You could view them as controls instead of assets, but this way you could miss some threats and vulnerabilities directly related to such controls - e.g. confidential waste bins could be placed in positions where they are accessible to too many people; lockable filing cabinets might have weak locks, etc.
Therefore, I would advise viewing them both as assets and as controls. Such duplication won't add significantly to your risk assessment job, but it will certainly increase the quality of the results.
By the way, the controls you are referring to are from the old 2005 revision of ISO 27001. The corresponding controls from the new ISO 27001:2013 are as follows:
- A.8.3.2 Disposal of media
- A.11.2.9 Clear desk and clear screen policy
ISO 27001 - frequency of recertification
If we are speaking about the certification of organizations, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.
Think this will be the most challenging part of the BIA Questionnaire now ...
Thanks for the feedback...
How to link risk assessment to Statement of Applicability
Answer: Once you identify all the risks, you have to select the ones that are not acceptable. For those unacceptable risks you have to select controls or other options for treating the risks - this is done through some kind of a risk treatment table. Once you select all the controls you want, then you start writing the Statement of Applicability.
Questions regarding the ISMS scope document
Answer: You should specify in section 3.2 of your ISMS Scope document all the departments or business units that are part of your ISMS scope.
In section 3.4 you could say that only the assets that belong to the above-mentioned departments are included in the scope, but you should specify which interfaces exist between those assets and the assets that are out of scope. For example, for a local network the interface is a router or some other device that separates your network from the outside world; for an office space the "interface" is a door.
Minimum Business Continuity Objectives and their connection to the workload in th
The point of business continuity is to prepare you for the worst-case scenario - and the worst-case scenario is that a disruption hits you in a period when you have the highest workload. In my book Becoming Resilient https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ I gave an example of a bank - typically, banks have their highest workload in December, and this is what you have to analyze in your BIA Questionnaire.
However, this doesn't mean that your Minimum Business Continuity Objective (MBCO) will be to prepare for the full (100%) capacity of your highest workload - e.g. you can decide that you are fine with preparing for 60% of your capacity immediately after the recovery, but again those 60% must be calculated relative to the highest workload.
Is ISO 27001:2013 based on PDCA cycle?
Answer: ISO 27001 revision 2013 is based on the PDCA (Plan-Do-Check-Act) cycle, even though this fact is not emphasized in the introduction.
This is visible when you look at the main clauses of ISO 27001:2013:
- 4 Context of the organization - Plan phase
- 5 Leadership - Plan phase
- 6 Planning - Plan phase
- 7 Support - Plan phase
- 8 Operation - Do phase
- 9 Performance evaluation - Check phase
- 10 Improvement - Act phase
Mobile code - the control reference is A.10.4.2
The term mobile code existed in the old ISO 27001:2005 revision - it meant code like JavaScript. However, in the new 2013 revision, there is no longer any mention of mobile code in ISO 27001.
Answer: PCI-DSS is not my field of expertise, but ISO 27001 does not require you to implement any of these tools - ISO 27001 requires you to assess whether there are risks in your organization that would require such tools, and if yes - then you would need to implement the tools.
In my experience, the large majority of companies already have most of the technology they need, but they don't use it in an appropriate way.
Upgrades to Documentation Set
Dear Doug,
You're not entitled to a discounted upgrade, but to a free upgrade.
Our policy is to send free upgrades to all customers who purchased the toolkit in the last 12 months - we made an upgrade in October 2013, and we've sent you the email with this upgrade, but it seems it didn't reach you.
In any case, my colleague will send you the upgraded toolkit (compliant with ISO 27001 2013 revision) shortly.