  • Alternative site and ISO 22301


    During the first audit (Gap Analysis) for the standard (22301) it seemed that the alternative site is a must

    Answer: No. An alternative site is not mandatory by ISO 22301, but what may happen is that the results of your business impact analysis may point out that your organization should consider it as a strategy to ensure business continuity in specific disaster scenarios.

    In cases like these, if your organization decides not to adopt an alternative site as a business continuity strategy, it should record this decision and the criteria adopted to support it.

    These articles will provide you with further explanation about alternative sites:
    - Business continuity for small businesses – necessity or not? https://advisera.com/27001academy/blog/2011/04/04/business-continuity-for-small-businesses-necessity-or-not/
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
  • ISO 22301 scope


    “An IT services organisation having contracts with customer for both onshore and Offshore work. The BCP that organisation has is primarily focused on the services being rendered from Offshore sites.” My questions are

    1 - Does Onshore work also need to be covered? I have always been of the opinion it should not, as the service organisation does not have control over resources at Client onsite locations. Please clarify

    Answer: According to ISO 22301, the decision whether or not to include a service or process in the business continuity scope is up to the organization, which has to consider:
    - its business objectives;
    - legal requirements and contracts it has to fulfil;
    - costs involved in implementing business continuity;
    - potential losses related to disruptive events; and
    - that any exclusion made will not affect the organization's ability and responsibility to ensure business and operations continuity.
    So, if after considering all these issues you find no reason to include your Onshore work operation in the BCMS scope, it does not need to be covered by the business continuity management system.

    2 - When client facility or network not available there is a possibility of Service organisation losing revenue due to the disaster at Client location. This has billing impact on service organisation. What is the way forward for such situation?

    Answer: If I understood well, you're asking what kind of business continuity strategy to develop if your client has a disruption - since you are completely dependent on this client in such case, the best strategy is not to have only a few big clients, but several smaller clients. That way you will decrease the risk of drop in revenue if one client is affected by a disaster.
  • Controls selection


    Answer: Considering your example the ISO 27001 controls that you should consider are:
    - Control A.9.3.1 Use of secret authentication information (this control provides orientation on how to store secret authentication information)
    - Control 9.2.3 Management of privileged access rights (this control provides orientation on how secret authentication information should be maintained when shared)

    Both controls can help you to treat the mentioned risk.
    This material will also help you regarding ISO 27001 controls:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO27005 Threats & Vulnerabilities

    Thanks but I was referring to the actual threat 'events' in the threat & vulnerability catalogue, i.e. is there a definition anywhere of what constitutes the difference between for example 'unauthorised access to info systems' opposed to 'access to network by unauthorised persons' or 'info leakage' opposed to 'disclosure of info' etc., etc.
  • Information security personal development


    Answer: I suggest you explore the following resources of 27001 Academy:
    - Webinars about ISO 27001 implementation, audit, integration with other standards (e.g., with ISO 9001 or ISO 20000): https://advisera.com/27001academy/webinars/
    - Blog articles about controls application, challenges in implementation, etc.: https://advisera.com/27001academy/blog/
    - White papers: a more detailed written approach of topics presented on blog articles: https://advisera.com/27001academy/free-downloads/
    - Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

    Additionally, this material will present you some other links to external blogs that can also provide useful information to improve your knowledge about information security:
    - Top 10 information security bloggers in 2014 https://advisera.com/27001academy/blog/2014/12/17/top-10-information-security-bloggers-in-2014/
    - Top 10 information security blogs https://advisera.com/27001academy/blog/2012/05/07/top-10-information-security-blogs/

    2 - Would you also be able to point me to organizations that may be looking for trainee ISO 27001 auditors to help me acquire the experience I need to become certified?

    Answer: Unfortunately, that's a difficult question to answer, because most of the main certification bodies already have their auditors, and there are always more people looking for opportunities than openings for new auditors.
  • Risk Treatment Plan and audit


    Answer: I'm assuming that for RTP you are referring to Risk Treatment Plan. Considering that, the answer is no, you can leave some of the controls for the implementation for after the auditing under the following conditions:

    1) That you have implemented before the audit the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the audit
    2) That you have specified the deadlines for the controls that you will be implementing after the audit in your Risk Treatment Plan – of course, those deadlines must be after the audit date
    3) That your risk owners or top management accept all the risks for which controls have not been implemented before the audit

    This means that the most important controls must have "implemented" status at the audit, while the less important controls can have status "planned" or "partially implemented" at the moment of the audit. Of course, for controls with status "partially implemented" you have to keep evidence of activities already performed regarding the implementation (the auditor won't audit the control, but he will verify if the implementation plan is being executed).
  • Shall and should in ISO 27001 standard


    Answer: In ISO standards development, the word "shall" is related to requirements, which are mandatory to be fulfilled, while the word "should" is related to recommendations, whose fulfilment is optional.

    ISO 27001 provides requirements for the implementation of an ISMS, which are mandatory to be fulfilled for certification (all controls in Annex A deemed as applicable must be implemented). On the other hand, ISO 27002 was designed to be used as support to ISO 27001, or as a separate standard to support the implementation of security best practices, without enforcing them. That's why ISO 27002 replaces the word "shall" with "should" in the description of the control objectives.

    This article will provide you further explanation about the differences between ISO 27001 and 27002:

    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Environmental aspects and risks

    Good afternoon Iciar, thank you for your answer.

    Regards
  • Templates for human resources security


    Answer: In the list of documents file that comes with the toolkit you bought you can identify which clauses from ISO 27001 are covered by each template. In there you will find out that:
    - Control A.7.1.1 (Screening) is covered by template "Supplier Security Policy" for external personnel
    - Control A.7.1.2 (Terms and conditions of employment) is covered by templates "Confidentiality Statement", "Statement of Acceptance of ISMS Documents", applicable to both internal and external personnel, "Supplier Security Policy", and "Security Clauses for Suppliers and Partners", these last two applicable for external personnel
    - Control A.7.2.2 (Information security awareness, education and training) is covered by template "Supplier Security Policy" for external personnel, and template "Training and awareness plan" for internal personnel
    - Control A.7.2.3 (Disciplinary process) is covered by template "Incident Management Procedure"

    All these templates are found on:
    - folder 09 Training and Awareness Plan (Training and awareness plan)
    - folder 08 Annex A, sub-folder A.7 Human resource security (Confidentiality Statement and Statement of Acceptance of ISMS Documents)
    - folder 08 Annex A, A.15 Supplier relationships (Supplier Security Policy and Security Clauses for Suppliers and Partners)

    Regarding control A.7.2.1 (Management responsibility), responsibilities are defined in each template when required (these responsibility definitions are identified by the expression [job title], which you have to fill in in the templates).
    Regarding the control 7.3.1 (Termination or change of employment responsibilities), the compliance with this control is covered through the description in Statement of Applicability (e.g., by the applicability of the access control policy).

    But if you have this specific need, or other doubts you want to solve, you can schedule a meeting with one of our experts (this meeting is also included in the toolkit you bought), so he can help you with this issue. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
  • Fast implementation project


    Answer: First of all, you have to identify if it is possible to implement and certify the management system in such a short period. Some organizations may already have other systems implemented, or a culture that can make the implementation easier, or the certification scope is small, but for others you will have to start from scratch. And in all these cases you have to count on management support in terms of money and human resources.
    What I can say to you is that if you have to start from scratch it will be very unlikely to accomplish implementation and certification in such a small period, mostly because of the quantity of documents to be developed and the time needed to perform all activities that are prescribed by the documentation.

    To have an idea about how much time you would need, I suggest you take a look at our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    Regarding time allocation, if you identify that the three-month period (twelve weeks) is enough for the implementation, this is a good estimation of phase durations:

    Weeks 1-2: Project planning and elaboration of basic management system documentation (e.g., ISMS scope, information security policy, procedure for documentation control, procedure for internal audit, procedure for risk assessment and treatment, etc.)
    Week 2-3: Carrying out the risk assessment and risk treatment plan elaboration
    Week 4-5: Information security policies and procedures elaboration
    Weeks 5-8 : Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
    Week 9: Internal audit and management review
    Week 10-12: Treatment of internal audit nonconformities and management review decisions

    Since this is a short period, the selection of the certification body should be performed in parallel to these activities, starting at the beginning of the project.

    This article will provide you further explanation about ISO 27001 implementation:
    - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/