Change in risk assessment methodology in ISO 27001:2013
Answer: Basically, there are two changes regarding risk assessment in the ISO 27001 2013 revision: (1) it is no longer required to identify threats and vulnerabilities related to assets - you can identify risks in some other way, and (2) you need to identify a risk owner for each risk.
As in the 2005 revision, there are no requirements on how to calculate risks - every company can develop its own method of calculating risks.
Process approach in ISO 27001:2013
As long as a standard demands the establishment and maintenance of a system of interrelated processes, their implementation, their control based on measurable results and continual improvement, it is based on the process approach, in my opinion. Also, the process approach should prove to be an enabler for achieving business objectives, including customer satisfaction/delight.
Reasonable prices for ISO 27001:2013 and ISO 27002:2013?
Thanks Dejan for such a prompt response! None of the national standardization bodies seem to be offering these standards for the time being. Shall update as soon as I come across a suitable one with reasonable prices.
The rules for List of Statutory, Regulatory, Contractual and Other Requirements are defined through the Procedure for Identification of Requirements. In this procedure you define who is responsible for filling in the List, but basically you will have 2 sources:
1) Laws and regulations - you can find them here: https://wiki.iso27001standard.com/index.php?title=Laws_and_re************************************************************
2) Contractual obligations - you have to browse through the contracts with your clients and see what obligations you have
IRCA is the main body that certifies that a training organization complies with certain standards; TUV is nothing else but a training provider.
Also, will it really be helpful to go for ISO 27001 Lead Auditor training? After ISO 27001 LA training, which certification will be next? And what is your preference?
Although ISO 9001 and ISO 27001 are very compatible, I wouldn't add information security elements in your Quality Policy.
You can use these documents for both standards; you don't have to write them twice:
Document control procedure
Internal audit procedure
Procedure for corrective action
Procedure for preventive action (although this is not required in ISO 27001 2013 revision)
In documents which you use for both QMS and ISMS, you should mention the reference to both ISO 9001 and ISO 27001.
By the way, you can also see this webinar for detailed explanation: ISO 27001 implementation: How to make it easier using ISO 9001
Using the results from BIA Questionnaire for calculating MTPD
I've received this question:
In the following example on BIA, MTPD:

                                            2 hrs   4 hrs   24 hrs   48 hrs   1 week   2 weeks
a. Impact on people, health & safety          1       1        1        1        2         3
b. Impact on environment                      1       1        2        3        3         3
c. Impact on reputation                       1       1        1        2        2         3
d. Impact on service performance delivery     1       1        2        2        3         4
e. Business impact                            1       1        2        2        3         4

1 = marginal impact, 2 = acceptable impact, 3 = high impact, 4 = catastrophic impact
MTPD = 36 hours (?) This will be used to work on RTO, also taking dependencies into consideration.
What about the rest of the MTPD under the other items, a, c, d, e? Are they taken into consideration with the overall MTPD?
Answer: Yes, judging from this BIA Questionnaire, the MTPD for this activity will be between 24 hours and 48 hours, because question b. is where the assessment "3" appears for the first time. Whether it will be closer to 24 hours or closer to 48 hours is a matter of discussion with the person responsible for this activity.
The rest of the answers (a, c, d and e) are not relevant because they are not so time critical - you always have to take the answers that are the most time critical.
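The rule in the answer above (take the most time-critical category, and read the MTPD off the window where a "high" rating first appears) can be applied mechanically to any BIA questionnaire scored this way. The following is an added example, not code from the original post or from any ISO 27001/22301 toolkit; it uses the time windows and scores from the question above, and the `HIGH_IMPACT` threshold of 3 is an assumption taken from the question's own legend. It also handles the two edge cases the answer does not mention: a category already rated "high" in the first window, and no category ever reaching "high".

```python
# Added example (not from the original post): deriving the MTPD window
# from a BIA questionnaire scored per time window, taking the most
# time-critical category, as the answer above does.

HIGH_IMPACT = 3  # assumption: the first "high" rating marks the window the activity must not reach

# Time windows exactly as in the questionnaire, in chronological order
WINDOWS = ["2 hrs", "4 hrs", "24 hrs", "48 hrs", "1 week", "2 weeks"]

# Scores copied from the questionnaire in the question above
BIA_SCORES = {
    "a. Impact on people, health & safety": [1, 1, 1, 1, 2, 3],
    "b. Impact on environment": [1, 1, 2, 3, 3, 3],
    "c. Impact on reputation": [1, 1, 1, 2, 2, 3],
    "d. Impact on service performance delivery": [1, 1, 2, 2, 3, 4],
    "e. Business impact": [1, 1, 2, 2, 3, 4],
}


def first_high_index(scores, threshold=HIGH_IMPACT):
    """Index of the first window where the score reaches the threshold, or None."""
    for i, score in enumerate(scores):
        if score >= threshold:
            return i
    return None


def mtpd_window(windows, bia_scores, threshold=HIGH_IMPACT):
    """Return (driving_category, lower_bound, upper_bound).

    upper_bound is the earliest window in which any category rates
    'high' (or worse); lower_bound is the preceding window, the last
    one where every category is still acceptable. lower_bound is None
    when the very first window is already unacceptable; upper_bound is
    None when no category reaches the threshold within the assessed span.
    """
    earliest = None
    driver = None
    for category, scores in bia_scores.items():
        if len(scores) != len(windows):
            raise ValueError(f"{category}: expected {len(windows)} scores, got {len(scores)}")
        idx = first_high_index(scores, threshold)
        # Keep the earliest "high" rating; on a tie the first category listed wins
        if idx is not None and (earliest is None or idx < earliest):
            earliest, driver = idx, category
    if earliest is None:
        # Every category stays acceptable over the whole assessed span
        return None, windows[-1], None
    lower = windows[earliest - 1] if earliest > 0 else None
    return driver, lower, windows[earliest]


if __name__ == "__main__":
    driver, lower, upper = mtpd_window(WINDOWS, BIA_SCORES)
    print(f"Driving category: {driver}")
    print(f"MTPD lies between {lower} and {upper}")
```

Running it on the questionnaire above reports that category b drives the result and that the MTPD lies between 24 hrs and 48 hrs, which is the window the answer narrows down to; where exactly inside that window the MTPD falls is still a judgement call for the activity owner, so the function deliberately returns the two bounds rather than a single figure.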
Is ISO 27001 risk assessment good enough for BCM?
Answer: If the information security risk assessment took into account all the risks related to confidentiality, integrity and availability of information, then the chances are that adjustments won't be necessary, because the purpose of a business continuity risk assessment is to find out potential risks related to continuity of operations, which in most cases is nothing else but availability of information. You can read more about this topic here: Can ISO 27001 risk assessment be used for ISO 22301?
I admit there are some exceptions to this rule - e.g. if you have certain equipment which does not contain information (e.g. in the manufacturing process) - this is where additional risk assessment should be made.
Do I have to purchase ISO standard for the certification?
Answer: I'm not sure which ISO Code of Practice you are referring to, but if you are implementing e.g. ISO 27001, it will be difficult to explain to the certification auditor that you don't have a (legal) copy of the standard that you just implemented.