
  • How to link risk assessment to Statement of Applicability


    Answer: Once you identify all the risks, you have to select the ones that are not acceptable. For those unacceptable risks you have to select controls or other options for treating the risks - this is done through some kind of risk treatment table. Once you select all the controls you want, then you start writing the Statement of Applicability.
  • Questions regarding the ISMS scope document


    Answer: You should specify in section 3.2 of your ISMS Scope document all the departments or business units that are part of your ISMS scope.

    In section 3.4 you could say that only the assets that belong to the aforementioned departments are included in the scope, but you should specify which interfaces exist between those assets and assets that are out of the scope. For example, for a local network the interface is a router or some other device that separates your network from the outside world; for an office space the "interface" is a door.
  • Minimum Business Continuity Objectives and its connection to the work load in th


    The point of business continuity is to prepare you for the worst case scenario - and the worst case scenario is that a disruption hits you in a period when you have the highest workload. In my book Becoming Resilient https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ I gave an example of a bank - typically, banks have the highest workload in December, and this is what you have to analyze in your BIA Questionnaire.

    However, this doesn't mean that your Minimum Business Continuity Objective (MBCO) will be to prepare for a full (100%) capacity of your highest workload - e.g. you can decide that you are fine with preparing for 60% of your capacity immediately after the recovery, but again those 60% must be calculated compared to the highest workload.
  • Is ISO 27001:2013 based on PDCA cycle?


    Answer: ISO 27001 revision 2013 is based on the PDCA (Plan-Do-Check-Act) cycle, even though this fact was not emphasized in the introduction.

    This is visible when you look at the main clauses of ISO 27001:2013:
    - 4 Context of the organization - Plan phase
    - 5 Leadership - Plan phase
    - 6 Planning - Plan phase
    - 7 Support - Plan phase
    - 8 Operation - Do phase
    - 9 Performance evaluation - Check phase
    - 10 Improvement - Act phase
  • Mobile code - the control reference is A10.4.2


    The term mobile code existed in the old ISO 27001 2005 revision - it meant code like JavaScript. However, in the new 2013 revision, there is no longer any mention of mobile code in ISO 27001.

    See more details here:
    - https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
    - https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
  • Required tools for ISO 27001


    Answer: PCI-DSS is not my field of expertise, but ISO 27001 does not require you to implement any of these tools - ISO 27001 requires you to assess whether there are risks in your organization that would require such tools, and if yes - then you would need to implement the tools.

    In my experience, the large majority of companies already have most of the technology they need, but they don't use it in an appropriate way.
  • Upgrades to Documentation Set

    Dear Doug,

    You're not entitled to a discounted upgrade, but to a free upgrade.

    Our policy is to send free upgrades to all customers who purchased the toolkit in the last 12 months - we made an upgrade in October 2013, and we've sent you the email with this upgrade, but it seems it didn't reach you.

    In any case, my colleague will send you the upgraded toolkit (compliant with ISO 27001 2013 revision) shortly.
  • Which is first - BIA or risk assessment?


    Answer: I assume that by "RIA" you refer to risk assessment. ISO 22301 is fine with both approaches - risk assessment first and BIA second, or the other way around.

    My preference is to perform the risk assessment first because you will have a much better feeling about which incidents can happen (and therefore better assess the impact during BIA), but you can also use the list of assets you identified during your risk assessment as an input for BIA when you need to identify all the required resources.
  • Address change after certification

    Gokhan,

    1) About company relocation - you should read the terms and conditions with your certification body and see what they require, but in most cases you would have to notify them of such a change, and they would check whether you adapted your ISMS during their first surveillance visit. You would normally need to assess the risks again and implement all the new controls as identified during risk treatment.

    2) If your risk assessment and treatment show that having a key instead of a digital lock sufficiently decreases the risks, then this is OK.
  • Corporate information security policy


    Answer: Basically, ISO 27001:2013 requires you to include these items in the top-level policy (clause 5.2):
    - Objectives and framework for setting them
    - Commitment to fulfill the requirements
    - Commitment to continual improvement

    So not really much.