
  • Referring to the Business continuity policy from the ISMS documentation


    Answer:

    Business continuity is required in the Annex A of ISO 27001, section A.17 - so if you select those business continuity controls as applicable in your Statement of Applicability, then yes - you should refer to your Business continuity policy in your ISMS documentation.

    If the ISO 27001 certification auditor sees that you have implemented business continuity in a proper way, he will certainly look at that fact in a positive way - he will assess your business continuity documentation, and how you performed your exercising and testing, but he probably won't go any deeper.

    These articles will help you:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  • Example of risks and opportunities


    Answer:

    First, it is good to clarify where to look for risks and opportunities in an environmental management system. According to ISO 14001, the organization needs to consider the relationship a particular risk or opportunity has to:
    - the organization’s important environmental issues (its “context”)
    - the organization’s EMS requirements, including its compliance obligations
    - the defined scope of the organization’s environmental management system

    For example, the organization might be at risk of not complying with a contractual obligation regarding environmental protection, therefore it must take action to ensure that the contractual obligation will be met. An opportunity can be some governmental funding of green energy or energy preservation, so the organization must take action to apply for that funding.

    For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • How to address first three clauses of ISO 9001


    Answer:

    The first three clauses of ISO 9001 do not contain any requirements regarding the quality management system, so the organization doesn't have to do anything to address those clauses.
  • Any controls for BCMS like ISMS?


    Answer:
    No, I am sorry, a BCMS is not composed of security controls like an ISMS. Remember that ISO 27002 is a code of best practices with 114 security controls that you can use together with ISO 27001 to implement an ISMS. For a BCMS you can use ISO 22313 together with ISO 22301 to implement a BCMS, but ISO 22313 is not composed of controls; it is composed of guidelines to implement the standard.

    Anyway, you can also use controls from ISO 27002 to mitigate most business continuity risks, although this is not mentioned in ISO 22301.

    This article can be interesting for you, “ISO 22301 vs. ISO 22313”: https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/

    And also this one, “ISO 27001 vs. ISO 27002”: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    And this book can also be interesting for you, "Becoming Resilient: The Definitive Guide to ISO 22301 Implementation": https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Who owns the risk?

    In the "Existing controls" column you should list all the controls that are currently implemented related to the risk - sometimes the asset itself will be the control, like in case of a firewall.

    However, if the asset is managed by an entity that is not part of the scope, then likely this asset is also not going to be included in the ISMS scope.

    This article will also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Sure, we can organize a call, please contact me via email.
  • Which policies to implement before the certification


    Answer:

    If your company wants to go for the ISO 27001 certification, the first thing you need to have is all the mandatory documents; you can see them here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Next, once you perform the risk assessment you will define which controls you need, and then you have to decide which of these controls need to be documented. Finally, in the Risk treatment plan you need to decide which controls are to be implemented before the certification, and which will be implemented after.

    In the certification audit, the auditor will check if all the published documents are fully implemented.

    So, to summarize: each document you write needs to be fully implemented; the only documents that you can leave for after the certification are those that are not mandatory.

    These articles will also help you:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    Probably the best thing for you is to go through this free online course, ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ - it will explain all the details to you.
  • Asset Inventory: 'Printer' - Justification!

    That was helping the doubt! Thank you so much
  • How essential is a 'Scope Diagram' in the Scope Document?

    That cleared the query! Thank you @ajsegovia
  • RARTP vs NCPA

    Thanks for the help! It cleared the doubt :-)
  • Risk assessment of vendor who is ISO 27001 certified


    Answer:

    When assessing the risk of third-party services you have to assess the ability of those vendors to protect the confidentiality, integrity and availability of your data that they are handling. Of course, if they are ISO 27001 certified, this will mean that the risks are probably lower; however, this is not the only criterion. You should also check what your agreement with them says, what their reputation is, what other customers are saying, whether they have some other certificates, etc.