You should just follow your risk assessment methodology for ISO 27001, and since it must take into account risks related to availability, if you comply with such a methodology you will perform one risk assessment for both standards.
Responsibility for identification of requirements
Answer: I would say all the functions like COO, CISO, CIO and CFO should help identify the requirements, and since there are so many people included, the CEO could be ultimately responsible for this part of the job in a small company.
After all, it is the CEO who is responsible towards the lawmakers and towards the shareholders, so it is in his best interest to be informed and to make sure his company is fully compliant.
Benefit of performing BIA for a single department
You should perform BIA for each of your activities/departments separately, because very likely different activities will have different MAO (Maximum Acceptable Outage)/RTO (Recovery Time Objective), and different resources. Therefore, merging them all into one single BIA won't give precise results.
One doubt is, is RTO only for an application or for a process?
RTO could be set for either of them, but usually it is set for the whole activity (i.e. a process or a department).
Statement of Applicability/Annex A Documents
Todd,
To answer your question, I'll quote a paragraph from our ISMS Scope template: "The organization needs to define the boundaries of its ISMS in order to decide which information it wants to protect. Such information will need to be protected no matter whether it is additionally stored, processed or transferred in or out of the ISMS scope. The fact that some information is available outside of the scope doesn't mean the security measures won't apply to it; this only means that the responsibility for applying the security measures will be transferred to a third party who manages that information."
The point is - you need to require your suppliers and partners to protect your information - and you need to determine these requirements through the risk assessment.
List of legal, regulatory and contractual requirements
Answer: If you refer to ISO 27001, you should list all legal, regulatory and contractual requirements related to information security (e.g. personal data protection). But this has nothing to do with a function - laws and regulations are valid equally for your IT department and your business departments.
See here list of laws and regulations worldwide: https://wiki.iso27001standard.com/index.php?title=Laws_and_***********************************************************
Risk identification
Only up to a point; ISO 22301 is stricter on what must be documented.
Answer: Yes you can combine them in one document; actually ISO 27001 does not require any of these bodies so you can organize them any way you wish, or you can decide not to have such a body at all - smaller companies usually do not have such committees.
Do we have to create process diagrams, such as for the internal audit process?
Answer: No, you do not have to draw the diagrams because ISO 27001 does not require you to do so; the standard does require you to have a process for internal audit, and it is a best practice to write a procedure for it.
7.2.2 Labeling and handling
Sure, our support will contact you shortly.
Criteria of IT company ISO certification
I assume you are asking me about ISO 27001 certification. The basic criterion is to comply with all the requirements written in ISO 27001. Since there are many requirements listed, you need to purchase this standard and read all of them.
The criteria for certification are the same for all industries: IT, government, financial, manufacturing, etc.
General impacts
If you marked the answer to the question "How difficult will it be to catch up on the backlog of work?" as high impact after 4 hours, then this is where your MTPD is, because if this wasn't that important, I assume you wouldn't mark it that high.
If you consider the backlog of work completely irrelevant for your operations, then you can delete this question altogether; none of these questions is mandatory under ISO 27001 or ISO 22301.