Search results

  • ISO 22301 and virtual servers

    Absolutely - ISO 22301 does not require you to have your own disaster recovery center. ISO 22301 requires you to prepare your activities so that they can recover their operations if your primary location is destroyed, so if you can do that using third-party services within the RTO (Recovery Time Objective), then you do not need to invest in your own DRC.

    As a consequence, more and more companies are using e.g. cloud services because they don't have to worry about physical infrastructure in case of a disaster.
  • objectives in the policy document

    Information security objectives should be no different from the ISMS objectives; however, you could have different interpretations of these terms:
    1) "information security objectives" could be interpreted as a generic term for any kind of objectives related to information security, whereas
    2) "ISMS objectives" could be interpreted as top-level information security objectives for your overall ISMS - usually, these are the ones set in the top-level Information Security Policy

    This means you could also have lower-level information security objectives for your processes, controls, departments, etc.

    This article can also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • BCM manual

    Thanks for your comment, dmikulsk - I understand your point that a BCM manual can be a useful document to describe the business continuity process; however, wouldn't the ISO 22301 standard itself be a better document for that purpose?
  • asset ownership

    Vahagn,

    You can find the answers to your questions in this blog post: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    Basically, the owner of the asset should be a person who can directly control the protection of its confidentiality, integrity and availability.
  • How to document the external and internal context of the organisation

    Debasish,

    In my opinion, it is not necessary to write a separate document for the context of the organization (clause 4.1 in ISO 27001:2013) - you can cover it through these documents:
    - Business plan (if you have one)
    - ISMS Scope
    - List of requirements from your interested parties
    - Risk assessment report
  • step 1 of transition guide

    The first step in our white paper is about identifying the interested parties - please read this article, which explains this topic in detail: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    By "arrangement" you could have a written or oral agreement, or something similar.
  • Change the top-level policy

    Our white paper "Twelve-step transition process from ISO 27001:2005 to 2013 revision" suggests you can change the title of the policy if you wish, but this is not necessary; if you wish, you can also delete some items from the policy because they are not needed any more. However, if your ISMS Policy is compliant with ISO 27001:2005, you can leave it as it is and it will be compliant with ISO 27001:2013 as well.
  • How does an organization become able to audit / certify against 27001?

    An organization can start issuing ISO certificates if it becomes accredited, i.e. if it gets the license for doing such a job. The accreditations are issued by a local government body in each country - e.g. in the UK this is UKAS, whereas in the United States this is ANAB.
  • Incident management procedure - is A.16.1.5 a new control?

    I basically agree with you that there is no big difference between incident management controls in ISO 27001:2005 and ISO 27001:2013; the only difference is that control A.16.1.5 of the 2013 revision requires incident procedures to be documented, while controls in the 2005 revision did not have such a requirement.
  • step2

    I assume you refer to our free download "Twelve-step transition process from ISO 27001:2005 to 2013 revision"?

    An interface is something that stands between your ISMS and the outside world - for example, if room A is within the scope, and room B is out of the scope, then the door between those two rooms is an interface; if you have two segments on your local network, the network device that is in between them is an interface. Therefore, your ISMS scope has various interfaces as borders to the outside world.

    See also this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/