Please note that the RTO is related to the time needed to recover minimal agreed service levels after disruption is detected, not to the duration of an incident.
So, a more proper statement would be that the DRP will be activated as long as the time to recover minimal agreed service levels exceeds the established RTO time.
For example, in a disruption caused by a lightning bolt, the incident can be over in seconds, while in a disruption caused by fire, it may take several hours for the fire to be extinguished.
In the fire situation, you do not need to wait for the fire to be controlled to assess the time for recovery, compare it with the RTO, and decide to activate the DRP.
This article will provide you with further explanation about RTO:
Please note that the objective of ISO 22301 is business continuity, so its core processes are quite different from those of ISO 27001. While ISO 27001 focuses on risk management for information security, ISO 22301 focuses on business impact analysis for business continuity.
I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit to see a preview of the templates: https://advisera.com/27001academy/iso22301-documentation-toolkit/
This article will provide you with further explanation about ISO 22301:
This material will also help you regarding ISO 22301:
1 - In document 2.1 it asks for requirements. It is not clear to me how to identify those requirements. Can we link them to controls from the Annex?
Answer: The requirements related to the template “List of Legal Regulatory Contractual and Other Requirements” refer to needs and expectations defined in laws, regulations, and contracts the organization must fulfill (e.g., protection of privacy due to GDPR, service continuity due to a Service Level Agreement with a customer, etc.).
Such requirements, together with the results of the risk assessment, provide the basis for defining which controls from ISO 27001 Annex A will be implemented by an organization to protect information.
For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
2 - For the ISMS Scope: we want to certify only our location in *** and we were advised by certification bodies to not mention our second location in *** at all. However, our processes happen regardless of the location and part of them happens in ***. Can we (and how) exclude *** from the ISMS while keeping the processes?
Answer: You can define the ISMS scope only in terms of site *** and treat site *** as an external party (e.g., like a supplier).
This way you can treat information security for them by means of “service agreements”, and they would not be a direct part of the ISMS scope.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
3 - Given that it's the first time we implement ISO in aug.e, what are the steps we should follow regarding filling in the documents? It seems to us that we will have to go back and forth in a way that will be quite confusing. I couldn't find any relevant information in the Advisera courses.
Answer: Please note that for conducting the implementation in the most efficient way you should implement the documents in the order they are displayed in the folders in the toolkit (i.e., first the Procedure for Document and Record Control, then the EU GDPR Readiness Assessment, then the Project Plan, the Procedure for Identification of Requirements, and so on).
Thank you very much for your support, it's highly appreciated.
First of all, we are sorry for this situation.
At this moment it is not possible to include other sources of controls besides ISO 27001 Annex A in the risk register.
ISO 27001 Annex A is a comprehensive set of controls, and if we know which control you are planning to use, we may be able to link to an equivalent control from ISO 27001 Annex A.
In case there is no possible relation to Annex A controls, a workaround would be for you to upload to Conformio a document stating which risk (i.e., asset, vulnerability, threat, risk value) will be treated by controls not related to ISO 27001 Annex A, also stating the residual risk.
1 - Can the ISMS Security Objectives be the same as the Control Objectives of ISO 27001:2013, or are they two different types of objectives?
Answer: ISMS Security Objectives and Control Objectives are different. The ISMS Security Objectives are top-level objectives related to the business strategy, while the Control Objectives are operational objectives related to what is expected from the controls.
Examples you can consider for the ISMS Security objectives are:
- decrease the impact and/or number of information security incidents
- increase revenue
- win a new customer
- increase market share
When using our Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
These articles will provide you with further explanation about objectives in ISO 27001:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
2 - What is the difference between an information security policy and a recommended control or can they be the same?
Answer: Information Security Policy is a top-level document that does not specify any security controls. You can write a specific policy for a particular control, e.g. "Backup policy" for the control A.12.3.1 "Information backup", and in such case, the Backup policy is the implementation method for the control A.12.3.1.
For further information, see:
- What is ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-iso-27001/
3 - For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken?
Answer: You can use the requirements of the standard as guidance to write your own rules. You must not copy the requirement literally, because this would be a violation of ISO’s intellectual property. The templates in your toolkit are already written to be fully compliant with the standard.
4 - For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken?
Answer: As in the previous answer, you must not copy the Control Objectives’ statements literally, because this would be a violation of ISO’s intellectual property. With just small changes you can adapt the standard’s text to your needs.
5 - For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken?
Answer: You need to adjust the text to avoid violating intellectual property rights. Something like:
“Employment agreements, including those established with contractors, must define information security responsibilities for both the employee and the organization.”
However, the Statement of Applicability that you will find in your toolkit already specifies the activities you need to perform to comply with each control from ISO 27001. There is no additional text needed.
For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
The scenario you are describing can be analysed from an IT Security perspective and from a privacy-compliance perspective.

From an IT Security perspective, the company might ask each employee to use a specific combination of username/password to make sure that it has better control over the company’s assets. There are modern technologies that allow recovery of lost passwords or account elevation, but certain companies might choose this approach. So from an IT Security perspective, if a company employs certain controls related to how these usernames/passwords can be used (in order to avoid impersonation of users), the scenario might be OK.

From a privacy-compliance perspective, Article 25 GDPR - Data protection by design and by default - mentions that: “the controller shall […] implement appropriate technical and organizational measures […] which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” and that “The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”. So, in order to be GDPR-compliant, the company should deploy a thorough IT Security Policy describing all the controls implemented to protect the private lives of employees, an Access Control Policy to establish who can access which resource and when, a BYOD (Bring Your Own Device) Policy if employees use their own devices, and a Mobile Device and Teleworking Policy if the employees work from home. These policies should be amended with the necessary controls to make sure that impersonation of users is avoided. You can find templates for these documents in our EU GDPR Premium Documentation Toolkit.

Also, in Article 5 GDPR - Principles relating to the processing of personal data - the third principle, at para 1. c, is called the principle of minimization: the personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The second principle, which is called purpose limitation, at para 1. b, states that personal data must be collected for specified, explicit, and legitimate purposes. In this case, the purpose would require one of the legal grounds for processing personal data, as mentioned in Article 6 GDPR - Lawfulness of processing. Consent wouldn’t work because it wouldn’t be freely given, according to the European Data Protection Board’s Guidelines 05/2020 on consent under Regulation 2016/679. If the company would like to use Legitimate Interest for this processing, the legitimate interest must pass a balancing test between the company’s interests and the interests or fundamental rights and freedoms of the employees which require protection of personal data. So my recommendation would be to perform a Data Protection Impact Assessment for this processing. As part of our EU GDPR Premium Documentation Toolkit, we have a Data Protection Impact Assessment methodology that can be used.
Please consult these links as well:
Please note that all the information you need to develop these records is in the template itself:
In the comments of each section, you will find examples that you can use to fill in the records.
Regarding templates for these records, ISO 27001 does not prescribe the layout for these records, so organizations can develop them as they see fit.
For example, for the record about “Decisions about the communication channels…” you can use the current way your organization records decisions (there is no need to develop a specific document for the ISMS).
This article will provide you with a further explanation of record management:
This material will also help you regarding record management:
Please note that each template is already fully compliant with the standard, so you won’t have problems with the audit if you only customize the templates where indicated by the comments included in each template.
The comments in the templates inform where you need to customize the document according to your needs (i.e., include, alter, or exclude information).
Please avoid altering parts of the document where there are no comments available because this can cause the document to become non-compliant with the standard.
The validity of an internal auditor certification is related to the version of the standard, i.e., as long as the version of the standard related to the certification is valid, the internal auditor certification is valid.
In your example, since ISO 27001:2013 was confirmed in 2019, an internal auditor certification issued in 2015 is still valid, but please note that after the release of the new version of ISO 27001 expected for this year, this certification will become outdated.