Search results


  • Data Center audit preparation

    We do not have any articles or customized documents on preparation of a data center, but the truth is - if you want to implement ISO 27001 in a data center, there is not much difference from other IT companies. The majority of our customers are IT companies, and they find our documentation very convenient for their purpose. Here is a detailed description of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    If you are interested particularly in how to audit, this Internal Audit Toolkit can help you: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    And here's one article on ISO 27001 and cloud computing: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Coding of policies, procedures and records

    Answer: If the coding system for internal documents is strictly defined in the Document control procedure, then there is no need for anyone to assign codes - e.g. a really simple coding system for your documents could be ISMS-001, ISMS-002, ISMS-003, etc.

    If you want to have a system where someone must define a code for each document, then this could be one person for all the documents in your company (e.g. Quality manager), or your Information security manager can do it for your ISMS documents only.
  • Question on General Impact Assessments in the BIA Questionnaire

    Great stuff Dejan...
  • How to select appropriate controls from Annex A

    Don't worry, there are no stupid questions. Actually, I receive this question quite often, but this is the first time to answer it through this forum.
  • Asset inventory issues

    Kaoutar,

    You could view them as controls instead of assets, but this way you could miss some threats and vulnerabilities directly related to such controls - e.g. confidential waste bins could be placed in positions where they are accessible to too many people; lockable filing cabinets might have weak locks, etc.

    Therefore, I would advise viewing them both as assets and as controls. Such duplication won't add significantly to your risk assessment job, but it will certainly increase the quality of the results.

    By the way, the controls you are referring to are from the old 2005 revision of ISO 27001. The controls from the new ISO 27001:2013 are as follows:
    - A.8.3.2 Disposal of media
    - A.11.2.9 Clear desk and clear screen policy
  • ISO 27001 - frequency of recertification

    If speaking about certification of organizations, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for the recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.

    This article can also help you: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Expenses in BIA Questionnaire

    Think this will be the most challenging part of the BIA Questionnaire now ...

    Thanks for the feedback...
  • How to link risk assessment to Statement of Applicability

    Answer: Once you identify all the risks, you have to select the ones that are not acceptable. For those unacceptable risks you have to select controls or other options for treating the risks - this is done through some kind of a risk treatment table. Once you select all the controls you want, then you start writing the Statement of Applicability.
  • Questions regarding the ISMS scope document

    Answer: You should specify in section 3.2 of your ISMS Scope document all the departments or business units that are part of your ISMS scope.

    In section 3.4 you could say that only the assets that belong to the above-mentioned departments are included in the scope, but you should specify which interfaces exist between those assets and the assets that are out of the scope. For example, for a local network the interface is a router or some other device that separates your network from the outside world; for an office space the "interface" is a door.
  • Minimum Business Continuity Objectives and its connection to the work load in th

    The point of business continuity is to prepare you for the worst case scenario - and the worst case scenario is that a disruption hits you in a period when you have the highest workload. In my book Becoming Resilient https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ I gave an example of a bank - typically, banks have the highest workload in December, and this is what you have to analyze in your BIA Questionnaire.

    However, this doesn't mean that your Minimum Business Continuity Objective (MBCO) will be to prepare for the full (100%) capacity of your highest workload - e.g. you can decide that you are fine with preparing for 60% of your capacity immediately after the recovery, but again those 60% must be calculated compared to the highest workload.
