Risk assessment and application control practical examples
a. Risk Assessment Table
b. Risk Treatment Table
Answer: Together with the ISO 27001 Documentation Toolkit you bought you have access to video tutorials with practical examples that will help you fill in the risk assessment and risk treatment tables. In those videos you will get examples of vulnerabilities, threats, and how to assess the level of risk, as well as how to determine options for the treatment of risks and appropriate controls for unacceptable risks.
2. A file (cross-link) that defines the 27002-controls that should be used for the pre-defined vulnerabilities as used in the template that is part of the toolkit.
Answer: Since the applicability of ISO 27002 controls is unique for each organization's context, even for the pre-defined vulnerabilities listed in the template, we do not provide definitions on what should be used by organizations (this is an organization decision, based on specific information). What we can provide are criteria and recommendations that should be considered when deciding which treatments and controls to apply, through our many blog posts, which you can consult here: https://advisera.com/27001academy/blog/
If you still feel you need more assistance you can schedule a meeting with one of our experts to ask for more specific orientation (https://advisera.com/27001academy/consultation/), which is also part of the toolkit you bought.
Business continuity strategy, plan, and procedure
Answer: The business continuity strategy is related to how an organization will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption. It covers general decisions applicable to a wide range of types of disasters, major incidents or business disruptions (e.g. use of alternative sites).
The BC plan defines precisely how the organization will manage incidents in the case of a specific disaster or other disruption of business, and how it will recover its critical activities within set deadlines (e.g. BC plan for chemical leakage, fire, etc.).
The BC procedure is a document defining how a specific business continuity activity should be performed (e.g., evacuation procedure).
But how is BCP done in sectors like Manufacturing, Petroleum or Aviation? We cannot really have redundant manufacturing plants or those units for petroleum. So in these industries how is BCP done, where does BCP play a role in these industries, how is business continuity implemented in sectors like aviation, and what value does business continuity bring to these mentioned industries?
Answer: Yes, you cannot have redundant manufacturing plants or petroleum platforms, but you can have as many redundant valves, pipes, and other critical elements as a Business Impact Analysis and a Risk Assessment identify as necessary to avoid a situation reaching a level so critical as to compromise the entire facility. That's why, for example, a plane has secondary, tertiary, and even quaternary systems, to avoid a failure that can make the plane crash.
So, not only in these, but in all industries, business continuity management helps identify and implement business continuity in a cost-effective way by identifying the balance between the smallest set of critical points that must be protected to achieve the greatest protection level.
Answer: No, on the contrary, you should seek to integrate the systems. Since 2012, all released ISO management system standards have the same basic structure, which makes it easier to integrate them. By doing so you can save administrative effort in such areas as document and record control, internal audit, performance monitoring, measurement and evaluation, and improvement.
(What is the approximate value to implement ISO 27001 in a logistical evaluation support center in Colombia?)
Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value.
What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employees' effort and time
- The certification process
Answer: The information to be stored will depend on the results of risk assessments, applicable legal and contractual requirements, and any other decision made by the organization regarding the project. Applying information security in project management is like implementing a small and simplified version of an ISMS in the scope of the project.
There are many similarities with implementing an ISMS that you can use to drive the implementation of information security in project management:
1 – You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with the organization's objectives. The only difference is that these objectives are restricted to the scope of the project.
2 – You have to perform, at the beginning and periodically, information risk assessments in the project, as you would with other business processes, to identify necessary controls.
3 – You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing).
In short, you can think of the inclusion of information security in project management as if you are going to implement a small ISMS that will fit the project's needs and be proportional to the project's lifetime and budget.
This article will provide you further explanation about information security in project management:
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
Answer: Yes, the latest revision of the ISO 27001 & ISO 22301 Premium Documentation Toolkit is the 3.1, published in 2015.
By the name of the documents you provided, it seems to me you are comparing the white paper "Checklist of mandatory documentation required by ISO 27001:2013", available as free download at https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001, against the List of Documents file from the toolkit you bought, and you shouldn't do that. You should follow the information in the list of documents file in your toolkit.
2 - Also, the Business continuity procedures are not required or used in the new version; however, they are required in the 2013 version.
Answer: This toolkit is fully compliant with ISO 27001:2013 and ISO 22301:2012. The requirement for business continuity procedures is covered with the Disaster Recovery Plan in the ISO 27001 Documentation Toolkit.
3 - Is the Supplier security policy no longer mandatory?
Answer: Supplier security policy is mandatory only if the results of risk assessments identify that there are unacceptable risks that can be treated by this control, there are legal or contractual requirements that demand the control to be applied, or if the organization has a recorded decision to apply this control. Besides these reasons, an organization is not obligated to implement a supplier security policy.
SoA content
From the standard, I am not able to gauge whether the above fields are mandatory.
Answer: The justification for inclusions is needed because the reason for applying a control will help understand how to evaluate its effectiveness. For example, if the reason is the results of a risk assessment, then we have to check which risks are being treated by the control to ensure all of them are being handled properly. On the other hand, if the reason is a legal or contractual requirement, we need to identify if this requirement is being properly fulfilled.
You can find the requirements for filling the SoA in the clause 6.1.3 d) of ISO 27001.
This document provides a list of questions in order to help perform an internal audit against ISO 27001, so you can verify compliance with the standard's requirements and applicable controls.
Answer: Yes, according to ISO 27001, you have to document operational planning and control, but the extent of what will be documented is up to what the organization decides is sufficient to ensure the processes are being performed as planned. In our experience, some controls require more detailed documentation than others, but in general there is no need for a 'manual' to centralize them all.