Search results


  • Quality Manual for ISO 9001:2015


    Answer:

    Quality Manual is not mandatory according to the new version of the standard; however, this does not mean it is forbidden. In fact, we included it in our documentation toolkit for ISO 9001:2015.

    Here you can find the free preview of our Quality Manual for ISO 9001:2015 https://advisera.com/9001academy/documentation/quality-manual/

    For more information about the quality manual in the new version of the standard, see:
    - The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Improve my employability


    Answer:
    From my point of view, the first question that you need to ask yourself is about what profile you need or want: Internal Auditor? Consultant? Ethical Hacker?

    If you want to become an Internal Auditor or a consultant about ISO 27001, qualifications like ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, CISA, IRCA or any other related to information security can be good for you. By the way, generally the certifications ISO 27001 Lead Auditor and ISO 27001 Lead Implementer are easier to obtain, so in your case they can be the first way.

    On the other hand, if you are interested in a more technical certification, for an ethical hacker profile, the certifications of SANS can be interesting for you (or certifications like CEH, CISSP, etc.).

    These articles can be interesting for you:

    “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    And finally, maybe our online course can also be interesting for you: “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Location of ISO 27001 and 22301 Clauses


    Answer:

    The references section of the templates refers to clauses of the ISO 27001 and ISO 22301 standards. These standards are documents that are unfortunately not included in the toolkit; they can be purchased directly from the ISO website. Here are the links: https://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54534 and https://www.iso.org/iso/catalogue_detail?csnumber=50038
  • Accreditation body or certification body?


    Answer:
    Each country has a unique national accreditation body, and it tends to be a public entity, generally related to the government, so unless you are an entity of this type, you cannot be an accreditation body. A certification body is different: it can issue certificates to companies, and each country can have various entities of this type.

    So, you can be a certification body in your country (like SGS, Bureau Veritas, BSI, etc.) and certify companies (ISO 27001, ISO 9001, etc.), although you need to comply with requirements established by the accreditation body, so certification bodies become accredited by the accreditation body.

    Finally, remember that our business is related to the implementation of ISO 27001 in any type of business, and if you want to be a certification body, it can be interesting for your company to have a perspective from the implementation point of view, and for this, our templates can be interesting for you. You can download a free version by clicking on “DOWNLOAD FREE TOOLKIT DEMO” here: “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Mobile computing and teleworking


    Answer:
    You are right, mobile devices can be used for teleworking, but there are other devices that you can also use for teleworking (desktop PCs, laptops, remote servers, etc.). In Annex A of ISO 27001:2013, there are 2 different controls about this: “6.2.1 Mobile device policy” and “6.2.2 Teleworking”. So, basically, teleworking refers to all forms of work outside the office, and mobile devices refer to all devices that you can move from the office to another site (outside the office).

    To comply with both points, you can develop a policy, so maybe our template can be interesting for you (you can see a free version by clicking on the “Free demo” tab): “Mobile Device and Teleworking Policy” : https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/

    By the way, this article about Bring Your Own Device can be interesting for you: "How to write an easy-to-use BYOD policy compliant with ISO 27001" : https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

    Finally, our online course can also be interesting for you: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Is assessing asset value mandatory?

    It is very useful. A clarification: in your risk value calculation, you are considering only the impact and probability.
    Do we have to consider the asset value also? Please clarify.

    Answer:

    ISO 27001 does not require you to assess the asset value. This is actually one of the greatest myths about risk assessment; what ISO 27001 does require is to assess impact and likelihood. Of course, if you want to, you can assess asset value, but then you should assess these 3 items: asset value, threats and vulnerabilities (instead of only impact and likelihood).

    This article explains this in more detail: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
  • Perform a course?


    Answer:
    From my point of view, if you want to have guarantees of passing the exams, it will be better if you perform a course. Anyway, I don’t know your real knowledge about ISO 27001, but with the resources that you have and your experience it could be enough (although my recommendation is a course).

    Regarding the questions of the exam, I am sorry but we do not have this specific information, although this free webinar can help you with the preparation for the Lead Auditor exam: “ISO 27001 Lead Auditor Course preparation training” : https://advisera.com/27001academy/webinar/iso-27001iso-22301-the-certification-process-free-webinar/01-lead-auditor-course-preparation-training-free-webinar/

    And these articles can also be interesting for you:

    “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    Finally, as you know we have the course “ISO 27001:2013 Foundations Course”, but we also have the course “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Diagram of ISO 27001 and ISO 22301 implementation


    Answer:
    If you need a specific diagram for the implementation of ISO 27001 and a specific diagram for the implementation of ISO 22301, you can find these diagrams in our free download section: “Diagram of ISO 27001:2013 Implementation (PDF)” and “Diagram of ISO 22301 implementation process (PDF)” : https://advisera.com/27001academy/free-downloads/

    Anyway, the integration of both standards is easy because there are many common points (document control, internal audit, corrective actions, management review, training & awareness, etc.), and this article can help you: “How to use ISO 22301 for the implementation of business continuity in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

    This free webinar can also be interesting for you: “ISO 27001 & ISO 22301: Why is it better to implement them together?” : http://advisera.com/27001academy/webinar/iso-27001iso-22301-the-certification-process-free-webinar/01-iso-22301-why-is-it-better-to-implement-them-together-free-webinar

    Finally, maybe our online course can also be interesting for you: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Audit the entire standard?


    Answer:
    I suppose that your question is related to the internal audit. In relation to the internal audit (section 9.2 of ISO 27001:2013), the standard says: “The organization shall conduct internal audits at planned intervals….”, so you can perform the internal audit as you want, for example once a year.

    There is no globally accepted way, but my recommendation is that sections 4 to 10 of ISO 27001:2013 should be reviewed in each internal audit, and all security controls can be reviewed in the life cycle of the certificate (3 years), although you can also review all security controls each year (if you have budget and time, the best way for me is to audit everything each year).

    For the review of the security controls each company has its own method, but one example can be: first year A.5 Information Security Policies, A.6 Organization of information security, A.7 Human resource security, A.8 Asset management and A.15 Supplier relationships (generally not directly related to IT); second year A.12 Operations security, A.13 Communications security, A.16 Information security incident management and A.17 Information security aspects of business continuity management; and third year A.9 Access control, A.10 Cryptography, A.11 Physical and environmental security, A.14 System acquisition, development and maintenance and A.18 Compliance.

    Do you need help to perform the internal audit? This article can be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    By the way, the new version of ISO 27001:2013 has 114 security controls, while the previous version had 133, so this article can be interesting for you: “Main changes in the new ISO 27002” : https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/

    Finally, our online course can also be interesting for you: “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 and SOC report / audit


    Answer:
    There are many common points between SOC II and ISO 27001:2013: risk management, internal audit, business continuity, access control, etc. If you want to know details about the similarities between both standards, and what resources can be shared, you can see the document “Trust Services Map to ISO 27001” from the official site of the American Institute of CPAs (you can find the link at the end of the page) : https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html

    So, from my point of view, and in accordance with the document of the American Institute of CPAs, ISO 27001:2013 can help you to pass the SOC audit successfully.

    Maybe our toolkit can be interesting for you; it includes all necessary documents for the implementation of ISO 27001 (most of them can help you with SOC). You can download a free version here (you need to click on “DOWNLOAD FREE TOOLKIT DEMO”): “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Finally, our online course can also be interesting for you: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/