
  • ISO27001 recertification to 2005 or 2013

    Mark,

    Re-certification against ISO 27001 is completely the same as the initial certification. Certification/re-certification against ISO 27001 2005 revision will be possible until October 2014 - after that, you will be able to certify/re-certify only against ISO 27001:2013.

    These articles will also help you:
    - How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/#2005
    - Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
  • Taking into account existing controls in the risk assessment


    Answer: During the risk assessment you should take into account the existing controls, because they decrease the probability of your risk.

    If we take the existing controls into account only in the risk treatment table, there will be a lot of risks that are actually already on the acceptable level, since the controls are already in use.

    Answer: This is true, but in your Statement of Applicability you will define those controls as applicable because you're already using them.
  • Linking the risk assessment with business continuity management


    Answer: The purpose of the risk assessment is to identify which incidents can happen to your company. Therefore, if you didn't perform the risk assessment and started writing your business continuity plans, then you have a high chance of not covering all major incidents in your response plans.

    Further, the purpose of business continuity management is to prevent some of the incidents. If you didn't know which incidents could happen, how will you be able to prevent them?
  • Qualitative and/or Quantitative Risk Assessment

    Ysong,

    ISO 27001 does not prevent you from mixing the qualitative and quantitative risk assessment, but frankly speaking such approach would be very unusual, and not very practical.

    The problem is that you have to assess consequences and likelihood in order to calculate the level of risk. If you have both consequence and likelihood assessed qualitatively (e.g. using a scale of 1 to 5), then it is not difficult to calculate the level of risk; however, if your consequence is e.g. 2 and your likelihood e.g. 13%, you wouldn't be able to use a formula - you would need to use tables with pre-defined logic, which could complicate the calculation.
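The two calculations discussed in the answers above (existing controls lowering the likelihood so that some risks are already acceptable, and a purely qualitative 1-5 scale versus a mixed qualitative/quantitative one that needs a lookup table), as an added worked example. This is illustrative code written for this page, not code from the original answers or from Advisera; the 1-5 scales, the probability banding table, the control reduction step and the acceptance threshold are all assumptions, not values prescribed by ISO 27001.

```python
"""Level-of-risk calculation: qualitative, mixed, and with existing controls.

Constructed example. The scales, banding table and acceptance threshold below
are assumptions for illustration, not values taken from ISO 27001.
"""

SCALE_MIN, SCALE_MAX = 1, 5

# Assumed banding table: (upper bound of probability range, 1-5 likelihood band).
# This is the "pre-defined logic" a mixed assessment needs; a plain formula
# cannot combine a consequence of 2 with a likelihood of 13% directly.
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.00, 5)]

# Assumed acceptance threshold on the 1-25 product scale.
ACCEPTABLE_RISK = 6


def _check_scale(value: int, name: str) -> None:
    """Reject anything that is not an integer on the 1-5 scale."""
    if isinstance(value, bool) or not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}")


def qualitative_risk(consequence: int, likelihood: int) -> int:
    """Both inputs qualitative (1-5): the level of risk is the plain product."""
    _check_scale(consequence, "consequence")
    _check_scale(likelihood, "likelihood")
    return consequence * likelihood


def likelihood_band(probability: float) -> int:
    """Map a quantitative likelihood (0.0-1.0) onto the 1-5 band via the table."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be between 0.0 and 1.0, got {probability!r}")
    for upper, band in LIKELIHOOD_BANDS:
        if probability <= upper:
            return band
    return SCALE_MAX  # unreachable with the table above, kept as a guard


def mixed_risk(consequence: int, probability: float) -> int:
    """Qualitative consequence combined with a quantitative likelihood."""
    return qualitative_risk(consequence, likelihood_band(probability))


def residual_likelihood(likelihood: int, control_reduction: int) -> int:
    """Existing controls lower the likelihood; it never drops below the scale minimum."""
    _check_scale(likelihood, "likelihood")
    if control_reduction < 0:
        raise ValueError("control_reduction must be non-negative")
    return max(SCALE_MIN, likelihood - control_reduction)


def assess(consequence: int, likelihood: int, control_reduction: int = 0) -> dict:
    """Inherent risk (no controls) versus residual risk (existing controls applied).

    control_reduction is the assumed number of likelihood steps the controls
    already in use take off the inherent likelihood.
    """
    inherent = qualitative_risk(consequence, likelihood)
    residual = qualitative_risk(consequence, residual_likelihood(likelihood, control_reduction))
    return {
        "inherent": inherent,
        "residual": residual,
        "acceptable": residual <= ACCEPTABLE_RISK,
    }


if __name__ == "__main__":
    # Purely qualitative: consequence 2, likelihood 3.
    print("qualitative 2 x 3 ->", qualitative_risk(2, 3))
    # Mixed: consequence 2, likelihood 13% -> band 2 via the table.
    print("mixed 2 with 13% ->", mixed_risk(2, 0.13))
    # Existing controls already in use take two likelihood steps off.
    print("with controls ->", assess(consequence=3, likelihood=4, control_reduction=2))
```

The `assess` result shows the point made in the earlier answer: with the existing controls counted during the assessment, a risk that looks like 12 without them comes out at 6 and is already on the acceptable level, so it would not need a treatment entry, only the corresponding controls marked as applicable in the Statement of Applicability.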
  • Document and Record Control Procedure for ISO 9001 and ISO 27001


    You can use your existing Procedure for Document Control for both ISO 9001 and ISO 27001, because ISO 9001 has the same requirements as ISO 27001 when it comes to document control. See also: ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/ - the fact that you have two different languages does not matter either.

    If you want to define the rules for information classification, you should do it in a separate policy - this is usually called Information Classification Policy - see also: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Control A.6.1.5 project management in ISO 27001:2013


    Answer: The standard only says that you need to address information security in any type of the project - this means you have to make sure that the information is protected in all your projects. Usually, this can be done the following way:
    - include security objectives in the overall project objectives
    - include security specifications in your project description
    - perform a risk assessment specifically for the project you are to undertake
    - make sure security rules/technology are included in all the steps/tasks of the project
    - test whether the project deliverables are compliant with the security specifications
  • ISO 27001 certification scope - include only HQ or also the branches?


    This really depends on the size of the company - if your company is really small, then you should include all your locations; if this is a large international corporation, then you should include only one location.

    This article can also help you: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Preparing Statement of Applicability


    ISO 27001 does not require a minimum or maximum number of controls to select, nor does it require you to select controls from every section of Annex A. Further, you can select controls that are not listed in Annex A - ones that you added on your own.

    When you look closely at Annex A, you will realize two things: (1) it is really difficult to exclude most of the controls because they are common sense - for example, it would be difficult to exclude the control for backup (A.12.3.1) or the control for anti-virus protection (A.12.2.1), and (2) at least 50% of the controls you had already implemented before you started your ISO 27001 implementation.

    In effect, most companies do not select less than 90 controls in the SoA. See also this article: Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
  • How much of Partial scope is permitted?

    You should identify the interested parties and the issues first, because interested parties may directly influence the scope itself - e.g. some of the government agencies may require you to implement ISMS in your whole company.

    See also this article: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Is the computerized machinery considered to be an asset


    Answer: Yes, I think that computerized machinery can be considered as assets if the corruption of the information they process could cause the machines to malfunction. When thinking about assets and risks, you should always think about what can compromise the confidentiality, integrity and availability of the information in those assets.

    Regarding the risk treatment of such computerized machinery, you have to see whether these computers are connected to a network, and if yes, how they are protected from intrusion; also, the question is who has access to those computers and how you ensure these people are handling the information in a proper way.