  • Regarding NC


    An ISO 27001 certification auditor audits against ISO 27001; therefore, he/she does not raise nonconformities against ISO 27002. ISO 27002 is only guidance; it is not a standard against which you can get certified.

    See also these articles:

    ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    Major vs. minor nonconformities in the certification audit: https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Regarding "information security objectives and planning to achieve them"

    In accordance with the clause 5.2 b) "Top management shall establish an information security policy that includes information security objectives (see 6.2) or provides the framework for setting information security objectives", you can include objectives in the Information security policy.
     
    And yes, you can have a single document for all objectives (general and specific security objectives), but this is not our recommendation, because they are different types of objectives and we think it is better to separate them into different documents (the policy for general objectives and the SoA for specific ones).
     
    Finally, remember that you can use our templates: Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/ and the Statement of Applicability https://advisera.com/27001academy/documentation/statement-of-applicability/
  • ISO 27001-2013 - Amended Version


    A.8.1.1 - Inventory of Assets  - has changed from
     
    Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained
     
    To
     
    Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained
     
    Are you able to advise what this change means please?

     

    Answer:

    This amendment has corrected the mistake that only assets associated with information and IT need to be identified; however, you should identify some other assets as well (e.g. human resources), and this is the reason for the change.
  • BIA MTPD Calculation

    Luc,

    You should log in to our Customer Portal https://epps.c************** where you will see all the videos. You have received login information through email when you purchased the product from us.
  • BIA & RA Review Period


    Neither ISO 27001 nor ISO 22301 prescribes how often the risk assessment and business impact analysis must be reviewed.

    However, once a year really is the best practice because of the following:

    1) If you are ISO 27001 or ISO 22301 certified, the certification auditor will want to see those reviews at each surveillance visit (which happen once a year - see this article: https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/)

    2) If you perform reviews less often, then there is a danger that your RA / BIA will become too outdated, because the pace of change (especially in IT) is really quick.
  • ISMS Scope Question


    This depends on where your most valuable information is located - if it is located in the HR/Finance departments, then they should be included in the ISMS scope; also, if you are a smaller company, it would be difficult to exclude such departments from the scope even if the information is not located there.

    This article explains this topic in detail: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Control 17.2 Redundancies


    The main issue in business continuity is timing, or to be more precise the recovery time objective (RTO). If the RTO is a couple of hours, you will be able to retrieve your EMS from the backup file; if the RTO is a couple of minutes, you won't be able to do it from backup, which means you will need to have something more than the backup.

    The RTO is determined through a process called business impact analysis - read more in this article: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Supplier relationships


    Both of these categories are your suppliers. However, they are not both equally risky for your company - therefore, after you perform your risk assessment you will realize that your stationery supplier does not pose a threat to your information, while the consultancy could - this means that you will have to apply certain controls to your consultant only.

    The point is - you do not divide the suppliers upfront based on their business. You should decide whether to apply security controls only after you perform the risk assessment, no matter what they do.

    Read also this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Evaluation of the impact of the identified risks


    To calculate the risk, you have to assess two main components: impact and likelihood. In most cases the scales for those two components are the same (e.g. low-medium-high for both, or 1 to 5 for both).

    However, if you assess business continuity risks, you can add additional weight to high impact if you feel this will better represent the resulting risk - in other words, you are free to set your risk assessment methodology as you see fit.

    Regarding the acceptable level of risk, it is set for the risk itself, not separately for the components (impact and likelihood).

    This article may help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Roles and responsibilities


    Answer: Information and communication technology should serve the business part of the organization; therefore, the person who is in charge of business continuity should set the rules for risk assessment and for continuity / disaster planning for all departments in a company, including the IT department.