
  • Excluding secure development from Statement of Applicability

    14.1.2
    14.1.3
    14.2.1
    14.2.2
    14.2.3
    14.2.4
    All the way till
    15.1.3

    Answer: If your risk assessment has proved there are no risks, and there are no contractual or regulatory requirements in this respect, then you can exclude these controls from SoA - in this case, you have to explain the reason for their exclusion. If you use our SoA template, you will mark those controls as non-applicable, and in the column "Reason" briefly explain that there are no risks and no requirements.

    However, controls A.14.1.2 and A.14.1.3 are related to e-commerce, so if you have a web shop, it will be difficult to exclude those. Further, controls from A.15 are about suppliers, which include your telecom provider, so it will be difficult to exclude anything from A.15.
  • Documenting the record control


    Answer: Yes, you are right - this is the requirement from ISO 27001:2005.

    So it is safe to say that an organization shall have five documented procedures: the four which you have mentioned plus one for records control. Of course, the organization has the flexibility to have one documented procedure for document and record control.

    Answer: I agree with you only partially - you could write a fifth procedure for records management; however, best practice is to document records management in each policy or procedure which requires creation of records. For example, if your Access control policy requires written approval of privileges, then this same Access control policy can define how these approval records are created, where they are stored, how they are protected, etc.

    In most cases, you would create a table at the end of each policy/procedure where you would specify those rules for all the records.

    (By the way, ISO 27001:2013 does not require documenting 4 mandatory procedures you referred to - this was the requirement from the old ISO 27001:2005.)
  • Is the latest 2013 revision of ISO 27001 finalized?


    Yes, ISO 27001:2013 was published in September - if you are starting ISO 27001 implementation you should go for the new 2013 revision. These articles will also help you:
    - https://advisera.com/27001academy/blog/2013/08/26/implement-iso-27001-according-to-current-2005-revision-or-wait-for-new-2013-revision/
    - https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/

    Also, what should be the approach for an organisation that is already certified and is looking to expand its scope?

    First, you have to define your new scope exactly, then amend the ISMS Scope document and also your other policies and procedures accordingly. Finally, you have to ask your certification body to re-certify you with the new scope.
  • 4 questions related to ISMS


    No, there is no requirement for an ISMS Manual in ISO 27001 - see the list of all mandatory documents according to ISO 27001 here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Statement of Applicability is the document where you should refer to individual clauses/controls of ISO 27001 and specify how you implemented them.

    2) Is the Project plan a required document, since the realization of the project is defined in the contract with the client?

    Project plan is not a required document, but it is recommended since there you specify into more detail who has to do what during the project (normally you wouldn't specify such level of detail in a contract).

    3) Is it required to nominate a person responsible for ISMS by a separate decision, or can this be documented in the job description?

    You can do it either way, but usually you specify who is responsible for what in various ISMS policies and procedures.

    4) Are Business Continuity Policy and Business Continuity Plan mandatory?

    If you implement ISO 22301, both of these documents are required; if you implement ISO 27001, then the Business Continuity Policy is not required, while the Business continuity plan (or procedures) is required according to control A.17.1.2. Theoretically, you could decide to exclude control A.17.1.2, but I haven't seen anyone do it.
  • Performing risk assessment for both ISO 27001 and ISO 22301


    You shouldn't perform them separately - risk assessment performed according to ISO 27001 is perfectly acceptable for ISO 22301 also. See also this article: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    You should just follow your Risk assessment methodology for ISO 27001, and since it must take into account risks related to availability, if you comply with such methodology you will perform one risk assessment for both standards.
  • Responsibility for identification of requirements


    Answer: I would say all the functions like COO, CISO, CIO and CFO should help identify the requirements, and since there are so many people included, the CEO could be ultimately responsible for this part of the job in a small company.

    After all, it is the CEO who is responsible towards the lawmakers and towards the shareholders, so it is in his best interest to be informed and to make sure his company is fully compliant.
  • Benefit of performing BIA for a single department


    You should perform BIA for each of your activities/departments separately, because very likely different activities will have different MAO (Maximum Acceptable Outage)/RTO (Recovery Time Objective), and different resources. Therefore, merging them all into one single BIA won't give precise results.

    Read also this article: How to define activities when implementing business continuity according to ISO 22301 https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/

    One doubt is, is RTO only for an application or for a process?

    RTO could be set for either of them, but usually it is set for the whole activity (i.e. a process or a department).
  • Statement of Applicability/Annex A Documents

    Todd,

    To answer your question, I'll quote a paragraph from our ISMS Scope template: "The organization needs to define the boundaries of its ISMS in order to decide which information it wants to protect. Such information will need to be protected no matter whether it is additionally stored, processed or transferred in or out of the ISMS scope. The fact that some information is available outside of the scope doesn't mean the security measures won't apply to it – this only means that the responsibility for applying the security measures will be transferred to a third party who manages that information."

    The point is - you need to require your suppliers and partners to protect your information - and you need to determine these requirements through the risk assessment.
  • List of legal regulatory and contractual requirements


    Answer: If you refer to ISO 27001, you should list all legal, regulatory and contractual requirements related to information security (e.g. personal data protection). But this has nothing to do with a function - laws and regulations are valid equally for your IT department and your business departments.

    See the list of laws and regulations worldwide here: https://wiki.iso27001standard.com/index.php?title=Laws_and_***********************************************************
  • Risk identification

    Only up to a point; ISO 22301 is more strict on what must be documented.

    In these two articles you'll find everything that must be documented, everything else may be documented only if you make such a decision:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/