  • Mandatory DRP


    Need your advice on this, as I feel it's not mandatory to have a DRP.

    Answer: Although ISO 22301 clause 8.4.4 requires procedures for responding to disruptive incidents (e.g. business continuity plan(s) and recovery plan(s), including the disaster recovery plans), neither this standard nor ISO 27001 mentions "badge access request", so you need to analyse the following issues to confirm if a DRP is required for this specific process:
    - the results of the business impact analysis (can the time needed to recover minimal conditions for this process after a disruptive incident prevent the organization from achieving its objectives for recovery or continuity of the business?)
    - legal requirements applicable to the organization (e.g., are there any laws or contracts demanding this specific DRP?)
    - top management decisions specifically related to the recovery or continuity of this process (regardless of any other conditions, does top management require a DRP for this process?)

    If after verifying these issues you identify no reason to have a DRP for this process, then you can consider this DRP as not needed.

    This article will provide you further explanation about mandatory ISO 22301 documentation:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

    This material will also help you regarding mandatory ISO 22301 documentation:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Auditing clause 4.1

    Hi. May I know how to audit clause 4.1? Thanks.
  • Compliance of U.S. company dealing with B2B customers


    Answer: In order to provide a precise answer we would need some more information on the type of transactions and services provided by the US based company, as well as the purpose of collection of the personal data.

    If this information is lacking, my first choice would be to consider that the US based company is acting as a processor, and since they are dealing with an EU based controller there is a high chance that GDPR would be applicable for the processing activities involving EU citizens' personal data.

    See also this article: EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Risk assessment


    Answer:

    There is no requirement in the standard to update the risk assessment on a periodic basis. Nevertheless, a company can decide to update the risk assessment based on the calendar. Another possibility is to update the risk assessment based on nonconformities occurrence (see clause 10.2.1 e)) or after reviewing information about internal and external issues (see clause 4.1), or about interested parties (see clause 4.2).

    The following material will provide you with information about risk assessment:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
    - ISO 9001:2015 Risk Management Toolkit https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Defining the scope of IATF 16949 based QMS


    Answer:

    Supporting functions, whether onsite or remote (such as design centres, corporate headquarters, and distribution centres) should be included in the Quality Management System. You need to include all of them if they are part of your company. Auditing just a corporate headquarters won't provide evidence that your company is fully compliant with the standard; all processes and functions need to be audited.

    For more information, see: How to define scope of the QMS according to IATF 16949:2016 https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/
  • CIA

    First of all, you should note that the threats in the ISO 27005 catalogue are only examples. They are not mandatory, and probably your organization will have some threats that won't be there (you have to identify them by performing the risk assessment process).

    That said, to identify if a threat is related to confidentiality, integrity or availability, you have to analyse how the threat will work over an asset. For example, malicious software can either allow an unauthorized person to access information in a database (compromising confidentiality), change it (compromising integrity), or destroy it (compromising availability). This will depend on how the malicious software works.

    In the case of embezzlement, it is, by definition, a financial fraud (a fraudulent conversion of the property of another person by the person who has lawful possession of the property). Basically this threat is related to the information about the ownership of a property, so it can be related to compromise of information integrity, since many times it involves falsification of records in order to conceal the activity.
  • BCP presentation


    Answer: I suggest you take a look at this free-to-download presentation: Why ISO 27001 – Awareness presentation, which you can find at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

    You can use the general framework and adapt it to your needs. For example, you can change the following information:
    - "what ISO 27001 is all about" to "what ISO 22301 is all about"
    - "why is it good for the company – and also for themselves" to "why BCPs are good for the company – and also for themselves"
    - "what is their role in handling information security" to "what is their role in BCP"
    Then you can finish by presenting the BCP.

    Additionally, I suggest you watch this free webinar ISO 22301: Resumen del proceso de implementación de GCN https://advisera.com/27001academy/es/webinar/iso-22301-an-overview-of-bcm-implementation-process-free-webinar/ - maybe you can use some items from here.
  • Scope definition


    Have you written a blog post that could help me, and I'm sure others, understand the boundaries of an ISMS scope?

    Answer: The first thing you need to identify for the scope's limits is the organization's purpose for its ISMS and the requirements this ISMS has to fulfill. Once you know that, you can identify how each department you mentioned is related to this purpose and these requirements, and then you can define the scope limits.

    Examples of limits for the scope related to Finance and HR may be:
    - Financial reports deemed for regulatory bodies (e.g., as required by SOX)
    - Employees' and customer's medical records (e.g., as required by HIPAA)

    For IT departments, the scope could be limited to information systems used by Financial and HR departments.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment on Conformio


    Answer: Conformio does not have a separate module for risk management; however, if you go for the Startup Plan, you will get the ISO 27001 Documentation Toolkit, which will enable you to perform the risk assessment and treatment using the Word and Excel files.

    Among other templates, this toolkit contains the following documents: Risk Assessment and Risk Treatment Methodology, Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. They can help you cover ISO 27001 requirements regarding risk management.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Meaning of information to ISO 27001

    The ISO 27002 corrigendum related to the change of control objective A.8.1.1 in ISO 27001 does not add any clarification regarding the meaning of information. It only makes text adjustments regarding the change of control objective. To see this corrigendum, please access this ISO page: https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:cor:1:v1:en
    In fact, the ISO 27001 series does not define the meaning of information, allowing organizations to use the definition considered most appropriate to their context. So, my recommendation is that your organization documents a definition of information that is adequate to its context and implements its controls according to this definition.