Thanks, this definitely helps. Another question I have is about threats: one of the obvious threats for an information system is "interruption of service". Is it wise to differentiate on the length of the interruption? For instance "interruption of service for less than 8 hours" and "interruption of service for more than 8 hours". Because the first may result in an acceptable risk, whereas the second is unacceptable.
Control of outsourcing partner
Answer:
The purpose of controlling the outsourcing partner is to ensure that the product or service they deliver is compliant with your requirements. The simplest way of controlling the outsourcing partner is by controlling the quality of the product or service they deliver to your organization, along with the other requirements that you've imposed on them (e.g. deadlines).
Another way of control is to define the processes and activities that the outsourcing partner needs to perform in order to deliver the product or service, or to perform second-party audits of your provider to ensure the product or service to be delivered is compliant with your requirements.
The method and extent of the controls imposed on the outsourcing partner depend on many factors, and the standard only requires the organization to ensure that the externally provided product, process or service is compliant with the requirements of the organization.
Standard for safety in university workshops and lab
If we want only our Chemical Lab to be certified, not the entire facility on the campus, is this possible?
Filling a SoA document
Answer: ISO 27001 does not require responsibilities to be included in the SoA, so you do not need to include this information because of the standard. Some organizations decide to include this information in the SoA so it becomes easier for them to identify who is responsible for each control (all information can be found in a single document). Of course, if you decide on this approach and a control is considered not applicable, then you should leave the field blank.
Document control procedure template
Answer: Yes. You can have a printed version of a document with a higher confidentiality level too.
The access control of printed information is more difficult to ensure than for electronic versions; that's why the text of section 3.3.2 does not mention the handling of printed versions, but it is only a suggestion.
The comments in this section explain that if an organization wants to use printed versions of more sensitive information, it only has to adapt the text according to its needs.
With the toolkit you've bought, you also have access to video tutorials that explain the document control procedure and can help you customize your document according to your needs.
BCP and ISO 27031 standard
I have all the templates from you for ISO 22301 and have used them a few times, so I'm not concerned about their use. I have gone through the ISO 27031 standard and can see the difference or value add of this approach for IRBC.
I would like to know:
1. How to use ISO 27031, should I use it?
Answer: I would recommend that you use ISO 27031, since it can be a valuable reference to check and improve the BC plans for IT, usually called IT disaster recovery plans; its recommendations can show you whether your plans already cover the most common controls and safeguards or whether they need adjustments.
You can think of the use of ISO 27031 in the same way ISO 27002 is used for ISO 27001, where ISO 27002 provides recommendations and guidelines for the implementation of ISO 27001 Annex A controls.
2. Do you have documents that show how to use ISO 27031?
Answer: Specifically for ISO 27031 we do not have such material, however our DRP template is compatible with 27031.
3. Having read through the standard, it looks like DRP made smarter.
Answer: Yes, this is basically what ISO 27031 does: providing recommendations and guidelines on controls and safeguards applicable to IT BC plans.
4. How do I marry the two?
Answer: You can consider the use of ISO 27031 in the planning phase of business continuity. After performing the BIA and defining RTOs, RPOs and the general strategy, you can use ISO 27031 to detail which controls and other measures you have to consider in your DRP plans.
Answer: The section "Reference documents" is used to list any document in the company used to define document control. These may be, for example, a documented decision from top management, an internal policy, or an industry regulation.
To identify the documents to be referenced in the document control procedure, you must identify which requirements, internal or external, the business must fulfil regarding document control.
In the toolkit you bought, you have access to video tutorials that will help you fill in the document control procedure.
2 - We are an IT company (a webhosting provider). Do you have documents and/or recommendations for an industry like this (what are mandatory documents and what are not)? I already saw the mandatory documents list.
Answer: ISO 27001 was designed to be easily used by organizations from any industry, so the mandatory documents won't change much because you are a webhosting provider - we have lots of clients that are in the same business, and there was no need to have any extra security documents.