Search results


  • Which documentation to show to certification auditor


    Answer: You should show all your documents related to your ISMS/ISO 27001.

    Our Documentation Toolkit contains both mandatory documents required by ISO 27001 and non-mandatory documents - you have to produce all the mandatory documents, and choose whether or not to produce non-mandatory documents. In the Toolkit you have a file called "List of Documents" which specifies which documents are mandatory and which are not.
  • risk assessment and controls

    May,

    You have to identify all the risks, even though you have implemented a control for some of them - it is true that in such cases the likelihood will be low, but the risk still exists.

    If the value of such risk turns out to be acceptable, then of course you won't have to treat the risk; in some cases it might happen that such risk is still unacceptable (because the existing control is not enough), so you will have to apply some additional controls.
  • Business continuity plan

    The easiest way is to use one recovery plan per department - e.g. your IT department will have one recovery plan (this plan will include all your IT systems), your marketing department should have its own recovery plan, your human resources department should have their recovery plan, etc.

    The point is, you should recover not only your IT department and IT systems, you should also recover your business activities.
  • Making mistakes in documents because of an auditor


    Answer: My opinion is that you shouldn't make intentional mistakes because of the following reason: you should implement information security/ISO 27001 because you want to increase the level of your security; you shouldn't implement it to satisfy your auditor.

    Besides, the auditor will find enough nonconformities anyway.
  • Procedure for document and record control

    Todd,

    This needs to be in the procedure because ISO 27001 explicitly requires you to control external documents.

    Examples of such external documents may be technical documentation, confidential client documents, contracts, etc. - it is very important to control all such documents.
  • Records of Management Decisions

    Todd,

    Management decisions can be documented in several forms - from an ordinary email all the way to a written document called "Decision xyz". We do not have a template for such decisions because their form varies greatly from company to company, and really for a smaller company no particular form is needed - as I mentioned, if your CEO sends an email saying he has decided something, this is a management decision documented in a perfectly acceptable form.

    The only template we do have is the Management Review minutes - you can find them in folder #10 of our Toolkit.
  • Risk register vs. risk treatment table


    Answer: The term "Risk register" does not exist in ISO 27001, however this term is commonly used in some countries for the results of the risk assessment - basically, this is a list of your risks - in our Toolkit this would be the Risk assessment table.

    Risk register is usually not the same thing as Risk treatment table, however since Risk register is not an official term, some companies are using it for risk treatment as well.
  • Risk Assessment Table

    You should list the asset multiple times with the different threat/vulnerability combination.

    By the way, all this is described in detail in the video tutorial called How to Implement Risk Assessment According to ISO 27001 - you have access to it in our Customer Portal.
  • Specifying excluded controls as exclusions in the ISMS Scope document


    The ISMS scope document can only exclude certain departments, processes, locations or assets of your organization. However, for those departments/processes/locations/assets that remain within the scope, you cannot exclude the controls in this phase - the decision whether to apply or exclude controls can be made only after the risk assessment & treatment is finished.

    The point is - the controls can be excluded only if there are no risks which would require such controls. Read more here: ISO 27001 risk assessment & treatment – 6 basic steps
  • Referring to Inventory of assets from the ISMS Scope document


    Answer: Clause 4.2.1 a) of ISO 27001 requires you to document the scope in terms of assets, so basically you have 2 choices:

    a) List most of your assets in the Scope document - I wouldn't recommend that, or

    b) Refer to the Asset inventory - much better solution since you will (probably) make it anyway.

    Now, since you are writing the ISMS Scope document now, and the Asset inventory later, you can just say that the Asset inventory will be developed by a certain date.