Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Tema de Tesis: ISO 27001
En realidad yo quiero usar la ISO 27001 PARA UN TEMA DE TESIS y espero pueda ayudarme con algunas dudas.
Respuesta:
Claro que sí, puedes preguntarnos todas tus dudas. En cualquier caso, este trabajo académico relacionado con la implementación de un SGSI (soy el Director de dicho trabajo, desarrollado por uno de mis alumnos), puede ser interesante para ti: https://openaccess.uoc.edu/webapps/o2/bitst******************************************
También puede ser interesante este artículo (en inglés) "The biggest shortcomings of ISO 27001" : https://advisera.com/27001academy/blog/2011/03/21/the-biggest-shortcomings-of-iso-27001/ -
The Manual
During the implementation of ISO 9001, ISO 14001, OHSAS 18001 etc. as a main document one has to write the Manual which contains general information about the company, overview of procedures and records, and maybe an org chart. Please answer me how to write the ISMS Manual as a top-level document. Also I'm interested which type of documents are the documents from Annex A (procedures or something else)?
Answer:
It is not necessary by the ISO 27001 to have a manual, so we recommend you to not develop this document, and please read this article Is the ISO 27001 Manual really necessary? : https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
Regarding documents from Annex A, there can be procedures, and technical instructions, but also can be policies, and plans, but keep in mind that it is not necessary to have a document for each control. Here you can find a list of mandatory documents List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Certification bodies
When it comes to getting certified against ISO 27001 there are different certification bodies available.
Which one is generally best and on which factors can they be compared.
Will you like to share some personal experience or pinpoint me to right direction.
Answer:
Absolutely, it is an important decision and there are many companies available, and there are various parameters that you need to consider. This article can help you to choose the best certification body for your organization How to choose a certification body : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ -
ISO 27001 for a power plant
The documents and information you provide is very helpful.
Furthermore, I would ask, how could we approach in auditing and implementing ISO27001 for a thermal power plant, and how could we calculate its worth/cost?
Thermal power plant is a new practice to me.
Answer:
There is no specific plan to implement the ISO 27001 for a specific business, although this is one of the best points of the standard, because is developed for any type of business. Our templates are also developed for any type of business, so you can implement and certify the ISO 27001 in your organization. For the implementation, this article can be interesting for you ISO 27001 implementation checklist : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding the auditing, I suppose that you mean the certification of the standard, if so, this article can be interesting How to choose a certification body : https://advisera.com/27001academy/knowledgebase/how-to-choose-a-certification-body/
Finally, this article can help you t o calculate costs "How much does ISO 27001 implementation cost?" : https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/ -
ISO 27001 for data center
If the 2 exits are controlled from unauthorized access, there is no problem with the standard, so you need a policy of control access. I think that can be also very interesting to install video cameras in these 2 exits.
In all other respects there is no problem to implement and certify the ISO 27001 in your organization, because it is for the protection of the information of any type of business. Our templates are also developed for any type of business, and also you can have our support. If you are interested, you can see a free version of each template cl icking on Free Demo tab here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
To start a project of this type, the first thing that you need is a project plan, so this article can be interesting for you ISO 27001 project How to make it work : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
Finally I think that this article can be very interesting for you ISO 27001 Case study for data centers: An interview with Goran Djoreski : https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/ and also this article "Physical security in ISO 27001: How to protect the secure areas" : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/ -
Economic resources
We offer the toolkit with all templates that you need to implement the ISO 27001, and it has a cost but is very cheap in comparison to other options, so I think that it is the best option for you. Furthermore you can see a free version of all documents clicking on Free Demo, and of course you can ask us any doubt that you have related to the implementation of the ISO 27001 in your organization.
Regarding the internal audit of systems and control methods, we do not have such policy (we do have an internal audit procedure that covers the whole audit process in general), but you can develop your own checklist for technical items reading this article: How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
Secure development
1. A.14.2.1 Secure development policy =does this control still applicable for organization that fully outsource their development process?
2. A.14.2.2 =does this control only for during development process (i.e. coding, bug fixing), or does it includes changes when system is put into operations (i.e. new requirements, enhancement)? How does it differ from A.12.1.2? Does operating system patching/updating part of A.14.2.2 or A.12.1.2?
3. A.14.2.5 =is this only applicable for inhouse development? Is this applicable when analyzing system requirements and system design?
Answer:
Point 1:
Yes, you can apply this control, but in this case you need to request a secure development policy to the external company
Point 2:
You can consider this control for development process and also for changes in systems when you put them into operations. The control A.12.1.2 is more general (for all changes related to information security: organization, business processes, information processing facilities, etc.), and the control A.14.2.2 is specifically related to changes to systems within the development lifecycle. I think that operating system patching/updating is more related to the control A.14.2.2
Point 3:
Yes, but here you can also demand a secure system engineering principles to an external company, and yes, you can apply this control when analyzing system requirements and system design. -
Poslovnik ISMS kao generalni dokument
Prilikom implementacije ISO 9001, ISO 14001, OHSAS 18001 i sl. kao glavni dokument, izra?uje se Poslovnik koji sadri opte informacije o privrednom subjektu, pregled procedura i zapisa, eventualno, shemu organizacione strukture. Molim Vas da mi odgovorite kako izraditi Poslovni ISMS kao krovni dokument. Tako?e me interesuje u koju vrstu dokumenata spada dokumentacija iz Anex-a A (procedure ili neto drugo). Unapred zahvaljujem. -
ISO 22301 in the world
Answer:
Keep in mind that the standard is new and it is necessary time to expand to all companies of the world, but the companies interested in the standard is increasing daily, and I am sure that in the next years there will be many companies certified -
Two big doubts
Question 1: According to standard 31000 external issues can be: Setting cultural, social, political, legal, financial, technological, etc. But what information about those items I need to be in compliance with section 4.1 of ISO 27001?
Question 2: Which document should I put this information?
Answer:
Point 1: It is also the same applicable to ISO 27001, anyway this article can help you Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
Point 2: At the end of the article of the point 1, you have a link for the document Procedure for identification of requirements : https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/. You can see a free version of this template clicking on Free Demo tab, and you can use it for the clause 4.1 of the standard.