
  • Companies approved by IRCA in India


    Could you please advise me whether SGS Group in India is an IRCA-approved certification body for the ISO 27001 Lead Auditor course, and whether I should enrol there.

    Answer:

    Yes, SGS Group in India is accredited by IRCA for the ISMS Lead Auditor course, although there are other companies that may also be of interest (Bureau Veritas, BSI, etc.), and my recommendation is that you request proposals from several entities. In any case, you can find this information on the official IRCA website: https://members.irca.org/IRCA/train***********************************
    By the way, this article may be of interest to you, “How to become ISO 27001 Lead Auditor”: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    Our online course “ISO 27001:2013 Internal Auditor Course” may also be of interest: https://advisera.com/training/iso-27001-internal-auditor-course/
  • Actions to be taken after BCM implementation


    Would you please send me the actions which need to be taken by the BCM team after implementation, on a day-to-day basis and as below:
    Annual actions?
    Monthly actions?
    Quarterly actions?
    Weekly actions?

    Answer:

    Most actions have an annual frequency (review the risk assessment, perform the internal audit, perform the management review, perform corrective actions, etc.), although there are actions that can be performed monthly/quarterly: operating the BCMS, monitoring and measuring the system (for example, if you have defined an indicator on a monthly/quarterly basis), meetings, etc. On a day-to-day basis you can perform the activities described in your policies and procedures. This article may be of interest to you; although it is about ISO 27001, it can also apply to a BCMS because there are many similarities between both systems: “How to maintain the ISMS after the certification”: https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
  • Information security job titles


    For now my question is about job titles and responsibilities. Is there any list of information security job titles, for example: info sec manager, info sec officer, info sec-???

    Answer:

    The most important job title in information security is “Chief Information Security Officer (CISO)” (also known as Information Security Officer, Security Manager, etc.). This article may be of interest to you:
    “What is the job of Chief Information Security Officer (CISO) in ISO 27001?”: https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    And also this one, "Chief Information Security Officer (CISO) - where does he belong in an org chart?": https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    Finally, our online course may also be of interest to you:
    “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Policy for utility programs


    I would like to ask you a question about ISO 27002:2013 section 9.4.4, Use of privileged utility programs. Can you explain what kind of policy we must make to conform to the standard?

    Answer:

    First you need to identify any software that you need in your organization for the activity of the business (generally installed in the operating system). The next step is to establish some rules related to the utility programs:

    Delete (or do not install) unnecessary utility programs
    The installation of new utility programs can only be performed by authorized personnel
    Create a user/password for those utility programs that anyone could otherwise access
    For utility programs which have a user/password: create different users/passwords for different people (not a single “administrator” or “root” user for all)

    You can include these rules in an Access Control Policy, so our template “Access Control Policy” may be of interest to you: https://advisera.com/27001academy/documentation/access-control-policy/
    Finally, our online ISO 27001 course "ISO 27001:2013 Foundations Course" may also be of interest to you: https://advisera.com/training/iso-27001-foundations-course/
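As an added, illustrative example (not part of the answer above, nor Advisera's own material), the first two rules in that answer, keep only the privileged utilities you need and let only authorized people install new ones, can be verified on a Linux host rather than just written into a policy. The script below parses the output of find(1) for setuid/setgid binaries, compares it with an approved list, and reports anything extra, anything with an unexpected owner, and anything approved that has gone missing. The sample find output and the approved list are constructed for the example; the path names and the `APPROVED` mapping are assumptions, not a reference configuration.

```python
"""Inventory privileged (setuid/setgid) utility programs against an approved list.

Example added for illustration; the sample find(1) output and the approved
list below are constructed, not taken from any real host.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of:
#   find / -xdev -type f -perm /6000 -printf '%M %u %g %p\n'
SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x root root /usr/bin/sudo
-rwsr-xr-x root root /usr/bin/passwd
-rwxr-sr-x root shadow /usr/bin/chage
-rwsr-xr-x appuser appuser /usr/bin/at
-rwsr-xr-x root root /usr/local/bin/netdiag
-rwsr-sr-x root root /opt/legacy/bin/dbadmin
"""

# Constructed approved list: path -> expected owner. Any privileged binary that
# is not listed here is, under the policy, an unnecessary utility to remove or justify.
APPROVED: Dict[str, str] = {
    "/usr/bin/sudo": "root",
    "/usr/bin/passwd": "root",
    "/usr/bin/chage": "root",
    "/usr/bin/at": "root",
    "/usr/bin/su": "root",
}


@dataclass(frozen=True)
class PrivilegedFile:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_find_line(line: str) -> PrivilegedFile:
    """Parse one '%M %u %g %p' line; the path comes last so it may contain spaces."""
    mode, owner, group, path = line.split(maxsplit=3)
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string {mode!r} in line {line!r}")
    return PrivilegedFile(
        path=path,
        owner=owner,
        group=group,
        setuid=mode[3] in "sS",  # setuid bit shows in the user-execute position
        setgid=mode[6] in "sS",  # setgid bit shows in the group-execute position
    )


def audit_privileged_utilities(find_output: str, approved: Dict[str, str]) -> List[Finding]:
    """Compare the live inventory with the approved list and report drift in both directions."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for raw in find_output.splitlines():
        if not raw.strip():
            continue
        entry = parse_find_line(raw)
        if not (entry.setuid or entry.setgid):
            continue  # find already filtered on -perm /6000; stay defensive anyway
        seen.add(entry.path)
        expected_owner = approved.get(entry.path)
        if expected_owner is None:
            findings.append(Finding(entry.path, "privileged utility not on the approved list"))
        elif entry.owner != expected_owner:
            findings.append(Finding(entry.path, f"owned by {entry.owner}, expected {expected_owner}"))
    # An approved utility that vanished is also drift: it may have been replaced or moved.
    for path in approved:
        if path not in seen:
            findings.append(Finding(path, "approved utility missing from inventory"))
    return findings


if __name__ == "__main__":
    # Pipe real find(1) output in; fall back to the constructed sample for a dry run.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FIND_OUTPUT
    for finding in audit_privileged_utilities(data, APPROVED):
        print(f"{finding.path}: {finding.reason}")
```

On a real host you would run `find / -xdev -type f -perm /6000 -printf '%M %u %g %p\n' | python3 audit_setuid.py` from a scheduled job and treat any finding as a deviation from the approved list; the approved list itself then becomes the record that the "authorized personnel" rule is meant to protect.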
  • Responsibilities in the Information security policy

    1. Who is responsible for ensuring that the ISMS is implemented and maintained according to the Information Security Policy, and for ensuring all necessary resources are available?
    2. Who will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when?
    3. Who has to ensure that all employees of the organization, as well as appropriate external parties, are familiar with the Information Security Policy?
    4. Who is the owner of the Information Security Policy?
    5. Who is responsible for setting the method for measuring the achievement of the objectives?
    6. Who will analyze and evaluate the measurement results and report them to top management as input materials for the Management review?

    Answers:

    Generally speaking, ISO 27001 does not prescribe who should be doing what in a particular company, so you should define the responsibilities that best fit your particular situation.

    To answer your questions:

    1) This would typically be the Chief Information Security Officer (CISO), or some other person who is in charge of coordinating information security.

    2) The CISO or a person in charge of corporate communications (e.g. the public relations officer).

    3) Usually CISO.

    4) Usually CISO.

    5) CISO or some other person in a company who is in charge of controlling.

    6) CISO or some other person in a company who is in charge of controlling. 

    These articles will also help you:

    What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Relationship between CE mark and ISO 27001?


    Whether it is obligatory to be in full compliance with ISO 27001 when we want to CE mark a Class 2a MD which includes collection of data and doctors reading data on a computer.

    Answer:

    I am sorry, but I am not sure what you mean; however, there is no relationship between the CE mark and ISO 27001.
    If your question is related to regulations: unless there is a regulation in your country related to the implementation/certification of ISO 27001 (some countries have regulations for the implementation of ISO 27001 in public entities), compliance with it is not mandatory.

    Here you can see a list of international regulations related to information security and business continuity, which may be of interest to you, “Laws and regulations on information security and business continuity”: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
  • To make the documents helpful and ISO 27001 with other standards


    I like all three bullets of your topic “to make the documents helpful”. It's very interesting. By the way, I plan to meet the top management in a few days to propose the ISO 27001 certification project. Do you have any suggestions? I have never asked anyone about this topic, but your messages have influenced me to change my mind.
    I am confused about whether ISO 27001 requires the related ISO standards. Can I implement ISO 27001 without complying with ISO 22301, ISO 20000, and ISO 27005 or ISO 31000?

    Answer:

    The best recommendation is that you talk with the top management about the benefits of ISO 27001 implementation, which are mainly four: compliance, marketing edge, lowering expenses and putting your business in order. This article may be of interest to you, “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    And also this free webinar, “ISO 27001 benefits: How to obtain management support”: https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    Regarding your second question: yes, you can implement ISO 27001 without ISO 22301, ISO 20000, ISO 27005 or ISO 31000, although it can be advisable to use ISO 22301 for the implementation of business continuity in ISO 27001, or to integrate the implementation of ISO 27001 with ISO 20000 (or integrate all three standards), and you can also use ISO 27005 or ISO 31000 as best practices for risk management. These articles may be of interest to you:
    “How to use ISO 22301 for the implementation of business continuity in ISO 27001”: https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    “How to implement ISO 27001 and ISO 20000 together”: https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
    “ISO 31000 and ISO 27001 – How are they related?”: https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Control A.5.1.1 Policies for information security - when to select it?


    Answer:

    I assume you refer to control A.5.1.1 Policies for information security - this control does not refer to the high-level Information Security Policy, but to detailed policies like the Access Control Policy, Acceptable Use Policy, Classification Policy, etc.

    As with other controls, you should select this control as applicable only if there are risks, requirements, or some other business reason. So if there are risks that require you to write the detailed policies, then you should select A.5.1.1 as applicable. See also this article: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    By the way, in the Statement of Applicability you choose the ISO 27001 Annex A controls, not ISO 27002 controls - although, the controls are basically the same. This article will help you: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Providing ISO 27001 audits for clients


    Answer:

    I assume you refer to our ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ - if you take this course, you will be able to provide internal audits for your client. However, certification audits can be provided only by certified lead auditors who work for certification bodies - our internal auditor course was not designed for that purpose.

    This article will help you: How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • BCP for the ISMS?


    What needs to be in the BC plan for the ISMS? I could only think of the doc control system as being the key one for recovery. Is that correct?

    Answer:

    Really, with a Disaster Recovery Plan you can cover the business continuity requirements in ISO 27001, so our template may be of interest to you (you can see a free version by clicking on the “Free Demo” tab), “Disaster Recovery Plan”: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
    Regarding the doc control system, I am not sure what you mean, but the main purpose of document control is not related to the continuity or recovery of the business, so your second sentence is not correct. Keep in mind that the business continuity plan, the disaster recovery plan and the recovery are different things; for more information about this you can read this article, “Disaster recovery vs Business continuity”: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/