1. Write the methodology (EBIOS: 2010 complying with ISO 27005)
2. Prepare metrics (confidentiality, integrity, availability, impact, likelihood, risk appetite, maturity of controls...)
3. Risk management criteria
4. Essential Assets (Process)
5. Support assets (hardware, software, network links, persons, papers...)
6. Link between essential assets and support assets
7. Threat sources (humans, non-humans...)
8. Feared events (concerning the essential assets)
9. Threat scenarios (concerning the support assets)
10. Risk analysis (impact, likelihood, risk level, existing controls, Annex A, prevention, protection, recovery, maturity, action plan, and recalculated impact, likelihood, residual risk level, and acceptance of residual risk)
Is this methodology correct? And what is next to do for continuing the implementation of BCP? I know I'm using the ISMS risk management methodology, is this right?
Answer:
First it is important to note that risk assessment is mostly related to Business Impact Analysis (BIA), when you define which business processes and services are more critical, not Business Impact Plan (BCP), when you define actions to handle a disaster situation.
Considering that, ISO 22301 does not prescribe which risk methodology approach to use, only that risk assessment must be performed, so you can adopt any methodology you see fit for your organization, and the risk assessment and treatment methodology for an ISO 27001 ISMS can be adopted.
The single point of attention is that for business risk analysis you have to consider additional criteria beyond only confidentiality, integrity and availability (e.g., financial, environmental, etc.), so I'd suggest you also consult ISO 31000 as a reference, since it can provide additional criteria.
Once the surveillance audit is concluded the auditor must hold an audit closure meeting, informing among other things the results of the audit:
- any non-conformities (minor and/or major), opportunities for improvement, and observations identified
- his recommendation for the certification body (certification maintenance, certification maintenance after presentation of an action plan to handle minor nonconformities, or certification on hold until major nonconformities are handled)
After the audit closure meeting the auditor must deliver a copy of the audit report and, in case there are nonconformities to be handled, define a deadline for the delivery of the action plan / solving of major nonconformities.
I'm assuming you are referring to Business Impact Analysis (BIA). Considering that, ISO 27001 is not required to implement requirements of ISO 22301, so you do not need to apply ISO 27001 to carry out business impact analysis compliant with ISO 22301.
Tool for carrying out security vulnerability assessment
Answer:
It's our policy not to make recommendations about specific tools, since the selection of a tool will depend on specific requirements and needs of each organization. Some features you can use to help you select a tool are:
- Capability to work with multiple operational systems
- Approach used to identify vulnerabilities (e.g., signatures database, heuristics, etc.)
- Reporting generator module.
Corrective actions and corrections
Answer:
Since correction and corrective action have different focuses on what to solve, this paragraph is necessary to avoid personnel less instructed on ISO standards getting confused. Since the template is fully editable, if you understand that for your organization this second paragraph is not needed, you can delete it (but we do not recommend this).
Regarding the form for corrective actions, ISO 27001 only requires the documentation of corrective actions, not corrections, so to avoid unnecessary effort this form does not cover corrections recording.
Although it is an ISO 9001 article the same concept applies to ISO 27001.
Monitoring legal compliance
Are there any free services I can sign up to that will let me know when any legislation is modified or if there are any new ones, to ensure I keep this up to date at all times?
Answer:
I don’t know any free service of that kind. In certain countries and certain industries, being part of a sectorial association can provide that service for free.
We want to implement the new document structure for 2019 because we have so many things to change, so we are considering setting up the new document structure starting from Revision 00. My question is: can we do it like that?
Answer:
Yes, you can as long as it is clear that it is a new edition of the document structure. Some organizations include edition and revision in the document codification. Others consider the change in edition as a change in the format of the documentation. I helped an organization attain their certification in 2018. After certification we decided to change the process mapping and the document structure and naming and this year, they had their surveillance audit with their new document structure starting from revision 0 without problems.
ISO 27001 does not prescribe which controls for physical premises must be used.
A control is mandatory to be implemented only if:
- results of risk assessment identify unacceptable risks that can be treated by the control
- there are laws, contracts or regulations that require the control to be implemented
- there is a top management decision requiring the control implementation.
If none of these occurs you do not have to implement a control.