Is ISO 27001 Risk Assessment Methodology applicable to ISO 22301?
Answer:
This is certainly a very good question - actually you can use the ISO 27001 risk assessment methodology also for ISO 22301, because this methodology is a so-called "asset-based" methodology which lists all the assets, then all related vulnerabilities and threats, and finally calculates the level of risk.
But you are right, there are a couple of differences:
1) Information security risk assessment must take into account the consequences related to confidentiality, integrity and availability of assets, whereas the business continuity risk assessment must take into account only the consequences related to availability. Therefore, you can delete "confidentiality" and "integrity" where they are mentioned in the document.
2) ISO 22301 does not require you to have a document called Statement of Applicability, so you can avoid it if you see no value in it for your business continuity (this document is mentioned in the Risk assessment methodology).
3) Instead of the asset-based methodology you can decide to go for a methodology that is based on critical activities and processes - this will probably be quicker than the asset-based methodology mentioned above, but it will also be less accurate.
Answer: We may say ISO 27001 can provide business value in the following aspects: compliance, marketing edge, decreasing expenses and strengthening of the internal structure. That being said, the following articles may provide you examples of business value that can be achieved with ISO 27001:
Answer: Considering the content of ISO 27013, there is no ISO similar document regarding integration of specific aspects of ISO 27001 (risk assessment and treatment) and ISO 22301 (business impact analysis and business continuity plans), but since both standards follow the same structure, based on ISO Annex SL, their management aspects (e.g., document control, internal audit, management review, etc.) are practically the same, which makes the integration job easier.
Answer: There is no general single answer, since the impacts on information security confidentiality, integrity, or availability for each asset in your scope will vary depending upon the considered threats, which are to be identified during risk assessment. For example, for the asset "research and development information" the threat "fire" will have availability as the aspect most affected, while for the threat "unintentional change of data" integrity is the most affected aspect.
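The following is an added example, not part of any of the answers above: a minimal asset-based risk register that scores the same asset/threat pairs twice, once the ISO 27001 way (worst of the confidentiality, integrity and availability consequences) and once the ISO 22301 way (availability consequence only), so that the first answer's point about deleting "confidentiality" and "integrity" for business continuity, and the later answer's fire vs. unintentional-change illustration, can be seen on concrete rows. The 1-5 likelihood and 0-5 consequence scales, the vulnerabilities, the scores and the acceptance level are all constructed for illustration.

```python
# Added example (not from the original Q&A): one asset-based risk register
# evaluated for two management systems.
#   ISMS (ISO 27001): consequence = max(confidentiality, integrity, availability)
#   BCMS (ISO 22301): consequence = availability only
# All scales, assets, threats and scores below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # constructed scale: 1 (rare) .. 5 (almost certain)
    confidentiality: int   # consequence if the threat materialises, 0 (none) .. 5 (severe)
    integrity: int
    availability: int


# Constructed register rows; the two R&D rows mirror the fire / unintentional-change example.
REGISTER = [
    RiskEntry("research and development information", "fire",
              "single site, no off-site copy", 2, 0, 0, 5),
    RiskEntry("research and development information", "unintentional change of data",
              "no change control on shared folder", 4, 0, 4, 1),
    RiskEntry("customer database", "unauthorised disclosure",
              "weak access control", 3, 5, 2, 0),
]


def most_affected_aspect(entry):
    """Name the C/I/A aspect with the highest consequence for this asset/threat pair."""
    scores = {
        "confidentiality": entry.confidentiality,
        "integrity": entry.integrity,
        "availability": entry.availability,
    }
    return max(scores, key=scores.get)


def isms_risk(entry):
    """ISO 27001 style: likelihood times the worst of the three consequences."""
    return entry.likelihood * max(entry.confidentiality, entry.integrity, entry.availability)


def bcms_risk(entry):
    """ISO 22301 style: the same row, but only the availability consequence counts."""
    return entry.likelihood * entry.availability


def evaluate(register, acceptance_level):
    """Score every row both ways and flag which risks exceed the acceptance level under each system."""
    rows = []
    for entry in register:
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "most_affected": most_affected_aspect(entry),
            "isms_risk": isms_risk(entry),
            "isms_treat": isms_risk(entry) > acceptance_level,
            "bcms_risk": bcms_risk(entry),
            "bcms_treat": bcms_risk(entry) > acceptance_level,
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(REGISTER, acceptance_level=8):
        print(f'{row["asset"]} / {row["threat"]}: most affected = {row["most_affected"]}, '
              f'ISMS risk {row["isms_risk"]} (treat: {row["isms_treat"]}), '
              f'BCMS risk {row["bcms_risk"]} (treat: {row["bcms_treat"]})')
```

With the constructed acceptance level of 8, the "unintentional change of data" and "unauthorised disclosure" rows need treatment in the ISMS but drop below the line in the BCMS, while "fire" needs treatment in both; that is exactly the effect of keeping one register and ignoring the confidentiality and integrity columns for business continuity.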
The purpose of product verification is to check whether the received product complies with the requirements for the product. Depending on the properties of the product, different measurements can be conducted to determine whether it complies with the requirements; these can be measurements of dimensions, weight, etc.
Documentation requirements of clause 4.1, 4.2 and 6.1
Answer:
Clauses 4.1 and 4.2 of ISO 14001:2015 do not require any document to be made. Clause 6.1 requires the organization to document the risks and opportunities to be addressed, and this can be done in the form of a register. This register can be merged with the one for environmental aspects, but it would be better to keep a separate register, because the scope of the assessment of environmental aspects differs from that of risks and opportunities. For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
Interpretation of risks in ISO 14001
Answer:
By definition in ISO 14001, risk is the effect of uncertainty. The standard requires the organization to identify and address risks and opportunities regarding environmental aspects, compliance obligations and other issues emerging from the context of the organization.
The purpose of addressing risks and opportunities is to give assurance that the EMS (Environmental Management System) can achieve its intended outcomes, prevent or reduce undesired effects (including the potential for external environmental conditions to affect the organization) and achieve continual improvement.