Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Accreditation body or certification body?
Answer:
Each country has an unique national accreditation body, and it tends to be a public entity, generally related to the government, so unless you are an entity of this type, you cannot be an accreditation body. Different is the certification body, which can issues certificates to companies and each country can have various entities of this type.
So, you can be a certification body in your country (like SGS, Bureau Veritas, BSI, etc.), and certify companies (ISO 27001, ISO 9001, etc), although you need to comply with requirements established by the accreditation body, so certification bodies become accredited by accreditation body.
Finally remember that our business is related to the implementation of ISO 27001 in any type of business, and if you want to be a certification body, can be interesting for your company to have a perspective from the implementation point of view, and for this, our templates can be interesting for you. You can download a free version clicking on “DOWNLOAD FREE TOOLKIT DEMO” here “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/ -
Mobile computing and teleworking
Answer:
You are right, mobile devices can be used for teleworking, but there are others devices that you can also use for teleworking (Desktops PC, laptops, remote servers, etc). In the Annex A of ISO 27001:2013, there are 2 different controls about this: “6.2.1 Mobile device policy” and “6.2.2 Teleworking”. So, basically teleworking refers to all forms of work outside the office, and mobile devices refers to all devices that you can move from the office to another site (outside the office).
To comply with both points, you can develop a policy, so maybe can be interesting for you our template (you can see a free version clicking on “Free demo” tab) “Mobile Device and Teleworking Policy” : https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
By the way, this article about Bring Your Own Device can be interesting for you "How to write an easy-to-use BYOD policy compliant with ISO 27001" : https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
Finally, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Is assessing asset value mandatory?
It is very useful. A clarification: In your Risk value calculation, you are considering only the Impact & Probability.
Do we have to consider the Asset value also. Please clarify.
Answer:
ISO 27001 does not require you to assess the asset value - this is actually one of the greatest myths about risk assessment; what ISO 27001 does require you is to assess impact and likelihood. Of course, if you want to, you can assess asset value, but then you should assess these 3 items: asset value, threats and vulnerabilities (instead of only impact and likelihood).
This article explains this into more detail: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment -
Perform a course?
Answer:
From my point of view, if you want to have warranties to pass the exams, will be better if you perform a course. Anyway, I don’t know your real knowledge about ISO 27001, but with the resources that you have and your experience could be enough (although my recommendation is a course)
Regarding the questions of the exam, I am sorry but we do not have this specific information, although this free webinar can help you for the preparation of the Lead Auditor exam “ISO 27001 Lead Auditor Course preparation training” : https://advis era.com/27001academy/webinar/iso-27001iso-22301-the-certification-process-free-webinar/01-lead-auditor-course-preparation-training-free-webinar/
And these articles can be also interesting for you :
“How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
“How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
Finally, as you know we have the course ISO 27001:2013 Foundations Course, but we also have the course "ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/ -
Diagram of ISO 27001 and ISO 22301 implementation
Answer:
If you need a specific diagram for the implementation of ISO 27001 and a specific diagram for the implementation of ISO 22301, you can find these diagrams in our free download section “Diagram of ISO 27001:2013 Implementation (PDF)” and “Diagram of ISO 22301 implementation process (PDF)" : https://advisera.com/27001academy/free-downloads/
Anyway, the integration of both standards is easy because there are many common points (document control, internal audit, corrective actions, management review, training & awareness, etc), and this article can help you “How to use ISO 22301 for the implementation of business continuity in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
This free webinar can be also interesting for you “ISO 27001 & ISO 22301: Why is it better to implement them together?” : http: //advisera.com/27001academy/webinar/iso-27001iso-22301-the-certification-process-free-webinar/01-iso-22301-why-is-it-better-to-implement-them-together-free-webinar
Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Audit the entire standard?
Answer:
I suppose that your question is related to the internal audit. In relation with the internal audit (section 9.2 of ISO 27001:2013), the standard says: “The organization shall conduct internal audits at planned intervals….”, so you can perform the internal audit as you want, for example once a year.
There is no global accepted way, but my recommendation is that sections 4 to 10 of ISO 27001:2013 should be reviewed in each internal audit, and all security controls can be reviewed in the life cycle of the certificate (3 years), although you can also review all security controls each year (if you have budget and time the best way for me is to audit everything each year).
For the review of the security controls each company have an own method, but one example can be: first year A.5 Information Secur ity Policies, A.6 Organization of information security, A.7 Human resource security, A.8 Asset management and A.15 Supplier relationships (generally not directly related to IT), second year A.12 Operations security, A.13 Communications security, A.16 Information security incident management and A.17 Information security aspects of business continuity management and third year (A.9 Access control, A.10 Cryptography, A.11 Physical and environmental security, A.14 System acquisition, development and maintenance and A.18 Compliance).
Do you need help to perform the internal audit? This article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
By the way, the new version of ISO 27001:2013 has 114 security controls, 133 had the previous version, so this article can be interesting for you “Main changes in the new ISO 27002” : https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
Finally, our online course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/ -
ISO 27001 and SOC report / audit
Answer:
There are many common points between SOC II and ISO 27001:2013: risk management, internal audit, business continuity, access control, etc. If you want to know details about the similarities about both standards, and what resources can be shared, you can see the document “Trust Services Map to ISO 27001” from the official site of American Institute of CPAs (you can find the link at the end of the page) : https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html
So, from my point of view, and in accordance with the document of American Institute of CPAs, ISO 27001:2013 can help you to pass the SOC audit in a successfully way.
Maybe can be interesting for you our toolkit, which includes all necessary documents for the implementation of ISO 27001 (most of them can help you with SOC). You can download a free version here (you need to click on “DO WNLOAD FREE TOOLKIT DEMO") “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Finally, can be also interesting for you our online course “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Best practices for asset identification
Answer:
I agree with you that asset identification in larger companies is a complex process that includes lots of preparation like gathering the lists of assets from various sources (e.g. accounting, legal, human resources, etc.).
However, in smaller companies it is often enough to interview the employees simply by asking them to list all the assets they use - e.g. what do they have on their desk and in file cabinets, which software and information do they have the access to through their computer, which equipment they use, etc.
This article may also help you: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Documenting the measurement of controls
Answer:
The easiest way to document the measurement is to define the information security objectives for each control (or group of controls) through the Statement of Applicability, and then regularly review if those objectives are achieved - this can be done through the Management meeting minutes, and no other documents are needed. For a smaller company, this approach is the best because it doesn't require too many documents.
There materials will also help you:
- article How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- a rticle ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- article Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/ -
ISO 9001 for the implementation of ISO 27001
Answer:
Yes, sure. It is easy to implement ISO 27001 from ISO 9001, because there are many points in common (Document management, Internal Audit, Corrective actions, Human Resources management, Management review, etc). For more information, please read this article “Using ISO 9001 for implementing ISO 27001” : https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
And also this free webinar can be interesting for you “ISO 27001 implementation: How to make it easier using ISO 9001” : https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
Finally, maybe can be interesting for you our online course “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/