  • CISA and CISM


    Q1: The info you sent is all about training courses and the exam. Because I am quite comfortable with many areas of 27001, I am just looking for books to read so I can appear for an exam to certify as lead auditor or implementer.
    Q2: Is there an exam, such as the CISSP, which you take after studying a body of knowledge/books written for the ISO 27001 lead auditor exam?
     

    Answer:

    A1: I am sorry, but we do not have books directly related to ISO 27001, although this free ebook about cybersecurity may be interesting for you, “9 Steps to Cybersecurity”: https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
    A2: After the ISO 27001 lead auditor exam, if you pass it, you can be an ISO 27001 Lead Auditor certified by an entity (for example, by a certification body). There are other certifications related to information security and ISO 27001; the best known are CISA and CISM. So after the ISO 27001 lead auditor exam, with the knowledge of ISO 27001, some other important concepts about information security, and specific information about the certifications, you can become CISA and/or CISM (although you also need to pass an exam to become CISA or CISM, and you also need to demonstrate experience in information security).
    We do not have information or books about this, but you can find information on the official page of ISACA (https://www.isaca.org/pages/default.aspx). Anyway, maybe this article can be interesting for you, “CISA vs. ISO 27001 Lead Auditor certification”: https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
    And also this article, “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • IT-GRC and ISO 27001


    I need a little help from you: can you just tell me the relationship or difference between IT-GRC and ISO 27001?
    IT-GRC is all about an integrated approach towards Governance, Risk management and Compliance, whereas ISO 27001 talks about all the aspects like top management, risk management, etc. So my doubt is: why are organizations getting attracted towards the IT-GRC approach? What is the main difference between them?
     

    Answer:

    From my point of view, the main difference is that IT-GRC is related to the governance of IT, which is not established in ISO 27001 (there is another standard for IT governance: ISO 38500). On the other hand, the common point between both is that they are related to risk management and to compliance with policies, procedures, laws and regulations.
    Finally, the IT-GRC approach can be interesting for companies that want a framework related to the governance of IT, while ISO 27001 is for companies that want to implement and certify an Information Security Management System (you cannot certify IT-GRC).
    By the way, do you know what the 6 basic steps in the ISO 27001 risk assessment & treatment are? Here you can see an interesting article, “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Business continuity and crisis management


    Answer:

    Yes, crisis management is included in the Business continuity plan template, which is part of our ISO 22301 Documentation Toolkit - https://advisera.com/27001academy/iso22301-documentation-toolkit/

    Theoretically speaking, crisis management and business recovery are separate processes, but it is better if they work together, because during a larger crisis you will probably need to recover your business operations, and recovering business operations without crisis management would be very difficult.

    If there is a small incident that affects the availability of an information system in a department, you will probably need the BCP (without CM). But if there is an earthquake and all departments of the main facility cannot work, you will need to manage a crisis, and for this, among other things, you will probably need a BCP.

    Just to mention that crisis management is not explicitly mentioned in ISO 22301, but it is de facto required through clauses 8.4.2 Incident response structure, and 8.4.3 Warning and communication.
  • Rules for writing and approving documents


    Answer: ISO 27001 does not require you to include users of the procedure, however it is easier if you do write this because then you know who to send the procedure to.

    If I put "Approved By: ***" (which are my presidents initials) do I have to have him sign them? Or will that be sufficient?

    Answer: ISO 27001 does not require the documents to be signed, however they need to be approved according to your Document control procedure.

    What about documents? Does he need to approve those as well with a signature?

    Answer: The same as previous answer.

    Documents should reference a document # as well as the rev # date and appendix, correct?

    Answer: I'm not sure if I understood your question correctly; however, when you write documents you should include their revision number and date. If you want, you can add a code to each of your documents. When you refer to other documents, you do not need to mention all these details, since this would mean that when you change one document you would need to change all the related documents, too.

    Only procedures need to be documented as to who has them...not actual documents?

    Answer: Procedures are only one type of document; other documents might be policies, plans, reports, minutes of meetings, other records, etc. This article will help you: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • What to list in Risk assessment table


    Answer:

    ISO 27001 allows you to list anything you want, however we suggest you list only assets since we recommend using the asset-based risk assessment.

    Since our Risk assessment methodology template requires listing only the assets, if you decide to also list processes/activities, you should then change the methodology document as well.
  • Call Tree Test


    We have implemented BCM for xxxxx according to the ISO 22301 standard. I kindly ask you where I can find more information about the Call Tree Test.
     

    Answer:

    I am sorry, but we do not have the Call Tree Test in our ISO 22301 Toolkit, because it is not required by the standard. Anyway, I think this article can be interesting for you, “How to perform business continuity exercising and testing according to ISO 22301”: https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
  • SoA before or after the Risk assessment & Risk treatment


    I'm new at this. I was wondering about the SoA: does it come right after the risk assessment or after the treatment plan?
     

    Answer:

    The Statement of Applicability basically shows the list of all controls that you have implemented, so you will complete this document after the risk treatment, but before the risk treatment plan. If you need information about the steps of the risk assessment & treatment, please read this article, “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ . This article can also be interesting for you, "Risk Treatment Plan and risk treatment process - What's the difference?": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    And also this article about the importance of the SoA can be interesting for you, “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • ISO 27001 templates for AWS environment


     I'm just starting to look at the ISO27001 templates you provide. Do they apply if all of our IT infrastructure is based on AWS?
     

    Answer:

    Yes, sure, our templates are developed for any type of business, including your company with its IT infrastructure based on AWS. Regarding cloud computing, this article can be interesting for you, “Cloud computing and ISO 27001 / BS 25999”: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
    Finally, lots of our clients are IT companies who use cloud infrastructure. If you want, we can organize a Skype call where we can show you what the documents look like, and discuss how they can be used for the special circumstances in your company.
  • Example of internal and external issues


    Could you please provide some sample examples of internal and external issues?
     

    Answer:

    Examples of internal issues: you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities, capabilities, etc.
    Examples of external issues: you simply need to identify interested parties and their requirements (interested parties can be employees, clients, suppliers and partners, etc.)
    For more information about internal and external issues, please read these articles:
    “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Various questions about the ISMS


    1. How do I determine/estimate how long it will take for the project to complete, for my presentation to management?
    2. How do I estimate the cost of the ISMS?
    3. I have a scope defined (regulatory based); it is mainly in xxxx and xxx and a XX branch. I need to tell management how I will manage that with the remote resources?
    4. Also, do you offer pre-certification audit services?
    5. How do I ensure that 3rd parties abide by the control standards we expect when providing us IT services, and how can we demonstrate this to the Gambling and ISO 27001 auditor authorities?
     

    Answers:

    1.- I suppose that your question is related to the duration of the implementation of ISO 27001. If so, to determine this time, you need to identify the number of employees, number of departments, etc. This free tool can help you, “Free Calculator – Duration of ISO 27001 / ISO 22301 Implementation”: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
    2.- There are also some questions that you need to consider: the size of your organization, the level of criticality of the information, the technology the organization is using, etc. For more information about this, please read this article, “How much does ISO 27001 implementation cost?”: https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    3.- From my point of view, here it is important that top management knows the remote resources, but it is not relevant that they know how you will manage them. Keep in mind that, in accordance with clause 5.1 Leadership and commitment c), “Top management shall demonstrate leadership and commitment with respect to the information security management system by ensuring that the resources needed for the information security management system are available".
    4.- No, I am sorry, we only offer templates and support for the implementation. But before the certification it is necessary to perform the internal audit (the pre-certification audit is not mandatory), so if you want to perform the internal audit, this article can be interesting for you, “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    5.- To ensure that 3rd parties meet your requirements, you can perform reviews periodically (and of course it is very important to have agreements with the definition and level of the services - SLAs). To demonstrate this to the auditors, you need records, for example minutes of meetings. For more information about records, please read this article, “Records management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/