What indicates a successful implementation of the ISO 27001
What indicates a successful implementation of the ISO 27001 framework - when all the documentation is completed? When some gaps identified in the self-assessment have been closed?
Answer:
From my point of view, there are many activities that must be performed (it is not only necessary to develop documents, you need to implement them). The implementation of ISO 27001 is like any other project, so you need a project plan, and you need to perform all phases identified in it. After the implementation, there are some mandatory steps: internal audit, management review and corrective actions. So, if you have performed your project plan, and you have also performed the mandatory steps, you have implemented ISO 27001 successfully in your organization, and you are ready for the certification process. It is also important to keep in mind that the implementation of ISO 27001 will be successful if you have managed to decrease the number of security incidents.
Here you can see a checklist for the ISO 27001 implementation, "ISO 27001 implementation checklist": https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
And this article can also be interesting for you, "Becoming ISO 27001 certified: How to prepare for certification audit": https://advisera.com/27001academy/iso-27001-certification/
Identification of Requirements - level of detail?
From my point of view, in your list of interested parties it is sufficient to include the general principles. Anyway, for ISO 27001 it is important that your company complies with all laws and legal regulations, but the level of detail is not established in the standard. For the level of detail that you need to go into, you will need information about each specific law in your country. For example, for personal data protection, in some countries you need to identify all personal data, the level of protection for each personal data, and implement the necessary measures, which usually are defined in the law itself.
So, my recommendation is that after the identification of all legal requirements, you need to find information in your country about each law to know specifically what the requirements are (this information about the detail of each law must be public).
Remember that you can find here a list of laws and regulations on information security and business continuity "Laws and regulations on information security and business continuity" : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Finally, have you seen this interesting article about the identification of interested parties? "How to identify interested parties according to ISO 27001 and ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Obtain management support
My name is xxx, I work at xxx, and we are trying to figure out the best way to be certified against ISO 27001.
The first step, obtaining management support, was necessary, but my team and I failed to obtain this support.
Maybe you have some tips on how to get the management support and "open their eyes" to the benefits of being certified.
Answer:
It is a common problem in other companies, and many times it is very hard to obtain the management support, because they need to see benefits. Here you have 4 key benefits that you need to transmit to top management:
Compliance
Marketing edge
Lowering the expenses
Putting the business in order
Need your advice on the selection of ISO training. Which one should I opt for from the undermentioned:
1-ISO/IEC 27001 Lead Implementer
2-ISO/IEC 27001 Lead Auditor
My current role is CISO and my team is responsible for Information Security Policy creation, implementation besides the SOC and other technical stuff.
If some bank is implementing 27001 & 22301, does VAPT need to be done mandatorily?
Answer:
In accordance with the control of Annex A of ISO 27001:2013, A.12.6.1 Management of technical vulnerabilities, you need to manage technical vulnerabilities, but the standard does not establish that you need to perform a complete VAPT (Vulnerability Assessment and Penetration Testing), so a scan of technological vulnerabilities and a plan to treat them can be enough, but from my point of view it can be a best practice to perform a complete VAPT.
Anyway, keep in mind that the controls of Annex A must be implemented only if after the risk assessment you identify that you need controls to decrease the risks identified (although there are some exceptions because there is a list of mandatory documents).
By the way, this control is not present in ISO 22301, so you do not need to implement this control in ISO 22301, but from my point of view it can also be a best practice.
If you are interested in mandatory documents (and non-mandatory) of ISO 27001:2013, you can see this article, "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Related to ISO 22301, you can also see this article, "Mandatory documents required by ISO 22301": https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Finally, this free webinar can also be interesting for you, "ISO 27001: An overview of ISMS implementation process": https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
Software development within the company
You can exclude the development from your ISMS scope. From my point of view, you have focused the scope on the production environment, and it is not mandatory to also include the development (although it can be recommendable to include it in the future, integrating existing policies, procedures, etc. with the documentation of the ISMS). Anyway, if you need more information about the definition of the scope, you can read this article, "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope
Documents and procedures separately
Confidentiality level for the Business Continuity Policy
What is the confidentiality level for the Business Continuity Policy Document? I have watched the video but am unable to find the answer.
Answer:
I suppose that your question is related to ISO 22301. This standard does not establish a confidentiality level for documents; anyway, you can consider, for example, 3 confidentiality levels: Confidential (information only for Directors and Top Management), Restricted (information only for Managers, some areas, or some employees) and Internal (information only for internal employees). So, if the Business Continuity Policy must be a document for internal use, and must be seen by all employees, in accordance with my previous example, you can consider it as Internal.
Finally, this article about the classification of information can be interesting for you, "Information classification according to ISO 27001": https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/, and also this article, "The purpose of Business continuity policy according to ISO 22301": https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
Justification in SoA
What should the justification in the SoA be like? Is it to rephrase the "Controls" in the standard Annex A? And what else should be included in the SoA?
Answer:
The justification depends on the source of each control. During the risk treatment you need to identify controls that are necessary to decrease risks, but you also identify controls that are required because of other reasons: law, contractual requirements, or because of other processes. So, the justification could be: "Implemented by contractual requirements", or "Implemented to decrease risks related to", or also "This control is not implemented because the organization does not have teleworking" if the control is not implemented.
Generally the original definition of each control of Annex A is enough (all controls were developed by experts from all over the world), so from my point of view you can maintain the original control, and if you want, include some more actions or controls (you can also use controls from other sources, for example PCI-DSS).
The most important is the applicability and the justification of each control, but as a best practice you can also include a field for the implementation method (how you have implemented each control).
For more information about the SoA, you can read this article, "The importance of Statement of Applicability": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
And you can also see a free version of our template for the SoA by clicking on the Free Demo tab here: https://advisera.com/27001academy/documentation/statement-of-applicability/
Procedure to become Lead Auditor
What is the procedure for getting a degree of ISO auditor and its career opportunities? Course details like eligibility, cost structure, exams and all?
Answer:
The first step can be to acquire a good knowledge base about information security and ISO 27001, and for this our blog will be useful for you because we have articles, webinars, ebooks, templates, etc. You can start here, "What is ISO 27001?": https://advisera.com/27001academy/what-is-iso-27001/
After this knowledge base, you can try to become Lead Auditor (you can find many jobs as Lead Auditor). So, this article can be interesting for you, "How to become ISO 27001 Lead Auditor": https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
With a good knowledge base about information security, you can also find jobs as a consultant (it can be interesting for you to search for jobs not only as Lead Auditor), so this article can be interesting for you, "How to become an ISO 27001 / BS 25999-2 consultant": https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
Regarding costs, it depends on the entity, but my recommendation is that you search for courses in various certification bodies, for example BSI, Bureau Veritas, etc., or local training companies in your country with good prestige.
Finally, regarding the exam, I think that this free webinar will be interesting for you, "ISO 27001 Lead Auditor Course preparation training": https://advisera.com/training/iso-27001-lead-auditor-course/