Answer:
The main difference between ISO 27001 and other standards (like the NIST series, CIS Critical Controls) is that after the implementation of the standard, you can certify it by a third party, which gives a warranty that you are compliant with an international standard. You cannot certify the NIST series and/or CIS Critical Controls in the same way. Regarding Common Criteria, it is also an ISO standard (ISO 15408), although ISO 27001 is related to the certification of companies, while Common Criteria (ISO 15408) is related to the certification of products.
Regarding the advantages, to be certified on ISO 27001 means that you have a certificate signed by a certification body, and this entity audits your company every year to check if your company is compliant with the standard, which can help your business to improve continually.
Regarding limitations, from my point of view, ISO 27001 is only a standard that defines requirements (it tells you what you need to do), but does not tell you how to do it, so generally you need other standards or best practices (ISO 27002, ISO 27799, etc.) for the implementation of ISO 27001.
The decision should be made depending on the needs of the business, I mean, if the business needs a certificate signed by a third party to show to their customers that they are compliant with an international standard related to information security, the best standard is ISO 27001. If not, the company should decide the best standard depending on their needs and the benefits of each standard.
You might implement any version of the standard you want and use existing documents from your company. The only difference is that you need to revise those documents to make sure they are aligned with the requirements of the new version. I assume that you will be using procedures for document and record control, HR, internal audit, corrective actions, etc. All these documents should be revised and slightly changed just to meet requirements of the new standard but it will save you a lot of time since the changes are minor in these areas.
It is not very common to bind a financial report with an internal audit report because they are quite different and are not related to each other. It wouldn't be a nonconformity to file both these reports at once, but it doesn't provide any additional value.
Audit criteria represent the requirements against which the system is being audited. For example, if you are conducting an ISO 9001 internal audit, the audit criteria would be ISO 9001, or if you are auditing compliance to legal and other requirements, the criteria would be the legal requirements.
ISO 27001 does not require you to include products and services, nor partnerships, supply chains and interested parties in your Information security policy. According to ISO 27001, this policy is a top-level document without many details - see this article: Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
How long should the ISMS be in place before going for the certification audit
Answer:
This differs from one certification body to another - some require you to have the ISMS in full operation for at least 3 months, while others do not have such a criterion. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.
Procedure for document control - only for ISMS documents?
Answer:
ISO 27001 requires you to control only your ISMS documents; however, if you find this system useful you can use it for all of the internal and external documents in your company.
So it is really up to you to decide which documents this procedure refers to - just make sure that you specify this clearly in the procedure.
Governance framework and management reporting
Answer: ISO 27001 doesn't require having a "Governance framework" as a single document; what it does require are a couple of documents that help you manage your ISMS - Information security policy, Procedure for document control, Procedure for corrective actions, Procedure for internal audit, etc. - all of those documents you'll find in your toolkit. Regarding governance, it is very important that you set general and security-specific ISMS objectives, and document them. General objectives are documented either through the Information security policy or as a separate document - we do not have a template for such a separate document since it is not really needed; specific ISMS objectives are usually documented through the Statement of Applicability - you'll notice a column in our template for that purpose.
Regarding Management reporting, it is necessary (1) that you measure the achievement of all the objectives, (2) that those results are regularly reported to the management, (3) that you set clear responsibilities for this reporting, and (4) that during the Management review your top management reaches decisions based on these reports.
We do not have a special template for defining how the reporting is done because companies usually already have a reporting system in place - some have Balanced Scorecard, some have some other system of reporting towards the management - in my view it is important that information security reporting is included in this existing system. For management review you'll find the Management review minutes in the toolkit.
Answer:
I am sorry, but in the new ISO 27001:2013 the term “preventive” is not used; only the term “corrective” is used (the term “preventive” was only used in the previous version of the standard, I mean, ISO 27001:2005). Furthermore, the adequate definition is “corrective action”, not “corrective maintenance”.
Anyway, a corrective action is an action to eliminate the cause of a detected nonconformity or other undesirable situation, while a preventive action is an action to eliminate the cause of a potential nonconformity or other undesirable potential situation.
I'm sorry, but Information Life Cycle Management is not mentioned in ISO 27001, so we do not have any materials related to it. If you could explain exactly what you need, we will be happy to help you.