Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
mandatory backup policy?
https://community.advisera.com/topic/do-we-need-to-document-each-control/
What is your list of mandatory documents based on? Why do you thing some documents are not required to implement? Referring to your example, that no policy / procedure for backup is necessary, 27001 Annex A.12.3.1 clearly states: Backup copies ... shall be taken ... in accordance with an agree backup policy."
This is only an example - generally speaking I am interested in the basis for your decision on whether documents are necessary in order to fulfill Annex A control objectives.
Answer:
Word "policy" in ISO standards does not mean that it has to be documented, i.e. written down. For example, policy can we also verbal, but it could also be a policy that is included in an information system.
A document must be written only if you see a word "documented" in ISO standard - for example, ISMS scope must be documented, whereas Backup policy does not have to be documented.
See here a list of mandatory document required by ISO 27001: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Who can access the Business continuity plan?
* All employees?
* Only those involved ? This document contains procedures, phone numbers, sensible info...
* Third parties: For contract for instance, they need to know all content? or only that we have a system in charge.
Answer:
You should follow the Need-to-know basis rule - only those people (internal or external) that need to see a document should have the access to it.
Further, if you already don't have the Classification policy you should develop it and then classify your Business continuity plan accordingly. Here's an article that will help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ -
Which comes first in risk assessment: threat or asset?
ISO 27001 does not prescribe any method for risk assessment, which means your method is acceptable and you should use it if you feel comfortable with it.
However, with such approach you might miss some very specific threats related to some "smaller" assets, which could bring higher risks - for example, smart phones.
Therefore, you could perhaps choose this method: first list all the threats you can think of and include them in the catalog in the Risk assessment table; once this is finished you can start listing all the assets and connect related threats and vulnerabilities with those assets.
This article can also help you: ISO 27001 risk assessment: How to match as sets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
Regarding ISO 27001
I'm not sure if I understood your situation correctly, but here are the answers:
If a location has changed, this means you have to change your ISMS scope.
For any significant change a risk assessment has to be performed/reviewed, which will most probably result with new required controls.
The fact that the third party service provider is ISO 27001 certified doesn't change much - still a risk assessment must be performed, and risks related with a third party must be addressed in the agreement.
These articles will help you:
ISO 27001 risk assessment: How to match assets, threats and vulnerabilities ISO 27001 risk assessment: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
Security Policy Information
Yes, you are correct - if you reviewed the policy and no changes were needed, then there is no need to republish such a document. This is basically true for any of your policies and procedures.
However:
1) I find it quite difficult to believe there would be nothing to change in a document after a one-year period.
2) Even if there is absolutely nothing to change, you should have some kind of a record that particular person has reviewed the policy and that the conclusion is there were no changes needed - this could also be done through email.
By the way, 2005 revision of ISO 27001 is not valid any more - currently 2013 revision of ISO 27001 is published, but basically the requirements about reviewing the policies and procedures remained the same. See also: A first look at the new ISO 27001 (2013 draft version) https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/ -
Business Continuity Question
I'm not really sure what is required by SOC 2, but in ISO 22301 the Business continuity policy has a very different function from the Business continuity plan, and therefore these two documents are normally separated.
However, merging those two documents is not forbidden in ISO 22301 - therefore you could theoretically do it although it would be a bit strange and impractical.
See also this article: The purpose of Business continuity policy according to ISO 22301 https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/ -
Need guidence on IT Sec
These articles can help you:
How to learn about ISO 27001 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
Regarding online classes, you can take a look at our live online trainings via webinar: https://advisera.com/27001academy/webinars/ -
Do we need to document each control?
You do not need to document each control - otherwise you would end up with numerous documents which would become an overkill for you. For instance, you could choose backup as applicable control, and define in the SoA that you will perform backup every 24 hours, but you do not need to write a policy or a procedure for it.
Click here to see which documents are mandatory: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Why write policies before the risk assessment
You need to define the scope before your risk assessment, because you need to know for which areas/departments of your company you need to perform the risk assessment.
Regarding policies, you will write only the top-level Information security policy before the risk assessment, all the other policies you need to write after the risk assessment.
See also this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ -
Enterprise risk management and ISO 27001
2. The revised standard expect to incorporate the information security risk with the other enterprise level risk framework
Given the above two expectation, can you pls elaborate how we could integrate the asset base approach and enterprise level risk?
Answer:
First of all, ISO 31000 is not mandatory for ISO 27001:2013 - see this article: ISO 31000 and ISO 27001 How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
Second, information security risks are only a subset of enterprise risks - therefore, you cannot cover all the enterprise risks with information security risk assessment.
Therefore, in my opinion the bes t solution is to use more detailed methodology (e.g. asset based or similar) for information security risk assessment, and use some other methodology for other risks in your company.