  • Weekly status report for management


    Answer: First of all, you can report the status of your project against the Project plan - you can use our Project plan template, and specify there all the documents you have to produce and deadlines for doing so - then you can report whether you delivered those documents within the deadlines. 

    You can add some additional explanation to such report - e.g. you can track each day or each hour what you have been working on, and use that as a basis for detailed explanation. However, I don't find this particularly useful - it is much more important if you delivered the documents as planned.
  • Filling in the inventory of assets


    Answer: You could do the Inventory of assets first if you wish, but it is easier to start filling in the Risk assessment table first - once you are finished with this table, then you just copy the information to the Inventory of assets. 

    When I do the inventory, does every single laptop, server, etc need to be documented? I found this template which was free.

    Answer: This is the same with Inventory of assets and Risk assessment table - you don't have to fill in each and every laptop - you can just specify that you have a class called "laptops" and that the owner of each laptop is a person who is using it. Basically, every time you have several assets which have very similar threats and vulnerabilities, in such cases you can specify these classes of assets instead of single assets. 

    By the way, you can see a detailed explanation about all this in a video tutorial called "How to Implement Risk Assessment According to ISO 27001."
  • Exclusion of security controls in Statement of Applicability


    Answer: There is no limit for the exclusion of the controls from Statement of Applicability, however I never saw a company which would exclude more than 30 controls. The main criteria for excluding the controls from SoA is that there are no risks nor legislative or contractual requirements that would require such a control. 

    If you want to implement those controls at the later stage, there are two ways to do it:

    a) You recognize such risk(s) right away, and in your Risk Treatment Plan define that you will implement applicable controls some time in the future, or

    b) If the risks do not exist at the moment, when you do the risk assessment review in the future recognize them then, and at that time start implementing the controls.
  • How to define criticality?

    Juliano,

    Priority of recovery is determined on the basis of RTO - the activity with the shortest RTO will be recovered first. Quantitative impacts are an input for determining the RTO - for instance if the impact of disruption that lasts 24 hours is US$ 100,000, you can determine that this is not acceptable, so that your RTO needs to be less than 24 hours.
  • Enterprise Branch Certification

    Dear Dejan

    Thank you so much for your wise guidance

     

    Gökhan
  • BIA Questionnaire and the RTO


    Answer: ISO 22301 requires to calculate the RTO (Recovery Time Objective) after you determine the dependencies between all the activities - therefore, in the BIA Questionnaires you should write MAOs (Maximum Acceptable Outages) for each activity, and then in a separate document (that is usually Business continuity strategy) you analyse all the dependencies and decide on the final RTOs for each of your activities.
  • Minimum documents for business impact analysis


    Answer: You should use the following documents:

    Business impact analysis methodology, and
    BIA Questionnaire

    You may also find useful these two video tutorials:

    How to write BIA methodology
    How to implement BIA according to ISO 22301
  • The best ISO to implement for a Data Center


    Answer: Regarding your Data Center, you can take a look at ISO 27031 (a standard for disaster recovery), however I'm always in favor of ISO 27001 because it gives you a clear framework on how to link the business requirements and IT.

    Regarding the security certifications for IT personnel, you can go for CISSP, CISM, CISA, ISO 27001 Lead Auditor or ISO 27001 Lead Implementer - read more in this article: How to learn about ISO 27001 and BS 25999-2
  • Should Physical Cable prototypes be considered as information asset

    Many Thanks Dejan :)
  • ISO 27001 Stage 1 and Stage 2 audit


    Answer: ISO 27001 Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation. You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001

    What is the difference in stage 1 and stage 2?

    Answer: The main difference is that Stage 1 is rather theoretical (it is about reading documents), whereas Stage 2 is very practical - this is where the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards, etc. Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process