
Toolkit content ISO 27001

Guest user Created:   Feb 15, 2018 Last commented:   Feb 15, 2018


1 - Which document covers 4.1 Understanding of the organization and its context?

Expert
Rhand Leal Feb 15, 2018

Answer: ISO 27001 does not require a document to cover clause 4.1, so to avoid unnecessary administrative effort there is no template to cover this clause in the toolkit.

This article will provide you further explanation about organizational context (although this is an ISO 27001 article the same concept applies to 22301):
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

2 - How can you best describe our organization’s risk appetite?

Answer: The risk appetite is the organization's willingness to take risks, and accept some degree of impact. The risk appetite can be related, among other things, to organizational culture, top management mindset, the desired business outcomes, and the impacts related to disruptive incidents it considers acceptable to take.

This article will provide you further explanation about risk appetite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

3 - How can you best describe the links between the business continuity policy and the organization’s objectives and other policies, including our risk management strategy?

Answer: The organization's objectives are the base for the business continuity policy, the other policies, and the risk management strategy.

Based on the organization's objectives the policies must be developed to ensure they can be achieved (in respect to the business continuity policy, the objectives will help drive the processes and resources to be implemented to ensure the continuity of activities that are related to the objectives). Regarding risk management, the organization's objectives will help the identification of the most relevant risks and how they should be treated.

These articles will provide you further explanation about objectives:
- Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/

4 - How can you best describe the potential impact related to a disruptive incident with services, products, etc.?

Answer: The best way to describe the impacts of disruptive incidents to the business is by performing a Business Impact Analysis, which will help you identify and demonstrate how business is impacted through time if a disruptive incident occurs.

These materials will provide you further explanation about BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
