
  • Audit in one location and continue in another location


    Answer:
    If your question is about whether a part of the audit can be performed in one location, and the audit can continue in another location in a couple of days, yes, it can be possible, there is no problem from my point of view, and it can be established in the audit plan. It is valid not only for internal audits, but for certification audits as well.

    By the way, this article can help you to make an internal audit checklist for ISO 27001 “How to make an Internal Audit checklist for ISO 27001/ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    And for detailed information about the internal audit, our online course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISMS and PCI DSS


    Answer:
    From my point of view, if your company is complex, in your case a recommendation can be to limit the scope of the ISMS. I mean, the implementation of the ISMS in your company could be gradual, so maybe the first year you can implement the ISMS in a sector of the organization, next year you can implement the ISMS in another sector, and so on. Although, generally, our recommendation is, if the company is small, that the scope is for the entire organization (but I think that your case is different).

    For more information about the scope, this article can be interesting for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And these articles about PCI and ISO 27001 can be also interesting for you:

    “PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences” : https://advisera.com/27001academy/knowledgebase/pci-dss/

    “PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification” : https://advisera.com/27001academy/knowledgebase/pci-dss/

    Finally, our online course can give you information about the implementation of ISO 27001 in your organization “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • First things in the ISO process


    Answer:
    The first thing, and the most important thing, is to obtain the management support. Other important things are to treat the implementation as a project, define the scope, etc. Here you can find an article with a checklist of 16 steps to implement in order, establishing top priorities (from the most critically important to the less significant issues), for ISO 27001 in your organization “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    By the way, in our free download section, you can find a template for a Project plan for ISO 27001 / ISO 22301 implementation (MS Word), a Diagram of ISO 27001:2013 Implementation (PDF) (you can use it to create a flow chart), and a Project checklist for ISO 27001 implementation (MS Word), so I recommend you to visit our section here : https://advisera.com/27001academy/free-downloads/

    Finally, our online course can be also very interesting for you because we give detailed information about the implementation process of ISO 27001 in your organization “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • More information about the SOA


    Answer:
    I am sorry but I am not sure what you mean. Anyway, the SOA is an important document - and a mandatory document - in the implementation of ISO 27001. This document simply includes the 114 controls of Annex A of ISO 27001:2013, establishing the applicability of each control (and the justification of each applicability). If you need more information about the SOA, this article can be interesting for you “The importance of Statement of Applicability for ISO 27001” : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    And our online course can also give you detailed information about the SOA “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/

    Finally, our template can be useful for you to implement the SOA in your organization, so you can see a free version clicking on “Free demo” tab here “Statement of Applicability” : https://advisera.com/27001academy/documentation/statement-of-applicability/
  • Template for the context of the organization


    Answer:
    Yes, you can use our template for this (you can see a free version by clicking on the “Free demo” tab) “Procedure for Identification of Requirements” : https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/

    And this article can be also interesting for you “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Finally, our online course can be also interesting for you because we also give more information about the identification of interested parties “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Specific requirements about the qualifications of an internal auditor?


    Answer:
    There are no specific requirements about the qualifications of an internal auditor, but ISO 27001 requires the organization to select auditors to perform the internal audit. And generally, companies want - and need - auditors with experience and knowledge about ISO 27001.

    If the person is ISO 27001:2013 certified, I mean, is a Lead Auditor accredited by a company, it can be very good, but it is not mandatory, although you need to demonstrate your experience and knowledge, and for this a course can be a good option. For more information about the qualifications of an internal auditor, this article can be interesting for you “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    And our online course can be also useful for you, because it can help you to obtain all necessary knowledge required for the internal auditor “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Best practice for residual risk?


    No - there is no best practice because each company needs to determine their acceptable level of risk based on the methodology, based on the industry they are in, based on the management intention, etc. This article may help you: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    However, I noticed some inconsistencies in your calculation of risk: asset value is basically the same thing as the impact, so you calculate the same value twice in your risk which is unnecessary; further, you calculate both likelihood and vulnerability, however vulnerability is (together with the threat) part of calculating the likelihood - again you have duplication.

    This article will help you with defining the formula: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • What if supplier refuses to apply security measures?


    Answer: This depends on your reaction - if you initiated certain corrective actions, for example: warning letter to the supplier, applying some penalties, searching for a new supplier, etc. then the certification auditor will see that you manage the situation. If you stay passive, then you will have a problem with the certification.
  • Initiating failover to the secondary site


    Answer:

    I'm not sure if I understood your question correctly, but your RTO has to be calculated in such a way as to provide the maximum time of disruption that you can sustain for a particular system, process, or part of the company. Therefore, the moment that you get disrupted (i.e. the moment when the incident strikes), the clock for your RTO starts ticking.

    The point is - you have to be very careful if you calculate a very short RTO like 30 minutes - what will be the cost of preparing to be able to achieve such a short recovery time? Maybe it would be better to accept higher risk and decrease the costs.

    See also this article about calculating the RTO: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Project Plan

    That is probably a mistake because the project plan was in folder 00 in the previous version of the toolkit, so we probably delivered you the previous version of "How to start using the toolkit info". Thank you for the feedback.