
  • Statement of Applicability & auditor's comments on effectiveness of controls

    The Statement of Applicability (as well as other ISMS documents) is an internal document that the company develops for managing its security - it should not be produced to serve the certification audit, nor should the certification auditor use it as their records.

    Certification auditors should use their own forms for noting conclusions and reporting them to you.

    The certification body won't issue the certificate if they find major nonconformities (when you lack some important part of the ISMS or when you do not comply at all with some of your documents); if they find minor nonconformities they will issue the certificate.

    These articles can also help you:
    - Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - How to get certified against ISO 27001? https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - How to approach an auditor in a certification audit https://advisera.com/articles/how-to-approach-an-auditor-in-a-certification-audit/
  • How does IT complete a BIA

    The IT department should focus on identifying which systems and infrastructure they need to get up and running in order to run the applications/services that are needed by the business side of the organization.

    They need to identify exactly which resources are needed, and the timing of when those are needed.
  • Certification - RABQSA

    Again, I'm not sure which ISO 27001 certification you are speaking about - are you speaking about the certification of an individual or a certification of a company?

    Here are some articles that can help you:
    - ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/
    - How to learn about ISO 27001 (this article lists different possible trainings) https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
  • Transition from ISO 27001:2005 to 27001:2013 standard

    Theoretically, until September 25, 2014 you can (re)certify against the old 2005 revision of the standard, but I wouldn't recommend that - I think it is much better to transition to the new 2013 revision and then re-certify.

    The transition is rather easy; for a smaller company it might take ca 1 month, whereas larger companies should be able to do it in a couple of months. See also this article: How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • When does RTO begin?

    I'm assuming that by failover you mean the Disaster Recovery Plan, because the failover concept is related to protective controls that automatically take over when the main system fails, i.e., it is the first resort in most incidents, while the Disaster Recovery Plan refers to the actions to be performed when the main facilities/systems cannot be recovered within an acceptable timeframe (i.e., within the Recovery Time Objective - RTO).

    Considering that, the RTO needs to be counted from the time the disruption is perceived by the customer (the RTO is defined from the customer's point of view), so it needs to start when the disruption is reported or detected.

    What happens is that, for example, if you have an RTO of 10 hours and your DRP needs 3 hours to be implemented, the DRP only needs to be started 7 hours after the start of the incident, and by this time the teams may have solved the situation.

    For further information, see:

  • Mandatory processes for ISO 27001:2013 external communications relevant to ISMS

    1) ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented. Therefore, you have the following options: (a) to have such a process without documenting it, (b) to write a separate procedure for communication, or (c) to include communication procedures in your other documents - e.g. in Incident management procedure.

    2) If speaking about mandatory documents, there are many documents that are required in all four phases of PDCA cycle - you can see their list here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Questions about risk assessment/treatment.

    In other words, we have only one unacceptable risk which needs treatment.

    So our risk treatment results are rather thin (I have combined that table with the risk assessment table) and the SoA will have mostly controls which are already in place.

    And then the Risk Treatment Plan will have very little to say.

    It isn’t that we are complacent about information security, but rather that our risks are already mitigated by several controls, which are described in the risk assessment table (although not in terms of the Annex A controls).

    Answer: Finding only 30 risks seems to me a bit too little. A company with 7 employees probably has ca 50 assets (people, hardware, software, databases, documents electronic and paper, infrastructure, etc.), each asset could have ca 5 threats and each threat ca 2 vulnerabilities. This easily makes ca 500 risks (assets x threats x vulnerabilities) for a small company.

    When using this methodology of identifying assets, threats and vulnerabilities, most companies I've worked with realized they were aware of only ca 50% of their risks - which means that only then they could decide which additional controls to implement.
  • BIA in Petrochemical Plan Definition of Activities for Operational department

    I don't know petrochemical operations very well, but if you have your operational and maintenance processes already defined, I think exactly those are the ones that should be used as activities from the business continuity point of view.

    If you give me some more details, perhaps I could give you a more precise answer.
  • ISMS Scope Assistance

    If you store and process sensitive/important information for your company in that data center, then you should include such information in your ISMS scope.

    In this kind of situation, the physical infrastructure should be placed outside your scope (since you do not control it directly), and you should place within the scope only what you control - the operating system, applications, and of course data.
  • Data Center audit preparation

    We do not have any articles or customized documents on preparation of a data center, but the truth is - if you want to implement ISO 27001 in a data center, there is not much difference from other IT companies. The majority of our customers are IT companies, and they find our documentation very convenient for their purpose. Here is a detailed description of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    If you are interested particularly in how to audit, this Internal Audit Toolkit can help you: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    And here's one article on ISO 27001 and cloud computing: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/