Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Toolkit's content
Some of the questions may seem obvious, sorry about that. I´ll list them so I think it´ll be easier to address;
- Any document that is related to a control, marked with “*” in the LoD, is only mandatory only if such control applies, right?
- Access control policy; why is it mandatory in CoM but depends on if control is applicable in LoD?
- 8.A.8 Acceptable use of Assets (CoM) is Acceptable use p olicy (LoD)?
- A.12 Any difference between Operating procedure for IT management and Operating procedure for ICT?
- 8.A.14 Secure System Engineering principles (+ Appendix) in the Checklist, is this one the same as Secure Development Policy (+ appendix) template from the toolkit? I guess, but just to make sure
- 8.A.15 Supplier Security Policy; this one is not checked as mandatory in the LoD, but the Annex is (only if a control applies) and it is also in the CoM?
- 8.A.17 Disaster Recovery Plan (LoD) is Business Continuity Procedures (CoM), right?
- Definition of security roles and responsibilities (CoM); is this in Template 02 in the toolkit or somewhere else?...
Answer:
The general answer for your question is always to follow the content of your toolkit, in this case the list of documents file (LoD), because it is the most updated version considering the standard's requirements and templates content.
Regarding your specific questions:
- Any document that is related to a control, marked with “*” in the LoD, is only mandatory if such control applies, right?
Answer: Yes, your understanding is correct
- Access control policy; why is it mandatory in CoM but depends on if control is applicable in LoD?
Answer: If you read the article again, you will see in the first paragraph of section "Mandatory documents and records required by ISO 27001:2013" a note informing that "...documents from Annex A are mandatory only if there are risks which would require their implementation.)". So, in both documents the Access Control Policy depends on if control is applicable.
- 8.A.8 Acceptable use of Assets (CoM) is Acceptable use policy (LoD)?
Answer: These titles refer to the same template. Please consider the information in the list of documents file of your toolkit as the most updated.
- A.12 Any difference between Operating procedure for IT management and Operating procedure for ICT?
Answer: No differences.
- 8.A.14 Secure System Engineering principles (+ Appendix) in the Checklist, is this one the same as Secure Development Policy (+ appendix) template from the toolkit? I guess, but just to make sure
Answer: Secure System Engineering principles is one topic in the Secure Development Policy, which covers other controls, like Identification of security requirements.
- 8.A.15 Supplier Security Policy; this one is not checked as mandatory in the LoD, but the Annex is (only if a control applies) and it is also in the CoM?
Answer: Please consider it as not mandatory as listed in the list of documents file of your toolkit.
- 8.A.17 Disaster Recovery Plan (LoD) is Business Continuity Procedures (CoM), right?
Answer: The Disaster Recovery Plan template can be used to cover the controls related to Business Continuity Procedures on small and medium size organizations. On some organizations their requirements may define the development of additional documents.
- Definition of security roles and responsibilities (CoM); is this in Template 02 in the toolkit or somewhere else?
Answer: General roles and responsibilities can be defined in the Information Security Policy, while specific responsibilities and roles are described throughout all templates. -
Time between surveillance audits
Answer:
Surveillance audits have to be performed at least once a year. Consider a certification audit performed in November 2018, the first surveillance audit will take place in November 2019, and the second (and last) surveillance audit in November 2020. After this, in November 2020, the certificate would expire, and a company could go for the recertification audit.
Some certification bodies schedule surveillance audits within a time frame inferior to 12 months to avoid a situation where a surveillance audit find major nonconformities and there is no time to close those nonconformities until the 12 month limit after the last audit, situation that should translate into a loss of certification.
The following material will provide you information about surveillance audits:
- ISO 9001 – What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/ dit/
- free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Statement of Applicability
Answer:
ISO 27001 Annex A is not to be used as a document for the ISMS. It is a reference for the definition of which controls to use to protect information and to built the Statement of Applicability. The SoA differs from Annex A because it only makes reference to the controls on Annex A (it does not contain the description of each control), and contains other information, such as which controls are applicable, whether they are implemented or not, and justi fication of controls from Annex A you are not using.
To see how a Statement of Applicability looks like, I suggest you to take a look at the free demo of our Statement of Applicability template at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/
These articles will provide you further explanation about Statement of Applicability and ISO 27001 documentation:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
These materials will also help you regarding Statement of Applicability and ISO 27001 documentation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO 22000 and ISO 22301
Answer:
While ISO 22000 defines requirements for food safety management systems, ISO 22301 defines requirements for business continuity, so organizations can manage conditions to protect business from disruptive incidents when they arise, and ensure minimal continuity levels.
Considering your demands, you should look for training on ISO 22000. Unfortunately at this moment we do not provide such training.
For more information about ISO 2301 and business continuity, please see:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/ -
Scope extension
Answer:
To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, in an scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar you may use existent controls and security metrics with only minor adjustments.
This article will provide you further explanation about implementing ISO 27001 (the concepts are the same for scope extension):
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding implementing ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Toolkit content
Answer:
Included in your toolkit there is a List of Documents file that shows which controls from Annex A are covered by each template from your toolkit. This file is on the root folder of the zip file your received. -
Processes periodicity
Answer:
Considering as example a software development company, as processes performed on a daily basis that we can mention are codification and testing activities. As for weekly based process you can think of the release of a new version on production environment.
These articles will provide you further explanation about Setting an Awareness program:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/ -
Controls application
Answer:
ISO 27001 does not prescribe how many controls you must use to treat a risk, so you can use as many controls as you see is proper for your organizations (the applicable controls will have to be stated as such on the SoA. It is important to note that while applying multiple controls can significantly decrease a risk, it will also require more administrative effort, and these controls may also introduce new risks, so this approach should balance security with effort and new risks.
This article will provide you further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ -
Assessing the C-I-A of assets
Answer: ISO 27001 does not require you to assess assets, but it does require you to assess likelihood and impact of a risk. When the impact of a risk is assessed, you have to take into account the effects of this risk on the confidentialiy, integrity and availability of your data.
Q2: Does the RTP have to cover all risks identified against each of the controls or only high/medium risks identified from your risk assessment performed against the companies assets?
Answer: The Risk Treatment Plan (RTP) has to cover only the controls that have not yet been implemented - it doesn't matter to which assets or risks those controls are related to. The risk treatment process has a differentu purpose than the RTP - it has to cover only the unacceptable risks, i.e. the highest risks you identified during the risk assessment process.
See also these articles:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
These materials will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/ -
Who will write Business Continuity Plan
The development of business continuity plans often requires the involvement of several persons, because the plan has to consider multiple views such as business, operation, financial, etc. Since these people normally have low experience on developing BCPs, it is the role of the BC manager / implementer to coordinate their efforts, guiding them on the identification of needed information and resources, defining objectives and activation/deactivation conditions, etc. On some cases, after gathering all the information, they can elaborate the part of the plan that involves the activities they will be involved with, while you can write the parts more related to the Business Continuity Management System (e.g., communication plan).
To see how a BCP looks like, I suggest you to take a look at the free demo of our Business Continuity Plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/
These articles will provide you further explanation about Business Continuity Plans:
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
- The challenging role of the ISO 22301 BCM Manager https://advisera.com/27001academy/blog/2016/03/21/the-challenging-role-of-the-iso-22301-bcm-manager/
This material will also help you regarding Business Continuity Plans:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/