Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Business continuity in specific industries
But how bcp is done in sectors like Manufacturing , Petroleum or Aviation , we cannot really have redundant Plants of manufacturing or those units for petroleum . So in these industries how bcp is done , where does bcp play role in these industries , how business continuity is implemented in sectors like aviation , what value does business continuity bring to these mentioned industries.
Answer: Yes, you cannot have redundant manufacturing plants or petroleum platforms, but you can have as many redundant valves, pipes, and other critical elements, which a Business Impact Analysis and a Risk Assessment identify as necessary to avoid a situation to reach a level so critical as to compromise the entire facility. That's why, for example, a plane has secondary, tertiary, and even quaternary systems, to avoid a failure th at can make the plane crash.
So, not only in these, but in all industries, the business continuity management helps identify and implement business continuity in a cost effective way by identifying the balance between the smallest set of critical points that must be protected to achieve the greatest protection level.
This articles will provide you further explanation about business continuity strategy:
- Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
- Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
This material will also help you regarding business continuity strategy:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Integrated management systems
Answer: No, on the contrary, you should seek to integrate the systems. Since 2012, all released ISO management systems standards have the same basic structure, which makes easier to integrate them. By doing so you can save administrative effort in such areas as document and record control, internal audit, performance monitoring, measurement and evaluation, and improvement.
This article will provide you further explanation about Integrated management systems:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
These materials will also help you regarding Integrated management systems:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Implementation cost
(What is the approximate value to implement ISO 27001 in a logistical evaluation support center in Colombia?)
Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to precise a value.
What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employee's effort and time
- The certification process
These articles will provide you further explanation about Implementation cost:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
These materials will als o help you regarding Implementation cost:
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Records required in an IT project
Answer: The information to be stored will depend on the results of risk assessments, applicable legal and contractual requirements, and any other decision made by the organization regarding the project. Applying information security in project management is like implementing a small and simplified version of an ISMS in the scope of the project.
There are many similarities with implementing an ISMS that you can use to drive the implementation of information security in project management:
1 – You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with organization's objectives, the only difference is that these objectives are restricted to the scope of the project.
2 – You have to perform at the beginning, and periodically, information risk assessments in the project, like you would do it with other bu siness processes, to identify necessary controls
3 – You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing).
In short, you can think the inclusion of information security in project management as if you are going to implement a small ISMS that will fit the projects needs and be proportional to the project's lifetime and budget.
This article will provide you further explanation about information security in project management:
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
These materials will also help you regarding information security in project management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Toolkit list of documents
Answer: Yes, the latest revision of the ISO 27001 & ISO 22301 Premium Documentation Toolkit is the 3.1, published in 2015
By the name of the documents you provided, it seems to me you are comparing the white paper "Checklist of mandatory documentation required by ISO 27001:2013", available as free download at https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001, against the List of Documents file from the toolkit you bought, and you shouldn't do that. You should follow the information in the list of documents file in your toolkit.
2- Also, the Business continuity procedures is not required or used in the new version; however, it is required in the 2013 version.
Answer: This toolkit is fully compliant with ISO 2700 1:2013 and ISO 22301:2012. The requirement for businesses continuity procedures is covered with the Disaster Recovery Plan in the ISO 27001 Documentation Toolkit.
3 - Is the Supplier security policy no longer mandatory?
Answer: Supplier security policy is mandatory only if the results of risk assessments identify that there are unacceptable risks that can be treated by this control, there are legal or contractual requirements that demand the control to be applied, or if the organization has a recorded decision to apply this control. Besides these reasons, an organization is not obligated to implement a supplier security policy. -
SoA content
From the standard, I am not able to gauge whether the above fields are mandatory.
Answer: The justification for inclusions is needed because the reason for applying a control will help understand how to evaluate its effectiveness. For example, if the reason is because results of risk assessment, them we have to check which risks are being treated by the control to ensure all of them are being handled properly. On the other hand, if the reason is because of a legal or contractual requirement, we need to identify if this requirement is being properly fulfilled
You can find the requirements for filling the SoA in the clause 6.1.3 d) of ISO 27001.
This article will provide you further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO 27001 Annex A checklist
Answer: Yes. I suggest you to take a look at the free demo of our Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/
This document provides a list of questions in order to help perform an internal audit against ISO 27001, so you can verify compliance with standard's requirements and applicable controls.
These materials will also help you regarding ISO 27001 Annex A controls verification:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Operational planning and control documentation
Answer: Yes, according ISO 27001, you have to document operational planning and control, but the extent of what will be documented is up to what the organization decides as sufficient to ensure the processes are being performed as planned. In our experience, some controls require more detailed documentation than others, but in general there is no need for a 'manual' to centralized them all.
These articles will provide you further explanation about mandatory and most common documents and which consider to decide what to write:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
These materials will also help you regarding documentation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO 27001 and PCI-DSS certifications
To become an ISO 27001 certified professional you can go either for ISO 27001 Lead Auditor Course or ISO 27001 Lead Implementer Course. In the market there are many accredited providers (certifications from these organizations are world wide recognized) you can choose regarding price, location and payment conditions.
Regarding PCI-DSS, there are many certification programs supported by PCI Security Standards Council, with different certification requirements. I suggest you to take a look at the PCI site (https://www.pcisecuritystandards.org/assessors_and_solutions/become_qualified) so you can identify which certifications are better for you and which requirements you have to fulfil
These articles will provide you further explanation about ISO 27001 certifications for persons:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/ -
Checking information on significant residual risks
Answer: The records you should look for regarding acceptance of the residual information security risks are the information security risk treatment plan approval (regarding clause 6.1.3.f) and the records of management reviews (clause 9.3.e).
From the risk treatment plan you will know who are the risk owners and this will be your reference to check if each one of them approved the risk treatment plan and was informed about the results of management reviews.
For more information, see: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
2 - Explain how to utilize opportunities to promote the implement of the risk reduction methods and procedures?
Answer: In general, you can justify that by implementing risk reduction methods and procedures an organization can take advantage of opportunities more easily. For example, opportunities to reduce cost are by reducing in surance related costs and costs of incidents, and both can be achieved by implementing risk reduction methods and procedures.
Another example of opportunity is to win new customers, by offering improved information security as a feature.
For more information, see: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
3 - Explain how to record the risk reduction methods and procedures in the appropriate information systems?
Answer: According ISO 27001, the mandatory records and documents an organization has to keep to evidence the performing of risk assessment and risk treatment processes are:
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
This article will provide you further explanation about ISO 27001 documented information:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
These materials will also help you regarding your questions:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/