Residual risk is the risk that remains after the treatment of risks - for example, if you had a risk with a level of 9, and by treating it you have reduced it to 6, this level of 6 is the residual risk.
After you calculate this residual risk, you have to see whether it is acceptable - for example, if your acceptable level of risk is 7, this would mean that this residual risk of 6 is acceptable; if your acceptable level of risk is 5, in that case you would need to reduce this risk further, or ask the risk owners to explicitly accept such a risk without reducing it further.
Which are better ways to test the BCP?
Answer: Theoretically, the best way to test your business continuity plan would be the so-called "Full-scale exercise" - it simulates the real incident as closely as possible, and includes not only your organization but also your partners and suppliers who have some role in business continuity.
Of course, it would be very difficult to organize such a test in a large organization, at least in the beginning - therefore, it would be best to start with easier tests (checklists, tabletop exercises), and gradually, over the years, progress towards more complex ways of testing.
You can find additional information about testing and exercising in A.8 of NFPA 1600-2013 Annex A, or in PD 25666:2010 (Guidance on exercising and testing for continuity and contingency programmes).
To answer your question directly, only those employees for whom the risks are higher should sign the NDA - this can also include you as their boss if there are risks that need to be decreased using this control. Therefore, first do your risk assessment and then decide who needs to sign the NDA.
How can I build my career in ISO 27k implementation and auditing?
Is there a way I can join your reputed organization as a trainee?
We are providing only online services, so for classroom training and to become a trainee you should look for some organizations in the UK - e.g. certification bodies like BSI, SGS, BV, DNV, but also organizations like IT Governance.
Applicable legislation control in ISO 27001
You need to identify only the laws, regulations and contractual obligations that could influence the security of your information.
How will we evaluate the deliverables of the consultant?
I have been asked by the top management how we will evaluate the deliverables of the consultant. My answer to them was that the consultant will be applying an international standard, but I think this is not sufficient. I am wondering if there is a way other than real testing (since testing will not be carried out by the consultant) to evaluate the BIA, the RA or the BCP developed by the consultant, especially since I will have to sign off after each phase that the consultant's deliverables are acceptable.
To summarize: how can I evaluate the consultant's work regarding the BIA, RA, BCP and strategy without real testing of the plan? In other words, is there a clear KPI to mention in the SLA?
Answer: This is a tough question. Frankly, I'm not aware of any KPIs with which you would be able to measure the quality of a consultant's work. If you were going for certification, this would be one way to verify whether what he has done was satisfactory.
But, to ensure that the consultant does a good job, you can do this:
1) When selecting a consultant, use this List of questions to ask your ISO 27001/ISO 22301 consultant - you can download it here: https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-iso-22301-consultant/
2) In the agreement, write that you have to approve every document before you pay him.
3) If you won't go for the certification, hire someone to review all the documents the consultant has written.
However, the alternative could be that you implement the BIA, RA, BC strategy and BCP yourself, since the implementation, training and testing will be done by yourselves anyway. You can get all the know-how here: https://www.iso27001standard.com/en/se*************************************
Use old ISO 27001:2005 format for assessing the risks
The 2013 revision of ISO 27001 gives you greater freedom in performing the risk assessment, but you can certainly use the principle from ISO 27001:2005, where risks were identified based on assets, threats and vulnerabilities. The only extra thing you have to do because of the 2013 revision is to identify the risk owner for each risk.
Answer: Neither ISO 22301 nor ISO 27001 prescribes the level of competencies for business continuity - every company must determine its own level of competencies for its employees, based on the documentation you develop and the technology you are using. For instance, if you start using some new method of communication, then you need to train your employees for it.
The person who coordinates the business continuity project (e.g., the business continuity manager) usually goes for the 5-day Lead Auditor or Lead Implementer course for ISO 22301.
Responsibility for classifying the assets
- PUBLIC
- PRIVATE
- SENSIBLE
- CONFIDENTIAL
The question is, who is responsible for assigning this classification to the assets?
Answer: The ISO 27001 standard does not prescribe the responsibility for asset classification, but the best practice is that asset owners classify their assets. This is because they are in the best position to assess how confidential or how sensitive each of their assets is.
The asset inventory itself can be compiled by the information security manager, or by some other person who coordinates information security in your company.
Information Systems Audit Control
The control A.15.3.1 you refer to is from the old 2005 revision of ISO 27001 - in the new 2013 revision, almost the same control exists under A.12.7.1.
This control is not about logging user activities; it is about how to plan the audits of your information systems in order to minimize the disruption to business processes. In other words, you have to perform your audits carefully, so as not to corrupt your operational systems.
By the way, you'll find the best guidance in the ISO 27002 standard.