You should list the asset multiple times with the different threat/vulnerability combination.
By the way, all this is described in detail in the video tutorial called How to Implement Risk Assessment According to ISO 27001 - you have access to it in our Customer Portal.
Specifying excluded controls as exclusions in the ISMS Scope document
The ISMS Scope document can only exclude certain departments, processes, locations or assets of your organization. However, for those departments/processes/locations/assets that remain within the scope, you cannot exclude the controls in this phase - the decision whether to apply or exclude controls can be made only after the risk assessment & treatment is finished.
The point is - the controls can be excluded only if there are no risks which would require such controls. Read more here: ISO 27001 risk assessment & treatment 6 basic steps
Referring to Inventory of assets from the ISMS Scope document
Answer: Clause 4.2.1 a) of ISO 27001 requires you to document the scope in terms of assets, so basically you have 2 choices:
a) List most of your assets in the Scope document - I wouldn't recommend that, or
b) Refer to the Asset inventory - much better solution since you will (probably) make it anyway.
Now, since you are writing the ISMS Scope document now and the Asset inventory later, you can just say that the Asset inventory will be developed by a certain date.
Weekly status report for management
Answer: First of all, you can report the status of your project against the Project plan - you can use our Project plan template, and specify there all the documents you have to produce and deadlines for doing so - then you can report whether you delivered those documents within the deadlines.
You can add some additional explanation to such report - e.g. you can track each day or each hour what you have been working on, and use that as a basis for detailed explanation. However, I don't find this particularly useful - it is much more important if you delivered the documents as planned.
Filling in the inventory of assets
Answer: You could do the Inventory of assets first if you wish, but it is easier to start filling in the Risk assessment table first - once you are finished with this table, then you just copy the information to the Inventory of assets.
When I do the inventory, does every single laptop, server, etc. need to be documented? I found this template which was free.
Answer: This is the same with the Inventory of assets and the Risk assessment table - you don't have to fill in each and every laptop - you can just specify that you have a class called "laptops" and that the owner of each laptop is the person who is using it. Basically, every time you have several assets which have very similar threats and vulnerabilities, you can specify these classes of assets instead of single assets.
By the way, you can see a detailed explanation about all this in a video tutorial called "How to Implement Risk Assessment According to ISO 27001."
Exclusion of security controls in Statement of Applicability
Answer: There is no limit on the exclusion of controls from the Statement of Applicability; however, I have never seen a company which would exclude more than 30 controls. The main criterion for excluding controls from the SoA is that there are no risks nor legislative or contractual requirements that would require such a control.
If you want to implement those controls at the later stage, there are two ways to do it:
a) You recognize such risk(s) right away, and in your Risk Treatment Plan define that you will implement applicable controls some time in the future, or
b) If the risks do not exist at the moment, recognize them when you do the risk assessment review in the future, and at that time start implementing the controls.
How to define criticality?
Juliano,
Priority of recovery is determined on the basis of RTO - the activity with the shortest RTO will be recovered first. Quantitative impacts are an input for determining the RTO - for instance if the impact of disruption that lasts 24 hours is US$ 100,000, you can determine that this is not acceptable, so that your RTO needs to be less than 24 hours.
Enterprise Branch Certification
Dear Dejan
Thank you so much for your wise guidance
Gökhan
BIA Questionnaire and the RTO
Answer: ISO 22301 requires you to calculate the RTO (Recovery Time Objective) after you determine the dependencies between all the activities - therefore, in the BIA Questionnaires you should write MAOs (Maximum Acceptable Outages) for each activity, and then in a separate document (that is usually the Business continuity strategy) you analyse all the dependencies and decide on the final RTOs for each of your activities.
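The two answers above (quantitative impact driving the RTO, and MAOs per activity being tightened into final RTOs through dependency analysis) can be worked through as a small script. The following Python is an added example, not code from the original answers or from any template on this site. The activities, impact figures, dependencies and the US$ 50,000 loss threshold are all constructed sample data; the tightening rule it applies (anything an activity depends on must be recovered no later than that activity) is an assumption stated here, not a clause quoted from ISO 22301.

```python
from typing import Dict, List

# Constructed sample data (not from the original answers): impact in US$ of a
# disruption lasting N hours, per activity, as collected by the BIA questionnaire.
IMPACT_OVER_TIME: Dict[str, Dict[int, int]] = {
    "order-processing": {4: 5_000, 8: 20_000, 24: 100_000, 72: 500_000},
    "invoicing": {4: 0, 8: 2_000, 24: 10_000, 72: 150_000},
    "it-infrastructure": {4: 1_000, 8: 5_000, 24: 50_000, 72: 300_000},
}

# Constructed dependencies: each activity lists the activities it cannot resume without.
DEPENDENCIES: Dict[str, List[str]] = {
    "order-processing": ["it-infrastructure"],
    "invoicing": ["order-processing", "it-infrastructure"],
    "it-infrastructure": [],
}

ACCEPTABLE_LOSS = 50_000  # assumed management-approved loss threshold in US$


def maximum_acceptable_outage(impact: Dict[int, int], acceptable_loss: int) -> int:
    """Longest surveyed outage (hours) whose impact still stays within the threshold.

    Returns 0 when even the shortest surveyed outage is unacceptable; the caller
    should treat that as a finding (the activity needs near-continuous availability).
    """
    mao = 0
    for hours in sorted(impact):
        if impact[hours] > acceptable_loss:
            break
        mao = hours
    return mao


def derive_rtos(maos: Dict[str, int], dependencies: Dict[str, List[str]]) -> Dict[str, int]:
    """Start with RTO = MAO, then tighten (assumed rule): anything an activity depends
    on must be recovered no later than the activity itself. Iterates to a fixed point
    so that dependency chains, and even accidental cycles, are handled."""
    for activity, deps in dependencies.items():
        missing = [a for a in [activity, *deps] if a not in maos]
        if missing:
            raise ValueError(f"{activity}: no MAO recorded for {missing}")
    rto = dict(maos)
    changed = True
    while changed:
        changed = False
        for activity, deps in dependencies.items():
            for dep in deps:
                if rto[dep] > rto[activity]:
                    rto[dep] = rto[activity]
                    changed = True
    return rto


def recovery_priority(rto: Dict[str, int], dependencies: Dict[str, List[str]]) -> List[str]:
    """Shortest RTO recovers first; ties go to the activity more others depend on."""
    dependents = {a: 0 for a in rto}
    for deps in dependencies.values():
        for dep in deps:
            dependents[dep] += 1
    return sorted(rto, key=lambda a: (rto[a], -dependents[a], a))


def run_bia(impact_over_time=IMPACT_OVER_TIME, dependencies=DEPENDENCIES,
            acceptable_loss=ACCEPTABLE_LOSS):
    """Questionnaire figures -> MAO per activity -> dependency-tightened RTO -> priority."""
    maos = {a: maximum_acceptable_outage(i, acceptable_loss) for a, i in impact_over_time.items()}
    rtos = derive_rtos(maos, dependencies)
    return maos, rtos, recovery_priority(rtos, dependencies)


if __name__ == "__main__":
    maos, rtos, order = run_bia()
    for a in order:
        print(f"{a:18s} MAO={maos[a]:>3}h  RTO={rtos[a]:>3}h")
```

With the constructed figures, order-processing on its own could tolerate an 8-hour outage and it-infrastructure a 24-hour one, but because order-processing cannot resume without it-infrastructure, the dependency pass pulls the it-infrastructure RTO down to 8 hours and moves it to the top of the recovery order. That is the effect the answer describes: the questionnaire gives you MAOs, the dependency analysis gives you the RTOs.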
Minimum documents for business impact analysis
Answer: You should use the following documents:
Business impact analysis methodology, and
BIA Questionnaire
You may also find these two video tutorials useful:
How to write BIA methodology
How to implement BIA according to ISO 22301