
  • ISO 27001 2017 review


    Answer:

    This 2017 version refers to the British version of ISO 27001 (the BS EN ISO/IEC 27001:2017), which does not include any change that impacts requirements defined by the ISO 27001:2013.

    Considering that, the Conformio set of documents is also compliant with this British version of ISO 27001.

    This article will provide you further information:
    - European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
  • Documenting controls


    Answer:

    First, let's understand the differences between these documents. Normally policies define general guidelines (what must be done), while procedures are more specific (defining how to perform an activity), but it is not mandatory that your documentation is divided in such a way.

    Considering that, if your "policy" fulfills requirements from Annex A control A.9.4.2 this is compliant with ISO 27001 and will be acceptable for certification audit.

    These articles will provide you further explanation about documenting controls:
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

    These materials will also help you regarding documentation:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Certification in multiple geographic locations


    Answer:

    First of all, implementing a certification in multiple geographic locations is a complex task and you should go for it only if it is really necessary for business strategies and objectives. Instead you should consider the prioritization of locations and implementing the certification one location at a time.

    Regarding project steps to become certified, they are practically the same for single and multiple locations. Broadly speaking, to implement ISO 27001 an organization has to:
    - Obtain top management support
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security. At this point, for a multiple location project, you have to identify common needs and handle conflicting issues regarding the multiple locations (e.g. conflicting laws and regulations).
    - Define, document and communicate an information security policy and responsibilities relevant to operation and management of information security. For a multiple location project you should consider an organization-wide policy defining common requirements and defining that local issues are to be considered for specific topics (e.g., a common issue may be top management commitment to the ISMS, and a specific issue is the definition of security objectives for each location).
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment
    - Operate the security controls and generate the necessary records. This is another point where implementation can differ according to the location
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    Regarding support required, to increase chances of success, it is important that persons involved have experience in project management and knowledge of the standard, and that you consider hiring expert legal advice to map legal requirements and handle conflicting issues.
    Last, but not least, you have to consider a certification body that can cover all locations you wish to include in your certification.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
  • Using the context of the organization


    Answer:
    Although ISO 9001:2015 does not require a documented context of the organization, when working with organizations I help them develop a document, a report for example, that acts as an input to the management review. Organizations should determine the context and use it to inform decision making. That way, we also ensure that for the next management review the context information is updated.

    You can find more information in the following links:
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - Free online ISO 9001:2015 Foundations Course - https://training.advisera.com/course/iso-90012015-foundations-course/
    - Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • BCP/BIA templates


    Answer:

    For a BIA toolkit I suggest you take a look at this free demo: https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/

    Or if you want to implement the whole ISO 22301 (including BIA and BCP), you can upgrade to this ISO 27001 & ISO 22301 Premium Documentation Toolkit: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    Also, I’m looking at Conformio, but also need to attach incidents, risks, actions, etc. Our organization (an agency for the UN) is not really big, so budget is a constraint. I would prefer not to go with Eramba (bad experience). Would you have plans for Conformio to add more features? Or could you suggest a system / platform that can be helpful for us?

    In the second half of 2019 we plan to launch a new version of Conformio which will have a Risk register that will relate assets, threats, vulnerabilities, impact, likelihood, controls, and activities to implement them.
  • ISO 27001 and ISO 22301 communication plan


    Answer:

    Neither ISO 27001 nor ISO 22301 requires the communication plan to be documented; these standards only specify the activities you must do.

    Considering that, depending on the size of the organization and its security objectives, a Communication Plan could be more or less formal, fully documented as a separate document or simply stated in a few sentences within other policies, procedures and plans (our toolkits adopt this second approach).

    For example, in the Information Security Policy, the security organization and the key roles and responsibilities are communicated. In the Awareness plan, the general and specific requirements to respond to incidents can be communicated. In the Incident management procedure it is specified who needs to communicate with whom, as it is in the Business continuity plan.

    If you do want to create a separate Communication plan, then this article will provide you further explanation about communication plans (although it focuses on ISO 27001, the same concepts can be applicable to ISO 22301):
    - How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
  • Compliance with ISO 27001 and GDPR

    Answer: If you are an organization operating inside the EU, and your scope is the whole organization, then indeed you will not be able to exclude GDPR (as you said, at least the personal data of your employees will have to be protected considering Article 32).

    As for an example where you can exclude GDPR from your ISMS list of requirements, even if you operate inside the EU, I can mention a scope limited to a Research and Development process/department, provided that it does not use EU citizens' personal data in test databases.
  • Risk Management and BCM


    Answer:

    There is no definitive organizational structure for a BCM, so here are some examples:
    - For micro and small businesses, the BCM may consist of only one person, accumulating this role with other business functions.
    - For mid-size businesses, the BCM may consist of a person dedicated to this function plus a small team for operational activities.
    - For large businesses, the BCM may consist of a business manager or coordinator with teams dedicated to specific business processes (e.g., IT, physical infrastructure, logistics, etc.)
    The common point is that all these structures are subordinated to Top Management, either to the CEO himself or to a Senior Manager.

    Regarding the role of the Risk Management team in BCM, this team works to identify and prioritize the most relevant risks that can lead to business disruption and works with related interested parties to identify, implement and periodically evaluate the effectiveness of controls and continuity plans. Their role is more on prevention, performance evaluation and continual improvement than on handling the disruptive event when it happens.

    These articles will provide you further explanation about BCM roles:
    - The challenging role of the ISO 22301 BCM Manager https://advisera.com/27001academy/blog/2016/03/21/the-challenging-role-of-the-iso-22301-bcm-manager/
    - Beyond the BCM Manager: Additional roles to consider during the disruptive incident https://advisera.com/27001academy/blog/2016/12/05/beyond-the-bcm-manager-additional-roles-to-consider-during-the-disruptive-incident/

    These articles, although related to ISO 27001, standard for Information Security Management, use concepts that can also be applied to BCM:
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - Where does information security fit into a company? https://advisera.com/27001academy/blog/2016/10/24/where-does-information-security-fit-into-a-company/

    This material can also provide you further information:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • BIA and risk analysis

    Thank you so much for your response, it was really helpful
  • Certification ISO 27001


    Answer:

    ISO 27000 and ISO 27002 aren't certifiable standards; they are support standards to implement ISO 27001, so you only need to fulfill the requirements of ISO 27001 to certify an ISMS.

    These articles will provide you further explanation about ISO 27001 and ISO 27002:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/