
  • Hybrid approach for risk assessment


    Answer: ISO 27001 does not prescribe any approach for risk assessment, so you can adopt the one that best suits your organization, even a hybrid one. The same applies to the process/methodology: you can create your own, provided it fulfills the requirements of the standard.

    But please note that you have to verify if the benefits of adopting a hybrid approach will be greater than the complexity required to perform it.

    For information about alternative approaches for risk identification, please read:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • ISO 27001 implementation case studies


    Answer: For case studies I suggest you these articles:
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
    - A success story about implementation of ISO 27001 and 9001: How online platform Doccle did it https://advisera.com/27001academy/blog/2019/04/08/a-success-story-about-implementation-of-iso-27001-and-9001-how-online-platform-doccle-did-it/
  • Policy content


    "Confidential information must be additionally protected in accordance with the [Richtlinie zur Vertraulichkeit von Informationen]" (Information Confidentiality Policy)

    Should this be the "Richtlinie zur Klassifizierung" (Classification Policy)? I cannot find a "Richtlinie zur Vertraulichkeit" (Confidentiality Policy) - what subdirectory is this in?

    Answer: First of all, sorry for this translation problem.

    The original text in English is "classified information must be additionally protected according to the [Information Classification Policy]"

    The Information Classification Policy is located in folder "08 Annex A Security Controls", subfolder "A.8 Asset Management".
  • Risk assessment report


    Answer:

    I understand that you performed a single risk assessment and risk treatment. Considering that, you can adjust the term "final reports" to "final report" ("final reports" is used only if you have performed more than one risk assessment and risk treatment during the implementation project). As for the period, you can use the period of time in which you performed the risk assessment and risk treatment (please note that this period is important because the purpose of the report is to provide a snapshot of risks at a particular point in time).

    Regarding documents to be used, besides the report itself, there are only two documents that need to be attached to the report (nothing more) - the risk assessment and risk treatment, and both of them are part of the toolkit.
  • Sizing a project team


    Answer: First, it is important to note that there can be two kinds of personnel involved in a project:
    - people regularly involved in all project activities (e.g., project manager, information security expert, etc.)
    - people involved in specific project activities (document review and risk identification for specific departments/processes, etc.)

    Considering that, for a project involving 600 people, the project team would vary from 4 to 6 people, and the extra people related to specific project activities will depend on the organizational structure (e.g., one or two per department/process).

    Please note that people involved in specific project activities will only be needed occasionally on the project, while project team members will probably be involved at least once a week.

    This article will provide you further explanation about responsibilities in a project:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

    This material will also help you regarding responsibilities in a project:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Can ISO 27001 and ISO 22301 be used together in a document?


    Answer: It is not clear which document you are talking about, but some documents in the ISO 27001 & ISO 22301 Premium Documentation Toolkit are common to both the ISMS and the BCMS (e.g., Document Control Procedure and Internal Audit Procedure), or can be used to support both systems, so it is possible to use them for both systems.

    Included in your toolkit there is a List of Documents file which shows which clauses of both standards are covered by each document. Another way to identify this common use is by the comments included in each template. Some comments specifically identify which text can be adjusted so that the document can cover both standards.

    For further information about integrating ISO management systems, please read:
    - How to implement integrated management systems https://advisera.com/27001academy/blog/2015/10/05/how-to-implement-integrated-management-systems/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar-on-demand/
  • Questions about documents


    Answer: I'm assuming you are referring to the Website Privacy Policy.

    Considering that, this template is part of the following toolkits:
    - EU GDPR & ISO 27001 Integrated Documentation Toolkit
    - GDPR Mini Toolkit for Websites
    - EU GDPR Premium Documentation Toolkit

    The document in the EU GDPR Premium Documentation Toolkit can be customized by you to fulfill your needs related to ISMS/BCMS. The document included in the EU GDPR & ISO 27001 Integrated Documentation Toolkit already has the adjustments to be compliant with ISO 27001.

    Second question: Can I use ISO 27001/22301 documents for BOTH the ISMS and the BCMS, referencing both the ISMS and the BCMS in the same document? Or must I use the documents for one or the other, but not both?

    Answer: Some documents in the ISO 27001 & ISO 22301 Premium Documentation Toolkit are common to both the ISMS and the BCMS (e.g., Document Control Procedure and Internal Audit Procedure), or can be used to support both systems, so it is possible to use these documents for both systems.

    Included in your toolkit there is a List of Documents file which shows which clauses of both standards are covered by each document. Another way to identify this common use is by the comments included in each template. Some comments specifically identify which text can be adjusted so that the document can cover both standards.

    For further information about integrating ISO management systems, please read:
    - How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar-on-demand/
  • Sizing information security and cyber security team

    We've received an additional question:

    >Thank you for your information, which leads me to the following question: Does the same apply to banks?

    Answer:

    The general idea also applies to the financial industry, but since it is a highly regulated industry, you should verify whether there are any regulations about specific roles that must be fulfilled (e.g., under the EU GDPR you have to designate a Data Protection Officer - DPO).
  • Risk assessment approach


    Per this article, ISO does not recommend asset-based risk assessment, so why are you selling documentation based on the old format?

    Do you have any documentation based on new format?

    Answer: Sorry, but I think there is a misunderstanding here.

    ISO 27001:2013 in fact no longer requires the use of an asset-threat-vulnerability approach for risk assessment, but this does not mean that it is not recommended, only that organizations can adopt other approaches they consider more suitable for them. They can still use the asset-threat-vulnerability approach if they want, and since this is still the most popular and the most optimal way to implement risk assessment, we decided to keep it in our documentation.
  • Quality control responsibilities


    Answer: You may not manufacture anything, but you buy relevant inputs and you provide some kind of service. So, your quality control responsibilities should include incoming materials or services and service provision.

    The following material will provide you with more information about quality control:
    - ISO 9001: Requirements for the release of the product or service - https://advisera.com/9001academy/blog/2017/03/28/iso-9001-requirements-for-the-release-of-the-product-or-service/
    - How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
    - ISO 9001 document template: Quality Plan - https://advisera.com/9001academy/documentation/quality-plan/
    - Enroll in the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/