Search results


  • Questions about risk assessment/treatment.


    In other words, we have only one unacceptable risk which needs treatment.

    So our risk treatment results are rather thin (I have combined that table with the risk assessment table) and the SoA will have mostly controls which are already in place.

    And then the Risk Treatment Plan will have very little to say.

    It isn’t that we are complacent about information security, but rather that our risks are already mitigated by several controls, which are described in the risk assessment table (although not in terms of the Annex A controls).

    Answer: Finding only 30 risks seems to me a bit too little. A company with 7 employees probably has ca 50 assets (people, hardware, software, databases, documents electronic and paper, infrastructure, etc.), each asset could have ca 5 threats and each threat ca 2 vulnerabilities. This easily makes ca 500 risks (assets x threats x vulnerabilities) for a small company.

    When using this methodology of identifying assets, threats and vulnerabilities, most companies I've worked with realized they were aware of only ca 50% of their risks - which means that only then could they decide which additional controls to implement.
  • BIA in Petrochemical Plan Definition of Activities for Operational department

    I don't know the petrochemical operations very well, but if you have your operational and maintenance processes already defined, I think exactly those are the ones that should be used as activities from the business continuity point of view.

    If you give me some more details perhaps I could give you a more precise answer.
  • ISMS Scope Assistance

    If you store and process sensitive/important information for your company in that data center, then you should include such information in your ISMS scope.

    In this kind of situation, physical infrastructure should be placed out of your scope (since you do not control it directly), and you should place within the scope only what you control - operating system, applications, and of course data.
  • Data Center audit preparation

    We do not have any articles or customized documents on preparation of a data center, but the truth is - if you want to implement ISO 27001 in a data center, there is not much difference from other IT companies. The majority of our customers are IT companies, and they find our documentation very convenient for their purpose. Here is a detailed description of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    If you are interested particularly in how to audit, this Internal Audit Toolkit can help you: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    And here's one article on ISO 27001 and cloud computing: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Coding of policies, procedures and records

    Answer: If the coding system for internal documents is strictly defined in the Document control procedure, then there is no need for anyone to assign codes - e.g. a really simple coding system for your documents could be ISMS-001, ISMS-002, ISMS-003, etc.

    If you want to have a system where someone must define a code for each document, then this could be one person for all the documents in your company (e.g. Quality manager), or your Information security manager can do it for your ISMS documents only.
  • Question on General Impact Assessments in the BIA Questionnaire

    Great stuff Dejan...
  • How to select appropriate controls from Annex A

    Don't worry, there are no stupid questions. Actually, I receive this question quite often, but this is the first time I'm answering it through this forum.
  • Asset inventory issues

    Kaoutar,

    You could view them as controls instead of assets, but this way you could miss some threats and vulnerabilities directly related to such controls - e.g. confidential waste bins could be placed in positions where they are accessible to too many people; lockable filing cabinets might have weak locks, etc.

    Therefore, I would advise viewing them both as assets and as controls. Such duplication won't add significantly to your risk assessment job, but it will certainly increase the quality of the results.

    By the way, the controls you are referring to are from the old 2005 revision of ISO 27001. The controls from the new ISO 27001:2013 are as follows:
    - A.8.3.2 Disposal of media
    - A.11.2.9 Clear desk and clear screen policy
  • ISO 27001 - frequency of recertification

    If speaking about the certification of organizations, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.

    This article can also help you: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Expenses in BIA Questionnaire

    Think this will be the most challenging part of the BIA Questionnaire now ...

    Thanks for the feedback...