However, all this is theoretical because ISO 27003 was written in such an unreadable way that it wasn't much help for the implementation of ISO 27001:2005 either.
Documents of external origin
In your Procedure for document control you should specify only some general principles for controlling your external documents - e.g. who handles them, who decides whether they are necessary or not, etc. I wouldn't recommend that you specify which external documents are to be controlled in the Procedure because you would have to change your procedure too often.
Secure Development Policy
Here are the answers:
1) A repository is usually associated with software development and is a tool to archive the code that is developed; a secure repository is one where such code is protected - e.g. with encryption, access control, etc. - try to search Google and you'll find lots of examples.
2) Version control is related to software versions.
3) Security in software development life cycle - from ISO perspective, the best explanation is given in section 14.2 of ISO 27002:2013; for more than this you should get some books or attend a course.
ISO 27001 certification
Answer: The 2013 revision of ISO 27001 has 14 sections in Annex A with 114 controls (it used to be 11 sections with 133 controls in the 2005 revision) - see details here: https://blog.iso27001standard.com/2013/10/08/infogr***************************************************
Also, they tell me that they have only done an 'informal' risk assessment to determine their scope (and their scope does not have definite parameters at this point). Does a certification audit require documented evidence of a formal risk assessment as it pertains to Information Security to pass certification?
Answer: ISO 27001 requires you to document both the methodology for risk assessment, and the risk assessment results - if you didn't document these, you will fail the certification. Read also this article: List of mandatory documents required by ISO 27001 (2013 revision) https://blog.iso27001standard.com/2013/09/30/list-of-ma******************************************************
How to update isms policy and risk assessment
Thanks for reading my blog. Regarding the maintenance of your documents:
1) You should nominate owners for each of your documents, and those owners should review the documents and decide if they need to be updated
2) For risk assessment you should send the previous year's risk assessment sheets to all the asset owners (or risk owners if you have them) and ask them if there are any new risks, and if the values of the existing risks have changed
3) Very important - you need to produce all the records that are required by ISO 27001 and by your documentation - with those records you will show that you are doing everything that is required in your documentation.
1. If I use the Procedure for Document Control of ISO 9001 for the implementation of ISO 27001, will there still be any documentation procedure in ISO 27001 referring to the ISO 9001 "Procedure for Document Control"? If yes, what should the document procedure in ISO 27001 look like?
Answer: You do not need to write a separate Procedure for Document control only for ISO 27001 - this doesn't make sense since the requirements of ISO 9001 and ISO 27001 for document control are almost identical, therefore you should have only one procedure for both your ISMS and QMS.
2. If I share the Document Control of ISO 9001, can I still audit both ISO standards separately instead of an integrated audit?
Answer: Yes, you can audit them separately.
ISO 22301 and virtual servers
Absolutely - ISO 22301 does not require you to have your own disaster recovery center. ISO 22301 requires you to prepare your activities to recover their operations if your primary location is destroyed, so if you can do that using third-party services within the RTO (Recovery Time Objective), then you do not need to invest in your own DRC.
As a consequence, more and more companies are using e.g. cloud services because they don't have to worry about physical infrastructure in case of a disaster.
Objectives in the policy document
Information security objectives should be no different from the ISMS objectives; however, you could have different interpretations of these terms:
1) "information security objectives" could be interpreted as a generic term for any kind of objectives related to information security, whereas
2) "ISMS objectives" could be interpreted as top-level information security objectives for your overall ISMS - usually, these are the ones set in the top-level Information Security Policy
This means you could also have lower-level information security objectives for your processes, controls, departments, etc.
Thanks for your comment, dmikulsk - I understand your point that a BCM manual can be a useful document to describe the business continuity process; however, wouldn't the ISO 22301 standard itself be a better document for that purpose?