
  • Certification in multiple geographic locations


    Answer:

    First of all, implementing a certification in multiple geographic locations is a complex task and you should go for it only if it is really necessary for business strategies and objectives. Instead you should consider the prioritization of locations and implementing the certification one location at a time.

    Regarding project steps to become certified, they are practically the same for single and multiple locations. Broadly speaking, to implement ISO 27001 an organization has to:
    - Obtain top management support
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security. At this point, for a multiple location project, you have to identify common needs and handle conflicting issues regarding the multiple locations (e.g. conflicting laws and regulations).
    - Define, document and communicate an information security policy and responsibilities relevant to the operation and management of information security. For a multiple location project you should consider an organization-wide policy defining common requirements and stating that local issues are to be considered for specific topics (e.g., a common issue may be top management commitment to the ISMS, and a specific issue is the definition of security objectives for each location).
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment
    - Operate the security controls and generate the necessary records. This is another point where implementation can differ according to the location
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    Regarding the support required, to increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard, and that you consider hiring expert legal advice to map legal requirements and handle conflicting issues.
    Last, but not least, you have to consider a certification body that can cover all locations you wish to include in your certification.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
  • Using the context of the organization


    Answer:
    Although ISO 9001:2015 does not require a documented context of the organization, when working with organizations, I help them develop a document, a report for example, that acts as an input to the management review. Organizations should determine the context and use it to inform decision making. That way, we also ensure that for the next management review the context information is updated.

    You can find more information in the following links:
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - Free online ISO 9001:2015 Foundations Course - https://training.advisera.com/course/iso-90012015-foundations-course/
    - Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • BCP/BIA templates


    Answer:

    For a BIA toolkit I suggest you take a look at this free demo: https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/

    Or if you want to implement the whole ISO 22301 (including BIA and BCP), you can upgrade to this ISO 27001 & ISO 22301 Premium Documentation Toolkit: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/

    Also, I’m looking at Conformio, but also need to attach incidents, risks, actions, etc. Our organization (an agency for the UN) is not really big, so budget is a constraint. I would prefer not to go with Eramba (bad experience). Would you have plans for Conformio to add more features? Or could you suggest a system / platform that can be helpful for us?

    In the second half of 2019 we plan to launch a new version of Conformio which will have a Risk register that will relate assets, threats, vulnerabilities, impact, likelihood, controls, and activities to implement them.
  • ISO 27001 and ISO 22301 communication plan


    Answer:

    Neither ISO 27001 nor ISO 22301 requires the communication plan to be documented; these standards only specify the activities you must do.

    Considering that, depending on the size of the organization and its security objectives, a Communication Plan could be more or less formal, fully documented as a separate document or simply stated in a few sentences within other policies, procedures and plans (our toolkits adopt this second approach).

    For example, the Information Security Policy communicates the security organization and the key roles and responsibilities. In the Awareness plan, the general and specific requirements to respond to incidents can be communicated. In the Incident management procedure it is specified who needs to communicate with whom, as it is in the Business continuity plan.

    If you do want to create a separate Communication plan, then this article will provide you further explanation about communication plans (although it focuses on ISO 27001, the same concepts can be applied to ISO 22301):
    - How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
  • Compliance with ISO 27001 and GDPR

    Answer: If you are an organization operating inside the EU, and your scope is the whole organization, then indeed you will not be able to exclude GDPR (as you said, at least the personal data of your employees will have to be protected considering Article 32).

    As for an example where you can exclude GDPR from your ISMS list of requirements, even if you operate inside the EU, I can mention a scope limited to the Research and Development process/department, provided that it does not use EU citizens' personal data in test databases.
  • Risk Management and BCM


    Answer:

    There is no definitive organizational structure for BCM, so here are some examples:
    - For micro and small businesses, the BCM may consist of only one person, accumulating this role with other business functions.
    - For mid-size businesses, the BCM may consist of a person dedicated to this function plus a small team for operational activities.
    - For large businesses, the BCM may consist of a business manager or coordinator with teams dedicated to specific business processes (e.g., IT, physical infrastructure, logistics, etc.)
    The common point is that all these structures are subordinated to Top Management, either to the CEO himself or to a Senior Manager.

    Regarding the role of the Risk Management team in BCM, this team works to identify and prioritize the most relevant risks that can lead to business disruption and works with related interested parties to identify, implement and periodically evaluate the effectiveness of controls and continuity plans. Their role is more on prevention, performance evaluation and continual improvement than on handling the disruptive event when it happens.

    These articles will provide you further explanation about BCM roles:
    - The challenging role of the ISO 22301 BCM Manager https://advisera.com/27001academy/blog/2016/03/21/the-challenging-role-of-the-iso-22301-bcm-manager/
    - Beyond the BCM Manager: Additional roles to consider during the disruptive incident https://advisera.com/27001academy/blog/2016/12/05/beyond-the-bcm-manager-additional-roles-to-consider-during-the-disruptive-incident/

    These articles, although related to ISO 27001, the standard for Information Security Management, use concepts that can also be applied to BCM:
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - Where does information security fit into a company? https://advisera.com/27001academy/blog/2016/10/24/where-does-information-security-fit-into-a-company/

    This material can also provide you further information:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • BIA and risk analysis

    Thank you so much for your response, it was really helpful
  • Certification ISO 27001


    Answer:

    ISO 27000 and ISO 27002 aren't certifiable standards; they are support standards to implement ISO 27001, so you only need to fulfill the requirements of ISO 27001 to certify an ISMS.

    These articles will provide you further explanation about ISO 27001 and ISO 27002:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Questions to top management


    Answer:

    In fact you do not need 10 questions for top management regarding information security, because they do not need to have deep knowledge of information security to properly support it. These are the main questions you should consider asking them:
    - Which benefits do you understand information security management brings to your company?
    - How do information security objectives support business objectives?
    - By which means do you support information security practices in your company?

    Of course you can expand these questions to fulfill your needs (e.g., specific questions about communicating the information security policy and the realization of management review).

    These articles will provide you further explanation about top management and ISO 27001:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
  • Customer-facing Acceptable User Policy


    Answer:

    Included in your toolkit there is an "IT Security Policy" template, located in folder 08 Annex A, A.8 Asset management, which defines clear rules for the use of the information system and other information assets.