I've already downloaded your template previews, and we're about to buy the set. Now I wonder how I can manage and publish the resulting documents.
I've had a look at some Content Management Systems, but there are just so many, and finding the right information on them is quite difficult.
I want a CMS to help me:
- view and edit MS Office documents right from the tool,
- version my documents,
- support a document approval workflow,
- publish current versions of my documents to just the intended audience, but some public documents should be available without authentication,
- grant certain users edit rights on certain documents,
- allow certain users to publish their documents under certain folders,
- notify authorized users of new publications and versions,
- remind me when documents reach the end of their review cycle.
Do you have any recommendations on a CMS (or similar) which gives me this functionality (and anything beyond which I might have missed in my listing)?
I would very much appreciate an answer from you.
We would like to integrate documentation with regard to ISO 9001:2015 and ISO 27001; however, we have a technical problem with how to do it. There are several procedures that are common to ISO 9001 and ISO 27001, but there are also separate procedures for each of these standards. We do not know how to title these procedures: should it be "Quality Management System and Information Security System according to EN ISO 9001, EN ISO 13485, EN ISO 17100 and EN ISO 27001" even if this particular procedure does not apply to ISO 27001 or ISO 9001? Or maybe "Quality Management System procedure" and later refer to the relevant standards?
Answer:
You can follow the way that you want, which means that you can follow the way that is easiest for you. If you have various Management Systems, for me the best way is to establish an Integrated Management System, developing a unique document for those that are common: Integrated Policy, Integrated Internal Audit, Integrated Management Review, etc. And for those that are not common, you can include in the title the name of the related Management System: ISMS Risk Management, QMS Supplier Management; or even if you have 3 systems and a procedure does not apply to the others, you can refer in the title to the 2 systems: ISMS-QMS-name-procedure.
Finally, this procedure can be interesting for you: Document management in ISO 27001 & BS 25999-2: https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Proposal for ISO 27001 implementation
I have to submit a proposal to a large organization for conducting an assessment of their ISMS based on ISO27001.
Can you please provide me with a template or a sample proposal?
Can you also please advise what the international standards are for charging for such assignments?
Answer:
Yes, of course. You can find in our free downloads section a project proposal for ISO 27001 / ISO 22301 implementation (in Word format and also in PowerPoint format). Here is our free downloads section: https://advisera.com/27001academy/free-downloads/
Regarding your last question, there is no standard, but generally the proposal is based on terms of time, so you need to calculate the estimated time for the implementation. Obviously, the more experience and skills the consultant has in ISO 27001, the higher the pay rate will be (you can analyze and compare the pay rates of various consultants with ISO 27001 experience). For the estimation of the time, this free tool can also be interesting for you: Free Calculator Duration of ISO 27001/ISO 22301 Implementation: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
Risk Assessment and Risk Treatment Methodology
Which business unit operations do we make the most money from? There are also different business continuity rules that apply, depending upon the nature of the services that are provided to the client company. So, again, our management feels comfortable if certain services are being detained, due to whatever cause, but our main service must not be disrupted.
Our company employee count is seasonal and will vary from xxx to yyy, depending on the time of the year. We are also subject to HIPAA/HITECH regulations. So, our enterprise risk management environment is a little more complex.
Do you have any recommendations on reasonably low-cost tools that can be used for risk assessment to help standardize the way it is done, from one business unit to another?
Answer:
You can use our easy methodology, which has tools for risk assessment & treatment, and which you can buy independently of our complete toolkit; you will also have our support in the development of your risk assessment & treatment, so I think that can be an interesting and economical alternative for you. Here you can see a free version of our methodology by clicking on the "Free Demo" tab: Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
You can also find here our ISO 27001/ISO 22301 Risk Assessment Toolkit, and you can also see a free version by clicking on the "Free Demo" tab: "ISO 27001/ISO 22301 Risk Assessment Toolkit": https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
Data/Information Classification in Asset Value
1.- Which is the input of which? Or are both independent parameters? Or what is their relationship?
2.- How do we use these two values in the final Asset Valuation?
Answer:
1.- They are independent parameters, but they are related, because you can match an asset value in terms of confidentiality with the information classification. I mean, if you have a database, the information classification can be Top Secret, which can be associated with the highest value in terms of confidentiality during the assessment of assets.
2.- You can establish the same criteria for the classification and for the asset valuation, so for example: Public = 1, Internal Use = 2, Top Secret = 3.
Finally, this article can be interesting for you: "Information classification according to ISO 27001": https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Managing the audit process
I would like to ask for some references for managing the audit process based on ISO/IEC 27001. What is the most important thing, and where should I start?
When implementing an ISMS, you have no historical data to talk about a "reduction" in incidents properly. Do you have examples of reasonable goals for an ISMS in its first cycle of operation?
For example:
"Achieving a measurement of security incident information to establish a set of values to establish a baseline".
"Achieving a complete cycle of continuous improvement of the ISMS on all controls applied to
Catalogue of threats/vulnerabilities
I have a question for you regarding ISO 27002 controls and the 'business risk' associated with failure/non-implementation of the controls. Is there a catalog (or resource) for the type of risk findings shown here (as an example)?
- Asset management program is informal and applied inconsistently across the enterprise.
Failure to track all assets could lead to incomplete application of security programs (e.g., patch management), inadequate level of security (controls) for sensitive assets, and increased spending on unnecessary assets.
- Formal data classification schema does not exist (currently in development).
Without a data classification standard in place, [Client] may not fully understand the risk presented by specific data, leading to incomplete labeling and handling of assets (i.e., inadequate security controls).
- Incident response (IR) responsibilities are only communicated through training without an overarching IR plan in place.
The lack of a formal incident response plan could lead to confusion over management and employee responsibilities during an incident, causing untimely or inappropriate handling of incidents that pose an immediate risk.
- Site-specific business continuity plans do not include required security controls identified through business impact analysis (BIA) assessments.
Failure to identify (BIA) and incorporate security requirements (controls) within site business continuity plans could lead to an inadequate level of security during events that trigger the business continuity program.
What are the necessary documents that an organization needs in order to become ISO 27001 certified? Lastly, when an audit is updated due to changes in technology or employee status etc., what do you name that document? Does it simply become an audit document with a version number, or does it now become the main document, or do it and all the others that follow now become nonconformance documents?
Answer:
Regarding the first question, there is a list of mandatory documents that you need to obtain the ISO 27001 certificate. Here you can see this list: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Regarding your second question, if I understood your question correctly, you are asking about the internal audit documentation. Once the audit process is finished, you need to produce the Internal audit report and initiate the corrective actions. The status of these corrective actions needs to be updated according to your Corrective action procedure; however, the Internal audit report does not change. Once you perform the internal audit next year, then you will write a completely new Internal audit report. This article will also help you: Practical use of corrective actions for ISO 27001 and ISO 22301: https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
Controls in progress
I have a question regarding the certification audit process. Let's say I have defined my ISMS, I have a defined risk management process, and I have selected x risks, assessed, analyzed and treated them, including writing action plans for them. When I defined my scope and wrote my SoA, about half of the controls listed were selected for best-practice purposes, and the other half based on the risk treatment plan. In the audit process for ISO 27001, when we talk about the Status of Implementation of these controls, can I receive the certificate if I have statuses marked as "In progress" instead of "Fully implemented"?
Answer:
From my point of view, generally it is not a problem to obtain the certificate. I mean, you can have controls in progress, but remember that you need to include in the Risk Treatment Plan, for each control, the deadline for its implementation; also remember that you need to develop the Risk Treatment Plan after the SoA, and that you need to implement all the controls that cover major risks before the certification. This article can be interesting for you: Risk Treatment Plan and risk treatment process: What's the difference?: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment and also this article: The importance of Statement of Applicability for ISO 27001: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/