Expert Advice Community

Questions about certification

Guest user Created:   Jul 10, 2019 Last commented:   Jul 10, 2019

1. Is it mandatory to implement Business Continuity Management to obtain ISO 27001 certification?
Expert
Rhand Leal Jul 10, 2019

Answer: ISO 27001 does not require the implementation of Business Continuity Management. A Disaster Recovery Plan will be enough to cover 27001 requirements.

For more information, see:
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

2. May employees' personal laptops and smartphones be excluded from the ISMS scope?

Answer: Personal assets from employees must not be included in the organization's ISMS scope (after all, they do not belong to the organization). The point with such assets is that if they process or store information included in the ISMS scope, you have to assess the risks involved in such access, and if the risks are identified as unacceptable you have to consider how to treat them (e.g., forbid such assets from accessing the organization's information, or regulate their use through controls such as acceptable use of assets or a mobile device and teleworking policy).

For more information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

3. In the template of the Risk Assessment and Treatment Report, can you explain to me in more detail what is expected in the "Time period" section?

Answer: In the "time period" section you must document:
- When the risk assessment activity presented in the report has started and ended
- When the risk treatment activity presented in the report has started and ended
- When the elaboration of the final report has started and ended

With this information it can be evaluated whether the risk assessment took enough time considering the complexity of the assessed scope, whether risk treatment was performed in due time, and whether the report presents current or old information, which helps to support decision making.

This article will provide you further explanation about risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
