
  • ISO 22301 certification


    There is a difference between accreditation bodies and certification bodies: certification bodies issue certificates to companies, while accreditation bodies are government agencies which give approvals (accreditations) to certification bodies.

    Therefore, UKAS provides accreditations not only for ISO 9001 but also for ISO 22301 and other standards. You should check https://www.ukas.com to see which certification bodies they have accredited.

    In the United States the accreditation body is ANAB https://www.anab.org.
  • Status of controls


    The ISMS manual is not a required document; however, ISO 27001:2013 clause 6.1.3 d) requires you to identify the status of each control in your Statement of Applicability.

    These articles will help you:

    Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
    The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • A clarification on risk assessment/ treatment


    ISO 27001:2013 does not require you to comply with ISO 31000, nor with ISO 27005 when performing your risk assessment - basically, you have to create your own risk assessment methodology (compliant with ISO 27001) that suits your company.

    See also these articles:

    How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Interpreting the control A.8.1.1

    You'll find the answer here: https://community.advisera.com/topic/iso-27001-2013-amended-version/
  • What is cybersecurity?


    Although this distinction is not yet clearly established, I would say that cybersecurity deals only with digital information, while information security deals also with information in other media (e.g. paper).

    See also this article: What is cybersecurity and how can ISO 27001 help? https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/
  • ISO 22301 Implementation


    You can implement ISO 22301 without ISO 27001 rather easily - although these two standards are highly compatible, they can be implemented separately without major problems.

    These materials will help you:

    article 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
    webinar ISO 22301: An overview of BCM implementation process https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar/
  • Asset Identification

    William,

    ISO 27005 is not a mandatory standard; it is only a guideline that you may or may not choose to follow. The only relevant requirements for risk assessment are those written in ISO 27001.

    ISO 27001 does not require classification into primary and secondary assets, and in our view such a classification may be misleading - this is why we did not recommend such an approach in our templates. For instance, I do not think that your core software is more important as an asset than your system administrator - they are both very valuable for the company, and they both carry very high risks.

    To answer your question, I think that you should identify threats and vulnerabilities for all of your assets, no matter how you classify them. However, ISO 27001 does allow you the flexibility to define your own methodology, which means that in theory, you could use some simplified risk identification method for "secondary" assets.
  • Regarding NC


    An ISO 27001 certification auditor audits against ISO 27001; therefore, he/she does not raise nonconformities against ISO 27002. ISO 27002 is only guidance; it is not a standard against which you can get certified.

    See also these articles:

    ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Regarding "information security objectives and planning to achieve them"

    In accordance with clause 5.2 b) "Top management shall establish an information security policy that includes information security objectives (see 6.2) or provides the framework for setting information security objectives", you can include objectives in the Information Security Policy.

    And yes, you can have a single document for all objectives (general and specific security objectives), but it is not our recommendation, because they are different types of objectives and we think that it is better to separate them into different documents (the policy for general objectives and the SoA for specific ones).

    Finally, remember that you can use our templates: Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/ and the Statement of Applicability https://advisera.com/27001academy/documentation/statement-of-applicability/
  • ISO 27001-2013 - Amended Version


    "A.8.1.1 - Inventory of Assets - has changed from

    Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained

    to

    Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained

    Are you able to advise what this change means please?"

    Answer:

    This amendment has corrected the mistaken reading that only assets associated with information and IT need to be identified; you should identify some other assets as well (e.g. human resources), and this is the reason for the change.