Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Which controls to apply?


    Answer: None of the controls from Annex A are mandatory - any control can be excluded if there are no risks or other legal or regulatory requirements; however, it is extremely rare to see a company that has excluded control A.11.3.1.

    The control 11.3.1 suggests that I have a system that chaise passwords. Once I apply the control, I have to use all suggestions, or can I do it my way, for example I generate passwords instead of a system?

    Answer: There is no such requirement in ISO 27001:2005 A.11.3.1 - perhaps you are reading ISO 27002? In any case, any requirement that doesn't exist in ISO 27001 is not mandatory. This means you can apply your rules as long as they are not conflicting with ISO 27001 and that they reflect your risk assessment.

    When I apply a control that refers to another, should I use this one too?

    Answer: I'm not sure if I understood your question well, but you have to apply all the controls where there are risks or legal or regulatory requirements. Of course, you can implement couple of controls together.

  • Certify against ISO 27001 2005 or 2013?


    You can certify against the old ISO 27001 2005 revision until September 25, 2014, but in that case you will have to make the transition to the 2013 revision until September 25, 2015.

    Much better option would be to certify right away against the 2013 revision of the standard. For more information read this article: How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

  • BIA questionnaire

    Juliano,

    The point is to assess which resources will be needed when - e.g. you may have 10 employees in your activity, and 4 of them will be needed immediately when the recovery begins, 1 will be needed 2 hours after that, and remaining 5 employees will be needed 24 hours after.

  • How to implement all policies and procedures for stage 2

    I've received this question: We have passed Stage 1, Could you please suggest how to implement all policies and procedures for stage 2 and what exactly they check on Stage 2. Answer: At Stage 2 audit, the certification auditors will check if you really operate according to your policies and procedures - so for example if you have written that you will perform backup every 2 hours, then the auditor will check if this is really done so. So the answer to your question is: you have to observe all the rules you have documented.

  • Change in risk assessment methodology in ISO 27001:2013


    Answer: Basically, there are two changes regarding risk assessment in ISO 27001 2013 revision: (1) it is not required any more to identify threats and vulnerabilities related to assets - you can identify risk in some other way, and (2) you need to identify risk owner for each risk.

    As in 2005 revision, there are no requirements on how to calculate risks - every company can develop it's own method of calculating risks.

  • Process approach in ISO 27001:2013

    As long as a standard demands establishment and maintenance of a system of interrelated processes, their implementation, their control based on measurable results and continual improvement, it is based on process approach, in my opinion. Also, the process approach should prove to be an enabler to achieve business objectives, including customer satisfaction/ delight.

  • Reasonable prices for ISO 27001:2013 and ISO 27002:2013?

    Thanks Dejan for such a prompt response! None of the national standardization bodies seem to be offering these standards for the time being. Shall update as soon as I come across a suitable one with reasonable prices.

  • Appendix_List_of_Statutory_Regulatory_Contractual_and_Other_Requiremen ts_EN

    Todd,

    The rules for List of Statutory, Regulatory, Contractual and Other Requirements are defined through the Procedure for Identification of Requirements. In this procedure you define who is responsible for filling in the List, but basically you will have 2 sources:
    1) Laws and regulations - you can find them here: https://wiki.iso27001standard.com/index.php?title=Laws_and_re************************************************************ /> 2) Contractual obligations - you have to browse through the contracts with your clients and see what obligations you have

  • IS Incident Management Procedures

    Kaoutar,

    Yes, you can place all these procedures in one single document - this is the most convenient. This is exactly how our Incident Management Procedure is structured: https://advisera.com/27001academy/documentation/incident-management-procedure/

  • ISO 27001 Lead Auditor training


    IRCA is the main body that certifies that a training organization complies with certain standards; TUV is nothing else but a training provider.


    Also, Will it be really helpful to go for ISO 27001 lead Auditor training? After ISO 27001 LA training, which certification will be next? And what is your preference?

    I think ISO 27001 Lead Auditor is really useful, particularly if you are planning a consultant or auditor career. You can also consider the ISO 27001 Lead Implementer course - click here to see an explanation of all the available courses: https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
Page 1115-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +