individuals to renew their personal certificates.

    Please provide the link to go through the presentation which you have shared with everyone. I couldn't find the same. Thanks.

    Answer: I'm not sure which presentation you refer to, but here you'll find lots of free materials: https://advisera.com/27001academy/free-downloads/
  • KPI for IT Disaster Recovery

    1. RTO
    2. RPO
    3. Training Workshops
    4. DR Drills and improvements

    Please advise on how to enhance these KPIs and what more needs to be define...

    Answer:

    The things you mentioned are not Key Performance Indicators; these are simply necessary elements to implement disaster recovery / business continuity. Here are a couple of articles that will help you with those elements:

    How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    You'll find quite good guidelines for testing & exercising in NFPA 1600 - see also this article: NFPA 1600 vs. ISO 22301 – Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/
  • Information Risk Management


    For doing a consultant job, use this article: How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    Risk assessment in a manufacturing company is not different from risk assessment in other types of companies. These articles will help you:

    How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • ISO 22301

    Here's an article that explains the differences: https://www.corexchange.com/blog/disaster-r*******************************************

    Regarding the main components of the business continuity plan, this article will help you: Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Confidentiality of Government Information

    Jeffrey,

    Every organization (even a government agency) has confidential information - e.g. passwords, client information, personal data like employee information, etc.

    Further, ISO 27001/ISMS is not only about protecting the confidentiality of the information - it is also about protecting the integrity and availability of the information. For instance, what would happen if this agency loses its data or if its data gets corrupted?

    All of these are the reasons to implement ISO 27001, even in a government agency.
  • 7.2 Competence

    Itommy,

    An example of necessary competence could be a training plan, while an example of evidence of competence could be a certificate issued at the training.

    See also this article: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • Advantages/Disadvantages of Asset Based Risk Assessment

    Itommy,

    It is true that many companies are still using asset-based risk assessment, although the 2013 revision of ISO 27001 also allows other methods of risk identification.

    If you want to avoid missing generic risks when doing the asset-based risk assessment, you should develop a list of generic threats and then make sure you check them against each asset.

    Generally speaking, asset-based risk assessment is more precise than others because it focuses on each element that contains information (or could endanger the information), while on the other hand it is rather complex and lengthy. Other methodologies have still not proved themselves, so it will take a couple of years more to show which will prove better in practice.
  • User profiles in Access Control Policy


    For instance, software engineers get access to production servers and related services as needed to perform their work.

    Answer:

    For very small companies it might be enough to define who has to access what based on their job titles, but if you have more than 20 employees it would become too difficult to define access rights by job title only - there will be too many different functions.

    Therefore, if you're not a very small company I think it would make sense to develop at least one user profile that would be applicable to every employee (e.g. access to internal file server, email system, core application, etc.) and then you can define some privileges for particular employees as needed.
  • ISO 17799/27001/27002?


    ISO 17799 changed its name to ISO 27002 a couple of years ago - therefore, these standards were the same.

    Here you'll find an explanation of differences between ISO 27001 and ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    COBIT is a framework (not a standard) that is aimed at IT governance; therefore it is more IT-related than ISO 27001.
  • mandatory backup policy?

    https://community.advisera.com/topic/do-we-need-to-document-each-control/

    What is your list of mandatory documents based on? Why do you think some documents are not required to implement? Referring to your example, that no policy / procedure for backup is necessary, 27001 Annex A.12.3.1 clearly states: "Backup copies ... shall be taken ... in accordance with an agreed backup policy."

    This is only an example - generally speaking I am interested in the basis for your decision on whether documents are necessary in order to fulfill Annex A control objectives.

    Answer:

    The word "policy" in ISO standards does not mean that it has to be documented, i.e. written down. For example, a policy can also be verbal, but it could also be a policy that is included in an information system.

    A document must be written only if you see the word "documented" in the ISO standard - for example, the ISMS scope must be documented, whereas the backup policy does not have to be documented.

    See here a list of mandatory documents required by ISO 27001: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/