
  • Will ISO 22301 become more important with the transition to ISO 27001:2013?

    Biffa,

    Yes, ISO 22301 has greater importance now because the scope of business continuity in ISO 27001 is narrower in the new 2013 revision. ISO 27001 focuses only on continuity of information security operations, not on the whole company.

    However, the new control A.17.2.1, called "Availability of information processing facilities", basically requires disaster recovery to be established, and this is something that didn't exist in ISO 27001:2005. Therefore, the 2013 revision is actually closer to disaster recovery than to business continuity.
  • Disruption or Disaster?

    Juliano,

    Disruption and disaster are not two mutually exclusive terms - a disruption is any kind of interruption of your activities, whereas a disaster is a longer disruption with large impacts.

    The main criterion for activating your Disaster Recovery Plan (or Business Continuity Plan) is the length of a disruption - if the expected length of a disruption is longer than your RTO (Recovery Time Objective), then you need to activate your plan. You should determine your RTO through the business impact analysis.

    To learn more about RTO read this article: https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • Definition of Physical and Technical security and responsibilities

    "Technical security" is a term usually not used in English; for physical security, ISO 27001 defines the following objectives: "To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities." and "To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations."

    You should perform a risk assessment and, based on the results, define your secure areas and protect them accordingly. The responsibility for physical security can vary from company to company - in traditional companies this is usually the responsibility of the Security manager (who has no relationship with information security), while a more modern approach would be to have a Corporate security function which covers both information security and physical security, but also e.g. health & safety.
  • Difference between plans

    Juliano,

    The difference is the following:
    - Business continuity plan is a top-level plan with some general guidelines and responsibilities
    - Incident response plan describes how to initially respond to various incidents - e.g. earthquake, fire, bomb threat, etc.
    - Recovery plans are used to describe how individual activities/departments will be recovered if their operations have been disrupted. This plan can be used both for the business side of your organization and for the IT department - as the Disaster Recovery Plan.

    This article may also help you: Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Matching threats and vulnerabilities

    Answer: Unfortunately, our Risk assessment table does not offer this kind of automation. However, you should use your common sense when doing this matching - e.g. if a threat is a virus, then the vulnerability can be lack of anti-virus software. If a threat is fire, then the vulnerability can be lack of procedures (incident response procedures) or lack of fire suppression systems.

    As a general rule, each asset should have 2 to 5 threats, and each threat 2 to 3 vulnerabilities. You really don't have to do more than that in your initial risk assessment.
  • How can I approach the certification body to gain audit experience

    Basically, you have to find a certification body which is looking for new auditors. I'm not sure about the situation in your country, but this could be difficult. I'm not sure if this is an option for you, but perhaps you can offer to go through their trainee program for free? Normally, if they have a regular employee, they would have to pay his salary.

    You can read more about the whole process here: How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Where to start from as a new CISO

    First, I would start looking for the benefits that information security can bring to your company, especially how it can support the strategic objectives of your company - this way you will be able to get your top management's commitment to support your information security efforts. Learn more here: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Secondly, I would start doing the risk assessment in order to identify which safeguards/controls must be implemented. Learn more here: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISO 27001:2013 and KPIs

    Answer: ISO 27001:2013 does not require you to use KPIs (Key performance indicators) - it does, however, require you to set the objectives, define how to measure them, define who will report on the results and when, and who will evaluate these results. And I agree with you that this is a very similar concept to KPIs.

    In our Documentation Toolkit, these principles are outlined in the Information Security Policy, while the control objectives need to be defined through the Statement of Applicability. We didn't describe the objectives in detail because they will differ greatly from company to company; you can also use the suggested objectives that are stated in Annex A of ISO 27001.
  • Roles and Responsibilities - Assets and risk assessment

    You could consider a computer room as an asset, but this is not the control - the controls are air conditioning, secure door with access control, fire extinguishing and other equipment installed in this room.
  • Difference between the internal audit and the risk assessment

    1) The risk assessment should be done by all asset owners - since the assets are not only software and hardware, but also information, people, infrastructure, etc., it will have to include more people. Risk assessment is about understanding threats and vulnerabilities and how to value the risks - see this webinar for a detailed explanation: The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    2) Internal audit is about both doing the interviews and collecting hard evidence (e.g. records, personal insight, etc.)