  • ISO 27001 certification


    Answer: The 2013 revision of ISO 27001 has 14 sections in Annex A with 114 controls (it used to be 11 sections with 133 controls in the 2005 revision) - see details here: https://blog.iso27001standard.com/2013/10/08/infogr***************************************************

    Also, they tell me that they have only done an 'informal' risk assessment to determine their scope (and their scope does not have definite parameters at this point). Does a certification audit require documented evidence of a formal risk assessment as it pertains to Information Security to pass certification?

    Answer: ISO 27001 requires you to document both the methodology for risk assessment, and the risk assessment results - if you didn't document these, you will fail the certification. Read also this article: List of mandatory documents required by ISO 27001 (2013 revision) https://blog.iso27001standard.com/2013/09/30/list-of-ma******************************************************
  • How to update isms policy and risk assessment


    Thanks for reading my blog. Regarding the maintenance of your documents:
    1) You should nominate owners for each of your documents, and those owners should review the documents and decide if they need to be updated
    2) For risk assessment you should send the previous year risk assessment sheets to all the asset owners (or risk owners if you have them) and ask them if there are some new risks, and if the values of the existing risks have changed
    3) Very important - you need to produce all the records that are required by ISO 27001 and by your documentation - with those records you will show that you are doing everything that is required in your documentation.

    If you still haven't transitioned to the 2013 revision of ISO 27001, you have to do so by September 2015 at the latest - here are the steps: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Document control in ISO 27001/ISO 9001

    1. If I use the Procedure for Document Control of ISO 9001 for the implementation of ISO 27001, will that still satisfy any "documentation procedure" requirement in ISO 27001 by referring to the ISO 9001 "Procedure for Document Control"? If yes, how should the "document procedure" in ISO 27001 look?

    Answer: You do not need to write a separate Procedure for Document control only for ISO 27001 - this doesn't make sense since the requirements of ISO 9001 and ISO 27001 for document control are almost identical, therefore you should have only one procedure for both your ISMS and QMS.

    2. If I share the Document Control of ISO 9001, can I still audit both ISO standards separately instead of doing an integrated audit?

    Answer: Yes, you can audit them separately.
  • ISO 22301 and virtual servers

    Absolutely - ISO 22301 does not require you to have your own disaster recovery center. ISO 22301 requires you to prepare your activities to recover their operations if your primary location is destroyed, so if you can do that using third-party services within the RTO (Recovery Time Objective), then you do not need to invest in your own DRC.

    As a consequence, more and more companies are using e.g. cloud services because they don't have to worry about physical infrastructure in case of a disaster.
  • objectives in the policy document

    Information security objectives should be no different from the ISMS objectives; however, you could have different interpretations of these terms:
    1) "information security objectives" could be interpreted as a generic term for any kind of objectives related to information security, whereas
    2) "ISMS objectives" could be interpreted as top-level information security objectives for your overall ISMS - usually, these are the ones set in the top-level Information Security Policy

    This means you could also have lower-level information security objectives for your processes, controls, departments, etc.

    This article can also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • BCM manual

    Thanks for your comment, dmikulsk - I understand your point that BCM manual can be a useful document to describe the business continuity process; however, wouldn't the ISO 22301 standard itself be a better document for that purpose?
  • asset ownership

    Vahagn,

    You can find the answers to your questions in this blog post: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    Basically, the owner of the asset should be a person who can directly control the protection of its confidentiality, integrity and availability.
  • How to document the external and internal context of the organisation

    Debasish,

    In my opinion, it is not necessary to write a separate document for the context of the organization (clause 4.1 in ISO 27001:2013) - you can cover it through these documents:
    - Business plan (if you have one)
    - ISMS Scope
    - List of requirements from your interested parties
    - Risk assessment report
  • step 1 of transition guide

    The first step in our white paper is about identifying the interested parties - please read this article, which explains this topic in detail: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    By "arrangement" you could have a written or oral agreement, or something similar.
  • Change the top-level policy

    Our white paper "Twelve-step transition process from ISO 27001:2005 to 2013 revision" suggests you can change the title of the policy if you wish, but this is not necessary; you can also delete some items from the policy if they are no longer needed. However, if your ISMS Policy is compliant with ISO 27001:2005, you can leave it as it is and it will be compliant with ISO 27001:2013 as well.