Information security policy - including references to clauses of ISO 27001 stand
Answer: Actually, there is no requirement in ISO 27001 that Information Security Policy should cover all the information security aspects.
What you suggest is quite common - many companies insert references to detailed policies in the top-level Information Security Policy, but I see two potential problems with this approach:
1) You will need to update the Information Security Policy quite often - each time you create a new policy related to information security
2) You should show this Information Security Policy to many interested parties (requirement in ISO 27001 clause 5.2 g) - if it includes a list of all detailed policies, this could pose a potential threat (too many people will know which kind of internal rules you have)
To conclude, Statement of Applicability is the document where you must make such references - I think this is enough, you don't have to do it again in the Information Security Policy.
What types of evidence are normally obtained for each of the controls
Further question:
> What is vague to me is what operating procedures are in the control A.12.1.1. I work at a very large company and we have many different operating segments and thousands of people who work in operations, so that is why I was unsure about how much detail is needed.
The objective of section A.12.1 is "To ensure correct and secure operations of information processing facilities" - therefore, the operating procedures here refer to IT operations. In other words, for control A.12.1.1 you need to check only your IT procedures.
Regarding the question of detail - I would say that each of the controls that you select as applicable from the section A.12 should be covered with some document - they can all be covered in a single document, or each could have a separate document; the documents could be more or less detailed - all this doesn't matter as long as you have all these controls documented.
But if you are a larger organization, chances are that you already do have all of these documents.
Who writes the Statement of Applicability?
Answer: ISO 27001 does not define who should write the Statement of Applicability, but good practice is that this document is written by the person who is the project manager for the ISO 27001 implementation - in most cases this is the CISO. The project manager/CISO is usually in the best position to collect all the information from other departments and enter it into the SoA.
If you had several people updating the SoA, you would have a problem of integrity of this document.
ISO 27001 does not require you to determine the maturity level of the controls, it only requires you to state whether they are implemented or not (clause 6.1.3 d).
Why does Annex A folder in the Toolkit include A.6-A.16 and not A.1-A.5?
Actually, the reason is very simple - in the standard itself, the sections A.1 to A.5 do not exist (Annex A of ISO 27001). The reason for this is that Annex A is directly related in numbering to ISO 27002, and sections 1 to 5 in ISO 27002 are not very important.
Section A.18 (Compliance) is covered in folder 02 Procedure for Identification of Requirements.
Project Planning - does the calculator results implementation time for all of th
Our Implementation Duration calculator gives you an estimate of the implementation time of the whole project, including the controls.
I agree with you that asset identification and risk assessment go rather quickly, but the implementation of controls (and their acceptance by all the employees and the top management) is something that takes a long time. Of course, you can do it in a shorter time, but in such cases it is a big question whether all controls would really work if needed.
Statement of Applicability for network security
Answer: I assume that by SOA you refer to the Statement of Applicability. ISO 27001 requires that the Statement of Applicability lists all the controls from Annex A - in Annex A of ISO 27001:2013 you have 3 controls dealing with network security in the sub-section A.13.1 Network security management.
So there is no separate Statement of Applicability for network security - you need to list those controls in your existing Statement of Applicability.
Narrow ISMS scope and an Information Security policy for the whole organization
Just to clarify the terminology first: ISO 27001:2013 does not require an ISMS Policy any more - the top-level policy in ISO 27001 is now called an "Information security policy".
So basically, if you plan to certify a smaller scope than the whole ISMS policy or Information security policy, you should have the following:
1) Information security policy (top-level policy) - it can cover a wider scope than your ISMS scope
2) ISMS Scope definition - of course, it has to describe the ISMS scope precisely as you will certify it
3) Statement of Applicability - it should cover the controls for your ISMS scope only
4) Other information security policies (e.g. Classification policy, Backup policy, Access control policy) can cover a wider scope than your ISMS scope
What will the ISO 22301 certification auditor check?
Answer: The auditor will check all your documents (mandatory and non-mandatory), and if your activities comply with all those documents.
I am asking the question because I got a screenshot of the list of documents in the certification process of a company ... for example there are documents such as 7.5, 7.2, 5.1 that aren't mandatory.
Answer: The certification auditor must check not only all the documents you have for BCMS, but also if your activities have complied with all clauses 4 to 10 of ISO 22301. Therefore, even if you don't have documents for some clauses, the certification auditor will still check if you have complied with those clauses.
By the way, clause 7.2 says you must have documented information as evidence of your training.
Could I think that if I don't have a mandatory document then I will have a major nonconformity, or not?
Answer: The auditor will raise a major nonconformity: (1) if you don't have all the mandatory documents, (2) if your activities fail to comply with a complete clause of ISO 22301, and (3) if your activities fail to comply with a complete requirement from your own BCMS documentation.
What does RTO mean?
We've received the following question:
#1. The Recovery Time Objective (RTO) is the maximum amount of time within which an activity needs to be resumed at the MBCO level (Minimum Business Continuity Objective), or
#2. The Recovery Time Objective (RTO) is the maximum amount of time within which an activity needs to be resumed at full capacity.
The recovery time objective is the target time set for resumption of product, service or activity delivery after an incident. RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy, so this means that option #1 is the correct one.