Is there a standard that requires a surveillance audit to be conducted once a year, or is it the decision of the certification body?
Answer:
ISO 17021 is a standard that establishes requirements for bodies providing audit and certification of management systems. This standard establishes that the surveillance audit shall be conducted at least once a year. Or in some cases it is performed twice a year (depending on the certification body and the company). Anyway, basically there are 3 types of audit for all ISO standards:
A - First initial certification audit: It is performed only the first year
B - The surveillance audit: It is performed only after the first initial certification audit, and generally it is performed once a year, or in some cases it is performed twice a year.
C - The recertification audit: It is performed only after the first initial certification audit and the surveillance audit, when the certificate expires after 3 years.
I just need your assistance on developing a communication procedure at my company, so I wanted to know if you can assist or refer me to online material that can help me.
Do we need to make a business continuity procedure or documents if we just want to have the ISO 27001 cert? Because every time I study ISO 27001, Business Continuity is there in the discussion.
Answer:
ISO 27001 talks about Business Continuity, and it is an important point in the Annex A of the standard (domain "A.17 Information security aspects of business continuity management"). But you can implement only a Disaster Recovery Plan (DRP) as a minimum to be compliant with A.17.1.2 and A.17.2.1 of the ISO 27001:2013, which is more related to the recovery of the IT infrastructure. Finally, keep in mind that your DRP should be based on the results of the risk assessment.
To see more in detail the differences between Business Continuity Plan and the Disaster Recovery Plan, you can see this article Disaster recovery vs Business continuity : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
And our template Disaster Recovery Plan can also be interesting for you: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
Check controls
How often should the security controls be check-listed?
Answer:
You can check your list of controls as many times as you like in 1 year, but as a minimum you can check this list once a year in the Internal Audit. To perform this check, you can use the Statement of Applicability, because it contains the applicability of all controls.
By the way, if you need information about how to make an Internal Audit, this article can be interesting for you How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Inventory of assets
I have been tasked by my county government employer to formulate and draft an asset management policy from scratch, and I have no idea of where to start.
Kindly send me samples for cities in Africa, Europe and North America etc. for comparison, and then advise on where to start and the road map, key milestones and any other information you think I might need.
Answer:
I am sorry but we work only with documents that are mandatory for the implementation of the ISO 27001 (and ISO 22301), and it is not mandatory to have an asset management policy. A mandatory document is the inventory of assets, and I think that this article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Also if you want to see the list of mandatory documents, you can see this List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Anyway, I think that you can use the first article to write your own asset management policy, identifying requisites and establishing them in your policy. For example: Assets can be Hardware, software, information, etc.
Transition course
May I ask if there is a transition course for Auditors/Lead Auditors ISO27001:2005 to ISO 27001:2013?
Our company is a small call center, and we are interested in accreditation under the ISO standards, in this case ISO 27001, since our customers, when requesting our services, ask for plans, policies and procedures for the protection of their information. For this reason we want to be accredited and thereby be able to offer the best possible service.
It should be noted that we do not yet have ISO 9001 accreditation; in fact, we are also looking at starting the process for that accreditation.
My question is whether it is better to wait until we are accredited in the Quality Management System before starting the ISO 27001 process.
Answer:
If you want to certify ISO 27001, you can do it without ISO 9001; I mean, ISO 9001 is not necessary to implement ISO 27001, although it can be a path, because both standards have many points in common. In any case, I think that if you are clear that your business needs ISO 27001, the best option for you is to implement ISO 27001 directly, without ISO 9001.
Do the requirements/business related to information security need to be identified?
Do the requirements/business related to information security need to be identified? Or only the customer name?
If, let's say, I have 100++ customer contracts or more, do I need to identify all of them to find which requirements are related to information security? That looks like many.
Answer:
If you have standardized contracts with your customers, and therefore the same security clauses in each contract, you can list all the customers as one item only, specifying the security clauses. If not, you need to identify the names of your customers (only those that are relevant), and the requirements for each one (but only requirements relevant to information security). This is so because the standard establishes in clause 4.2 a) "The organization shall determine interested parties that are relevant to the ISMS" and in clause 4.2 b) "The organization shall determine the requirements of these interested parties".
I think that if you consider only relevant clients that are relevant to the ISMS (think only in those which can influence the security of the information within your ISMS scope), you can reduce your list.
Remember that we have a procedure for the identification of requirements that can help you. You can see a free version clicking on Free Demo tab here Procedure for Identification of Requirements : https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
Risk Assessment and Risk and Control Self-Assessment
What do you mean by Risk Assessment (RA)? Is it the same as Risk and Control Self-Assessment (RCSA)?
Answer:
In accordance with the definition in "ISO 27000:2012 Overview and vocabulary", Risk Assessment is: the overall process of risk identification, risk analysis and risk evaluation. However, RCSA basically provides a complete method for the identification, analysis, evaluation and treatment of risks.
So, when we talk about risk assessment (it includes identification, analysis and evaluation), we also need to talk about risk treatment, because both things are necessary in a methodology for the management of risks, but they are different things. For more information please read this article ISO 27001 risk assessment & treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
So, risk assessment is not the same as RCSA. A methodology which defines the risk assessment & risk treatment provides the same things which RCSA provides for the management of risks (identification, analysis, evaluation, treatment).
Use of logo
I would like to ask you about 'Use of Logo' in ISO 27001:2013. Actually, we're scheduled for our Final Surveillance/Transition audit in a week's time and I received the audit plan from the Auditor. This is what he has mentioned in the Audit plan.
ISMS Transition
ISMS Elements (Management Review, Internal Audit, Risk Management, Use of Logo, Corrective Action) and Discussion of all outstanding issues from previous visits.
I would like to know what this 'Use of Logo' is, as I didn't find such a thing in ISO 27001:2013 (maybe I missed it). What controls are related to this, and how can we ensure compliance with this ISMS element?
Answer:
Use of logo is something the auditors must check during the surveillance visit - they need to check if the certification logo for ISO 27001 certificate was used in appropriate places. For example, if only IT department was ISO 27001 certified, your company cannot use the certification logo in the context of e.g. the manufacturing facility.
Maybe this article about the questions that an auditor can ask you in the audit can be interesting for you Which questions will the ISO 27001 certification auditor ask? : https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
You can also review this checklist of implementation to check your implementation ISO 27001 implementation checklist : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/