
  • Transition from ISO 27001:2005 to 27001:2013 standard
    Theoretically, until September 25, 2014 you can (re)certify against the old 2005 revision of the standard, but I wouldn't recommend that - I think it is much better to transition to the new 2013 revision and then re-certify.

    Transition is rather easy; for a smaller company it might take ca 1 month, whereas larger companies should be able to do it in a couple of months. See also this article: How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • When does RTO begin?

    I’m assuming that by failover you mean Disaster Recovery Plan, because the failover concept is related to protective controls that automatically take over when the main system fails, i.e., it is the first resort in most incidents, while the Disaster Recovery Plan refers to the actions to be performed when the main facilities/systems cannot be recovered within an acceptable timeframe (i.e., within the Recovery Time Objective – RTO).

    Considering that, the RTO needs to be considered from the time the disruption is perceived by the customer (the RTO is defined from the customer point of view), so it needs to start when the disruption is reported or detected.

    What happens is that, for example, if you have an RTO of 10 hours and your DRP needs 3 hours to be implemented, the DRP only needs to be started 7 hours after the start of the incident, and by this time the teams may have solved the situation.

    For further information, see:

  • Mandatory processes for ISO 27001:2013 external communications relevant to ISMS

    1) ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented. Therefore, you have the following options: (a) to have such a process without documenting it, (b) to write a separate procedure for communication, or (c) to include communication procedures in your other documents, e.g. in the Incident management procedure.

    2) If speaking about mandatory documents, there are many documents that are required in all four phases of the PDCA cycle; you can see their list here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Questions about risk assessment/treatment.
    In other words, we have only one unacceptable risk which needs treatment.

    So our risk treatment results are rather thin (I have combined that table with the risk assessment table) and the SoA will have mostly controls which are already in place.

    And then the Risk Treatment Plan will have very little to say.

    It isn’t that we are complacent about information security, but rather that our risks are already mitigated by several controls, which are described in the risk assessment table (although not in terms of the Annex A controls).

    Answer: Finding only 30 risks seems to me a bit too few. A company with 7 employees probably has ca 50 assets (people, hardware, software, databases, documents both electronic and paper, infrastructure, etc.); each asset could have ca 5 threats and each threat ca 2 vulnerabilities. This easily makes ca 500 risks (assets x threats x vulnerabilities) for a small company.

    When using this methodology of identifying assets, threats and vulnerabilities, most companies I've worked with realized they were aware of only ca 50% of their risks, which means that only then could they decide which additional controls to implement.
  • BIA in Petrochemical Plan Definition of Activities for Operational department

    I don't know the petrochemical operations very well, but if you have your operational and maintenance processes already defined, I think exactly those are the ones that should be used as activities from the business continuity point of view.

    If you give me some more details perhaps I could give you a more precise answer.
  • ISMS Scope Assistance

    If you store and process sensitive/important information for your company in that data center, then you should include such information in your ISMS scope.

    In this kind of situation, the physical infrastructure should be placed out of your scope (since you do not control it directly), and you should place within the scope only what you control: the operating system, applications, and of course data.
  • Data Center audit preparation
    We do not have any articles or customized documents on preparation of a data center, but the truth is, if you want to implement ISO 27001 in a data center, there is not much difference from other IT companies. The majority of our customers are IT companies, and they find our documentation very convenient for their purpose. Here is a detailed description of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    If you are interested particularly in how to audit, this Internal Audit Toolkit can help you: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    And here's one article on ISO 27001 and cloud computing: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Coding of policies, procedures and records
    Answer: If the coding system for internal documents is strictly defined in the Document control procedure, then there is no need for anyone to assign codes; e.g. a really simple coding system for your documents could be ISMS-001, ISMS-002, ISMS-003, etc.

    If you want to have a system where someone must define a code for each document, then this could be one person for all the documents in your company (e.g. Quality manager), or your Information security manager can do it for your ISMS documents only.
  • Question on General Impact Assessments in the BIA Questionnaire

    Great stuff Dejan...
  • How to select appropriate controls from Annex A

    Don't worry, there are no stupid questions. Actually, I receive this question quite often, but this is the first time to answer it through this forum.