While ISO 22000 defines requirements for food safety management systems, ISO 22301 defines requirements for business continuity, so organizations can manage conditions to protect the business from disruptive incidents when they arise, and ensure minimum continuity levels.
Considering your demands, you should look for training on ISO 22000. Unfortunately, at this moment we do not provide such training.
To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar, you may use existing controls and security metrics with only minor adjustments.
Included in your toolkit there is a List of Documents file that shows which controls from Annex A are covered by each template in your toolkit. This file is in the root folder of the zip file you received.
Processes periodicity
Answer:
Considering a software development company as an example, processes performed on a daily basis that we can mention are coding and testing activities. As for weekly processes, you can think of the release of a new version to the production environment.
ISO 27001 does not prescribe how many controls you must use to treat a risk, so you can use as many controls as you see proper for your organization (the applicable controls will have to be stated as such in the SoA). It is important to note that while applying multiple controls can significantly decrease a risk, it will also require more administrative effort, and these controls may also introduce new risks, so this approach should balance security with effort and new risks.
Answer: ISO 27001 does not require you to assess assets, but it does require you to assess the likelihood and impact of a risk. When the impact of a risk is assessed, you have to take into account the effects of this risk on the confidentiality, integrity and availability of your data.
Q2: Does the RTP have to cover all risks identified against each of the controls, or only high/medium risks identified from your risk assessment performed against the company's assets?
Answer: The Risk Treatment Plan (RTP) has to cover only the controls that have not yet been implemented - it doesn't matter which assets or risks those controls are related to. The risk treatment process has a different purpose than the RTP - it has to cover only the unacceptable risks, i.e. the highest risks you identified during the risk assessment process.
The development of business continuity plans often requires the involvement of several people, because the plan has to consider multiple views such as business, operations, financial, etc. Since these people normally have little experience in developing BCPs, it is the role of the BC manager / implementer to coordinate their efforts, guiding them in the identification of needed information and resources, defining objectives and activation/deactivation conditions, etc. In some cases, after gathering all the information, they can write the part of the plan that involves the activities they will be involved with, while you can write the parts more related to the Business Continuity Management System (e.g., communication plan).
ISO 9001:2015 doesn't state or require anything on how organizations should name the different documents, so it will be up to the company how to do it. As you mention in your consultation, companies usually use the following documentation structure:
- level 1 - Quality Manual
- level 2 - Quality Policy
- level 3 - Procedures
- level 4 - Instructions
- level 5 - Records
When it comes to risk treatment, there are four general options: mitigate, avoid, transfer and accept. So, in a sense, even raw risks can be considered residual risks (when the chosen treatment for them is to accept the risk).
NIST 800-171, Aerospace standards, CIS 20, NIST 800-53 with ISO 27001 Standards
Answer:
NIST 800-171, NIST 800-53, and CIS 20 (Center for Internet Security) provide detailed information for the implementation of some controls related to ISO 27001 Annex A, so to integrate these controls with ISO 27001 you have to map the relationship between them. NIST documents already have annexes that identify these relations (NIST 800-171 Annex D and NIST 800-53 Annex H). Unfortunately, we are not experts on CIS 20 and cannot tell you whether such relations have already been mapped.
Regarding Aerospace standards, without details about which one you are referring to, we are unable to provide a proper answer.