
  • Achieving ISO 9001:2015 certificate


    Answer:

    In order to get certified, the company needs to implement the standard first and then hire a certification body to perform the certification audit and issue the certificate.

    The implementation includes several steps. The first one is to perform a gap analysis to determine what needs to be done to achieve full compliance with the standard, and then to develop a project plan with all necessary activities, responsibilities and deadlines to ensure that nothing is missed out. The next step is to create documents and make changes in activities in order to be compliant with the standard. Once the standard is implemented and all processes are in place, the company needs to conduct an internal audit and a management review to make sure that the quality management system is compliant with the standard.

    When all these activities are carried out successfully, the company can hire a certification body to conduct the certification audit.

    For more information, see:
    - ISO 9001 Certification https://advisera.com/9001academy/knowledgebase/iso-9001-certification/
    - Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Support management


    Answer:
    I am sorry, but I am not sure if I have understood your question. If you mean how to obtain support from top management for the implementation of ISO 27001 in the organization, you need to show the benefits that the ISMS can give to the business, which are basically 4 main points: compliance, marketing edge, lowering expenses, and putting your business in order.

    For more information about these points, please read this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    And this free webinar can be also interesting for you “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/es/webinar/iso-27001-benefits-how-to-obtain-management-support-free-webinar-on-demand/

    Finally, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Merging the asset, risk assessment, risk treatment tables


    Answer:

    Yes, merging the Asset inventory and the Risk assessment table makes sense, especially for smaller companies; for a larger company it would be better if they separate the Asset inventory into a separate document because they would have some additional information stored there - see this article: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    However, I wouldn't recommend merging the Risk assessment table and Risk treatment table - this is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls. Therefore, if you're using Excel for risk management, it is much easier to have two separate sheets for this purpose.
  • Various questions about ISO 27002


    2. Do you provide a 27002 tool kit as well?

    3. Only large companies need ISO 27002. So does that mean that with the 27001 toolkit they will not be able to obtain certification?

    4. Why will a small or medium company not be required to have controls/guidelines in place before certification? Can you please explain?

    Answers:
    1.- You need to implement security controls to reduce the risks identified during risk management (risk management is an important requirement in ISO 27001). For the implementation of these controls, you can use Annex A of ISO 27001:2013, which gives you a brief description of each control. If you need more information about the implementation of each control, you can use ISO 27002, but it is not strictly necessary, because if you know how to implement security controls to reduce your risks, you do not need to have ISO 27002. For example, you can find in Annex A the control A.12.3.1 Information backup, but if you know how to perform backups, you do not need more information about the implementation of this control, so you do not need ISO 27002 for this.

    2.- Not yet, I am sorry, but we are working on it.

    3.- I am sorry, but I do not agree with this point. Large companies can also implement and certify ISO 27001 with our toolkit, and they will need ISO 27002 only for those controls where they need information about how to implement them.

    4.- I am not sure if I have understood your question, but all companies are treated in the same way here, so all companies need to implement security controls to reduce the risks identified during the risk assessment before the certification.

    If you don’t know our toolkit, I recommend that you download it from here (please click on “DOWNLOAD FREE TOOLKIT DEMO”) “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    And this article about the differences between ISO 27001 and ISO 27002 can be useful for you “ISO 27001 vs. ISO 27002” : https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    Finally, our online course can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Difference between ISO 27001 certification and CISSP


    Answer:
    I suppose that you mean Certified Information Systems Security Professional (CISSP). Basically, CISSP is developed specifically for the qualification of professionals in information security. However, the philosophy of ISO 27001 is different, because it is not developed for the qualification of professionals; it is developed for the certification of companies. Basically, ISO 27001 is an International Standard that has requirements for the establishment of an Information Security Management System, and there are companies all over the world that implement these requirements to obtain the ISO 27001 certificate.

    And there are many entities that offer an ISO 27001 Lead Auditor certification or ISO 27001 Lead Implementer certification for people who are interested in implementing or auditing ISO 27001, but as you know, it is different from CISSP.

    Anyway, the knowledge that you need to obtain CISSP is generally more technical, because ISO 27001 is related to the management of information security, and there are things not only related to IT.

    These articles can be interesting for you :

    “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • ISO 9001 qualification to obtain ISO 27001 qualification?


    Answer:
    From my point of view, experience in ISO 9001 is not necessary to pursue the ISO 27001 Lead Auditor qualification (there are many people who start with ISO 27001 without experience or qualifications in ISO 9001). So, don’t worry, you can start with ISO 27001 whenever you want; furthermore, your 4+ years of experience in the IT field can help you to understand the technical controls that the standard has (although if you have experience in ISO 9001, maybe you can understand ISO 27001 better, because there are many common points).

    These articles can be interesting for you :

    “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    This free webinar can be also interesting for you “ISO 27001 Lead Auditor Course preparation training” : https://advisera.com/training/iso-27001-lead-auditor-course/

    And of course, you can perform our online course “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Quality Manual for ISO 9001:2015


    Answer:

    A Quality Manual is not mandatory according to the new version of the standard; however, this does not mean it is forbidden. In fact, we included it in our documentation toolkit for ISO 9001:2015.

    Here you can find the free preview of our Quality Manual for ISO 9001:2015 https://advisera.com/9001academy/documentation/quality-manual/

    For more information about the quality manual in the new version of the standard, see:
    - The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Improve my employability


    Answer:
    From my point of view, the first question that you need to ask yourself is what profile you need or want: Internal Auditor? Consultant? Ethical Hacker?

    If you want to become an Internal Auditor or a consultant for ISO 27001, qualifications like ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, CISA, IRCA or any other related to information security can be good for you. By the way, the ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications are generally easier to obtain, so in your case they could be the first step.

    On the other hand, if you are interested in a more technical certification, for an ethical hacker profile, the SANS certifications can be interesting for you (or certifications like CEH, CISSP, etc.).

    These articles can be interesting for you:

    “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    And finally, maybe our online course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Location of ISO 27001 and 22301 Clauses


    Answer:

    The references section of the templates refers to clauses of the ISO 27001 and ISO 22301 standards - these standards are documents that are unfortunately not included in the toolkit; they can be purchased directly from the ISO website. Here are the links: https://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54534 and https://www.iso.org/iso/catalogue_detail?csnumber=50038
  • Accreditation body or certification body?


    Answer:
    Each country has a unique national accreditation body, and it tends to be a public entity, generally related to the government, so unless you are an entity of this type, you cannot be an accreditation body. A certification body is different: it can issue certificates to companies, and each country can have various entities of this type.

    So, you can be a certification body in your country (like SGS, Bureau Veritas, BSI, etc.) and certify companies (ISO 27001, ISO 9001, etc.), although you need to comply with the requirements established by the accreditation body, which is how certification bodies become accredited by the accreditation body.

    Finally, remember that our business is related to the implementation of ISO 27001 in any type of business, and if you want to be a certification body, it can be interesting for your company to have a perspective from the implementation point of view; for this, our templates can be interesting for you. You can download a free version by clicking on “DOWNLOAD FREE TOOLKIT DEMO” here “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/