
  • Glossary of Terms about BCP

    You can find a short glossary of business continuity and information security terms here: https://advisera.com/27001academy/knowledgebase/glossary/
    You can also find one here: https://www.drj.com/resources/tools/glossary-2.html

    There is also a glossary of business continuity terms in my book Becoming Resilient: https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Why does Annex A folder in the Toolkit include A.6-A.16 and not A.1-A.5?

    Actually, the reason is very simple - in the standard itself, the sections A.1 to A.5 do not exist (Annex A of ISO 27001). The reason for this is that Annex A is directly related in numbering to ISO 27002, and sections 1 to 5 in ISO 27002 are not very important.

    Section A.17 (Business continuity) is covered in our Premium toolkit - see pricing here https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    Section A.18 (Compliance) is covered in folder 02 Procedure for Identification of Requirements.
  • Project Planning - does the calculator results implementation time for all of th

    Our Implementation Duration calculator gives you an estimate of the implementation time of the whole project, including the controls.

    I agree with you that asset identification and risk assessment go rather quickly, but the implementation of controls (and their acceptance by all the employees and the top management) is something that takes a long time. Of course, you can do it in a shorter time, but in such cases it is a big question whether all controls would really work if needed.
  • Statement of Applicability for network security

    Answer: I assume that by SOA you refer to the Statement of Applicability. ISO 27001 requires that the Statement of Applicability lists all the controls from Annex A - in Annex A of ISO 27001:2013 you have 3 controls dealing with network security in the sub-section A.13.1 Network security management.

    So there is no separate Statement of Applicability for network security - you need to list those controls in your existing Statement of Applicability.
  • Narrow ISMS scope and an Information Security policy for the whole organization

    Just to clarify the terminology first: ISO 27001:2013 does not require an ISMS Policy any more - the top-level policy in ISO 27001 is now called an "Information security policy".

    So basically, if you plan to certify a smaller scope than the whole ISMS policy or Information security policy, you should have the following:
    1) Information security policy (top-level policy) - it can cover the wider scope than your ISMS scope
    2) ISMS Scope definition - of course, it has to describe the ISMS scope precisely as you will certify it
    3) Statement of Applicability - it should cover the controls for your ISMS scope only
    4) Other information security policies (e.g. Classification policy, Backup policy, Access control policy) can cover the wider scope than your ISMS scope

    This article can also help you: One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
  • What will the ISO 22301 certification auditor check?

    Answer: The auditor will check all your documents (mandatory and non-mandatory), and whether your activities comply with all those documents.

    I am asking the question because I got a screenshot of the list of documents in the certification process of a company ... for example, there are documents such as 7.5, 7.2, 5.1 that aren't mandatory.

    Answer: The certification auditor must check not only all the documents you have for BCMS, but also if your activities have complied with all clauses 4 to 10 of ISO 22301. Therefore, even if you don't have documents for some clauses, the certification auditor will still check if you have complied with those clauses.

    By the way, clause 7.2 says you must have documented information as evidence of your trainings.

    Could I assume that if I don't have a mandatory document then I will have a major nonconformity, or not?

    Answer: The auditor will raise a major nonconformity: (1) if you don't have all the mandatory documents, (2) if your activities fail to comply with a complete clause of ISO 22301, and (3) if your activities fail to comply with a complete requirement from your own BCMS documentation.
  • What does RTO mean?

    We've received the following question:

    #1. The Recovery Time Objective (RTO) is the maximum amount of time within which an activity needs to be resumed at the MBCO level (Minimum Business Continuity Objective), or
    #2. The Recovery Time Objective (RTO) is the maximum amount of time within which an activity needs to be resumed at full capacity.

    The recovery time objective is the target time set for the resumption of product, service or activity delivery after an incident. RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy, so this means that option #1 is the correct one.

    Please have a look at the following link for further explanation.
    https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

    Thanks
  • How to document System Secure Engineering Principles

    There is a code of best practices for each programming language. Java, for example, has a code of best practices that you can download from the official ORACLE page. So, depending on the language, you can follow a specific code of best practices.
  • How much of business continuity to implement in ISO 27001

    I've received this question: When implementing ISO 27001, how deep do we have to go in Business Continuity (16)? Is it the same as implementing a whole Business Continuity project, or something lighter?

    Answer: When implementing business continuity according to ISO 27001, you could implement a "lighter" version that would focus only on developing a disaster recovery plan (for recovering your IT infrastructure), and a recovery plan for your information security functions. This means you do not have to implement the whole business continuity project according to ISO 22301.

    However, I would argue that it would make much more sense to implement a full business continuity project according to ISO 22301 as part of your ISO 27001 project - this is because of the following:
    1) This would add perhaps only 10% of additional effort to your ISO 27001 project
    2) You would implement two standards (both ISO 27001 and ISO 22301) with only a little additional cost
    3) You can ensure the continuity of your business operations only by doing this full business continuity project - complying with the minimum that is set in ISO 27001 wouldn't be enough.
    You can find out more in this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    By the way, ISO 27001:2013 defines the controls for business continuity in Annex A, section A.17.
  • ISO 27001 maintenance mode after implementation mode

    We've received the following question: We recently achieved our ISO certification on Friday last - the 28 Feb. However, I have been looking on your blog to find out what the process is - if any - to transition from implementation mode to maintenance mode, and if there are any critical items that need to be closed off/completed before this can happen? We are still keenly in 'ISO operational mode' and are now looking at including the rest of the business in scope (we had a limited scope initially), but at present we want to wind down activity and e.g. reduce the frequency and attendance of the ISMS team meetings and suchlike. Are there any guidelines for what should still happen post audit while leaving the implementation phase behind, and how to get into that mode?

    Answer: From your description I can assume that you have already sent the certification body the CAP (Corrective Action Plan) for the nonconformities raised during the audit, because this is the most critical item. The actions you mentioned in the CAP should be treated in accordance with the scheduled timeframe you referred to in the document. If you had no nonconformity, you shouldn't be required to send a Corrective Action Plan.

    To get "in maintenance mode after implementation mode" you just follow the policies, processes, procedures and controls you've just included in your system and focus on the performance of the indicators you have selected, completing the PDCA cycle. If your team is motivated and you have the management commitment to include the rest of the business in the scope, please proceed in that way and increase the maturity level of the system.

    Thanks