Search results


  • 10.8.5 Business Information systems

    Kaoutar,

    Control A.10.8.5 "Business Information Systems" existed in the old 2005 revision of ISO 27001 / ISO 27002, it does not exist any more in the 2013 revision of ISO 27001/27002.

    All the requirements for transfer of information are now covered in the section A.13.2 called "Information transfer". To cover these requirements, you should prepare a policy which defines basic rules for exchanging the information with third parties, and then sign agreements with them which are compliant with your policy.

    For example, see this Information Transfer Policy template: https://advisera.com/27001academy/documentation/information-transfer-policy/
  • Questions about ISO 27001 & ISO 22301 Premium Documentation Toolkit


    The templates for ISO 27001 and ISO 22301 are integrated into a single package because in my opinion it is very easy to implement these 2 standards together - see also this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    However, if you want to implement those standards separately, you can very easily separate the templates as well:
    1) For implementation of any of the standards you need to use folders 0, 1, 2, 5, 9, 10, 11, 12
    2) For implementation of ISO 27001 only, you need to use folders 3, 4, 6, 7 and 08 Annex A (A.6 to A.16)
    3) For implementation of ISO 22301 only, you need to use folders 08 Annex A - A.17

    Also I am wondering why the total templates is now 63 for the combo (ISO 22701 + 22301) while if I buy individually the ISO 27001 documentation templates would have been 43 and ISO 22301 templates are 33 making total of 76.

    Answer: This is because some of the documents are the same for both standards - e.g. Procedure for Document and Record Control, Procedure for Internal Audit, etc.
  • ISO 27001 - must you implement all the 133 controls?


    When implementing ISO 27001 you must implement only the controls that are applicable, that is - only those controls that are required per your risk assessment or per some other legal or contractual requirements. See also this article: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    By the way, new 2013 revision of ISO 27001 has 114 controls - see also this article:
    Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
  • Risk analysis tool

    Cesar,

    We do not use risk assessment tools because we are focused mainly on smaller and mid-sized companies - for such companies I think it is easier to use Excel sheets because it makes risk assessment much quicker; of course, larger companies will find it easier to perform risk analysis using some tool, but currently we cannot recommend any.

    You'll find more information about the dilemma whether to use a tool or not here: How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/
  • Preventive actions in ISO 27001

    The 27000:2013 refers to preventive actions as “an action aimed at getting rid of a potential noncompliance”. But there is no trace of “preventive” in 27001:2013. And in my opinion, there is no such thing as a potential noncompliance.
    Either you detect it, and then it is a detected noncompliance requiring a corrective action, or you do not detect it, and then it has no existence.

    Answer: It is true that in ISO 27001:2013 there are no requirements for preventive actions, however preventive actions are in fact included in risk assessment and treatment because the essence of risk management is to recognize a potential problem before it happens, and by treating it to prevent such an incident from happening.

    There are examples of potential noncompliance - e.g. if the top management is not investing enough in training and awareness, the nonconformities will not happen right away, they will happen in the future. Therefore, in this case the preventive action would be to invest more in training and awareness.
  • Clause to requires status of control in 27001:2013 SOA

    Chattavut,

    ISO 27001:2013 defines Statement of Applicability in clause 6.1.3 d), and it requires that SoA should state for each control "whether they are implemented or not" - therefore, you need to document their status in SoA.
  • Does the scope exclusions allow in 27001:2013

    Chattavut,

    ISO 27001:2013 allows the scope of the ISMS to be defined per the company decision - there are no restrictions whatsoever on which part of the company your ISMS is implemented in. However, ISO 27001:2013 says that you need to implement all the clauses of the standard from 4 to 10 - you cannot exclude any of these clauses from the implementation.
  • Risk Acceptance Criteria and Residual Risk

    Cesar,

    Residual risk is the risk that has remained after the treatment of risks - for example, if you had a risk that had a level of 9, and by treating it you have reduced it to 6, this level of 6 is the residual risk.

    After you calculate this residual risk, you have to see whether it is acceptable - for example, if your acceptable level of risk is 7, this would mean that this residual risk of 6 is acceptable; if your acceptable level of risk is 5, in such case you would need to reduce this risk further, or ask the risk owners to explicitly accept such risk without reducing it further.
  • Which are better ways to test the BCP?


    Answer: Theoretically, the best way to test your business continuity plan would be the so-called "Full-scale exercise" - it simulates the real incident as closely as possible, and includes not only your organization but also your partners and suppliers who have some role in business continuity.

    Of course, it would be very difficult to organize such a test in a large organization, at least in the beginning - therefore, the best would be to start with easier tests (checklists, tabletop exercises), and gradually throughout the years progress towards more complex ways of testing.

    You can find additional information about testing and exercising in A.8 of NFPA 1600-2013 Annex A, or in PD 25666:2010 (Guidance on exercising and testing for continuity and contingency programmes).
  • Who needs to sign an NDA?


    Signing a Non-disclosure Agreement is one of the controls that can be implemented according to ISO 27001. But, as with other controls in ISO 27001 it should be implemented only if there are risks that need to be decreased with such a control. See also this article: The basic logic of ISO 27001 - How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    To answer your question directly, only those employees where the risks are higher should sign the NDA - it can include also you as their boss if there are risks that need to be decreased using this control. Therefore, first do your risk assessment and then decide who needs to sign the NDA.