Questions about certification
Answer: ISO 27001 does not require the implementation of Business Continuity Management. A Disaster Recovery Plan will be enough to cover 27001 requirements.
For more information, see:
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
2. May personal employees' laptops and smartphones be excluded from the ISMS scope?
Answer: Personal assets from employees must not be included in the organization's ISMS scope (after all, they do not belong to the organization). The point with such assets is that if they process or store information included in the ISMS scope, you have to assess the risks involved in such access, and if the risks are identified as unacceptable, you have to consider how to treat them (e.g., forbid such assets to access the organization's information, or regulate their use through controls such as acceptable use of assets or a mobile and teleworking policy).
For more information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
3. In the template of the Risk Assessment and Treatment report, can you explain to me in more detail what is expected for the section "Time period"?
Answer: In the "time period" section you must document:
- When the risk assessment activity presented in the report has started and ended
- When the risk treatment activity presented in the report has started and ended
- When the elaboration of the final report has started and ended
With this information it can be evaluated whether the risk assessment took enough time considering the complexity of the scope, whether risk treatment was performed in due time, and whether the report presents current or old information, which helps to support decision-making.
This article will provide you with further explanation about risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Jul 10, 2019