Thank you so much. Could you please advise on the two methods the company can use to determine its level of legal compliance? Thank you.
Standards in ISO 27001 series
Answer: As you pointed out, ISO 27001 has recommended control objectives and controls for all the areas you mentioned, and in terms of an ISO-certified management system it is enough to be in compliance with only ISO 27001. The other standards you mentioned provide additional information and details about how to implement the controls described in ISO 27001 Annex A, but they are not required for certification. Think of them as useful tools to improve your controls.
These materials will also help you regarding general guidelines for ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Schedule for testing controls under ISO 27001
Answer: Specific guidance for control testing is difficult to provide, since each organization's context and risks are unique, but you can use some of the criteria applied to planning internal audits to help define a proper test schedule, like:
- Criticality of the assets under the protection of the control: the more critical the asset, the more frequent controls testing should be.
- Frequency of changes: the more frequent the changes in assets or in the environment where the asset operates, the more frequent controls testing should be.
- Results of previous tests: previous tests that pointed out corrections or improvements to be made should be considered as a reason to reduce the interval between tests.
It is important to note that testing of controls should not be confused with internal audit; in smaller companies, internal audit is usually performed once a year by people independent of the audited process, while testing generally is performed by people involved in the process.
Regarding documentation, unfortunately we do not have a template that covers controls testing, but I suggest you take a look at the following templates, since I believe that with some adaptations you can make them more general and use them to help you test a wider range of controls:
Answer: ISO 27001 makes use of the process approach and PDCA cycle concepts to help organizations protect their information and the information of other interested parties under their responsibility. In terms of benefits, ISO 27001 can help identify and prioritize information security risks according to business objectives, optimize resource allocation, and reduce the costs of incidents.
Answer: Some techniques you may use to identify the needs and expectations that are the basis for the ISMS's requirements are:
- documentation review, covering documents like the strategic plan, policies, procedures, contracts, and laws, among others
- interviews with top management, process owners, key users, and clients' and suppliers' representatives.
Using checklists can also help you avoid forgetting relevant topics and optimize your time and effort.
Answer: The approach taken by certification bodies is that a proper scope statement can be defined based on processes, organizational units, or physical locations, not on the format of the information medium. Therefore, your scope statement cannot limit the information to be protected to electronic data only.
Answer: Yes, the time you need to complete each of these activities, and the sequences and dependencies that exist between them, will give you the information about the total time required for risk treatment completion.
In the video tutorials that came with your toolkit, you will see information on how to fill out all the data about the risk treatment plan.
Is the ISO 27001 Risk Assessment Methodology applicable to ISO 22301?
Answer:
This is certainly a very good question. Actually, you can use the ISO 27001 risk assessment methodology also for ISO 22301, because this methodology is a so-called "asset-based" methodology which lists all the assets, then all related vulnerabilities and threats, and finally calculates the level of risk.
But you are right, there are a couple of differences:
1) Information security risk assessment must take into account the consequences related to confidentiality, integrity and availability of assets, whereas the business continuity risk assessment must take into account only the consequences related to availability. Therefore, you can delete "confidentiality" and "integrity" where they are mentioned in the document.
2) ISO 22301 does not require you to have a document called Statement of Applicability, so you can avoid it if you see no value in it for your business continuity (this document is mentioned in the Risk Assessment Methodology).
3) Instead of the asset-based methodology you can decide to go for a methodology based on critical activities and processes. This will probably be quicker than the asset-based methodology mentioned above, but it will also be less accurate.
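The answer above describes the asset-based methodology (assets, their threats and vulnerabilities, a calculated risk level) and the one substantive change when reusing it for ISO 22301: only availability consequences count. The following script is an added illustration, not code from the original answer or from Advisera. It keeps a small constructed risk register and evaluates it twice, once with confidentiality, integrity and availability (the ISMS view) and once with availability only (the BCMS view), so the reader can see how the same register yields a different set of unacceptable risks. The rating scales, the threshold and the register entries are all assumptions made for the example; ISO 27001 prescribes none of them.

```python
"""Asset-based risk assessment evaluated under ISMS and BCMS criteria.

Added example (not part of the original Q&A). Scales, threshold and the
sample register below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed rating scales: likelihood 1..3 (rare..frequent), impact 0..3 (none..severe).
LIKELIHOOD_SCALE = range(1, 4)
IMPACT_SCALE = range(0, 4)

# Which consequence dimensions a given management system considers.
ISMS = ("C", "I", "A")   # ISO 27001: confidentiality, integrity, availability
BCMS = ("A",)            # ISO 22301: availability only, per the answer above


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: Dict[str, int]   # consequence per dimension, keys "C", "I", "A"

    def __post_init__(self) -> None:
        # Reject entries outside the assumed scales so a typo cannot hide a risk.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.asset}: likelihood {self.likelihood} out of scale")
        for dim in ISMS:
            if self.impact.get(dim) not in IMPACT_SCALE:
                raise ValueError(f"{self.asset}: impact[{dim}] missing or out of scale")


def risk_level(risk: Risk, criteria: Tuple[str, ...]) -> int:
    """Level = likelihood x worst consequence among the selected dimensions."""
    worst = max(risk.impact[dim] for dim in criteria)
    return risk.likelihood * worst


def assess(register: List[Risk], criteria: Tuple[str, ...], threshold: int):
    """Return (asset, threat, level, needs_treatment) rows, highest level first."""
    rows = [(r.asset, r.threat, risk_level(r, criteria), risk_level(r, criteria) >= threshold)
            for r in register]
    rows.sort(key=lambda row: row[2], reverse=True)   # stable: ties keep register order
    return rows


def unacceptable(register: List[Risk], criteria: Tuple[str, ...], threshold: int):
    """Only the (asset, threat) pairs that require a risk treatment decision."""
    return [(asset, threat) for asset, threat, _level, flagged
            in assess(register, criteria, threshold) if flagged]


# Constructed sample register (assumptions; not from the page).
REGISTER = [
    Risk("Customer database", "Data theft", "Weak access control",
         likelihood=2, impact={"C": 3, "I": 1, "A": 1}),
    Risk("Web server", "Hardware failure", "No redundant power supply",
         likelihood=2, impact={"C": 0, "I": 0, "A": 3}),
    Risk("Office laptops", "Malware infection", "Missing security patches",
         likelihood=3, impact={"C": 2, "I": 2, "A": 1}),
]
THRESHOLD = 5   # assumed acceptance threshold: level >= 5 must be treated

if __name__ == "__main__":
    for label, criteria in (("ISMS (C/I/A)", ISMS), ("BCMS (A only)", BCMS)):
        print(f"== {label} ==")
        for asset, threat, level, flagged in assess(REGISTER, criteria, THRESHOLD):
            print(f"{asset:18} {threat:18} level={level} {'TREAT' if flagged else 'accept'}")
```

Running the script shows that the data-theft risk on the customer database is unacceptable in the ISMS view (driven by confidentiality) but drops below the threshold in the BCMS view, while the web server's availability risk stays unacceptable in both. That is exactly the effect of deleting "confidentiality" and "integrity" from the methodology when it is reused for business continuity.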
Answer: We may say ISO 27001 can provide business value in the following aspects: compliance, marketing edge, decreasing expenses, and strengthening of the internal structure. That being said, the following articles may provide you with examples of the business value that can be achieved with ISO 27001:
Answer: Considering the content of ISO 27013, there is no similar ISO document regarding the integration of specific aspects of ISO 27001 (risk assessment and treatment) and ISO 22301 (business impact analysis and business continuity plans), but since both standards follow the same structure, based on ISO Annex SL, their management aspects (e.g., document control, internal audit, management review, etc.) are practically the same, which makes the integration job easier.