I am in a relatively small (around 80 people) software company that already has the 27001 certification and am in a brand new position as Process Innovation Analyst where I have to make sure the certification is updated, improved, etc.
If you have any suggestions as to how to go about properly maintaining the certification, I would really appreciate it.
Answer:
It is very important for us to know that our documentation can help you; we appreciate your feedback. One question: have you made the update to the new ISO 27001:2013? It is very important. Regarding the maintenance, the important things are to perform the internal audit each year, obtain management support, measure with your defined indicators, perform tests of the business continuity plan, hold meetings to deal with questions related to the ISMS, review the information security policy, define new information security objectives, perform the risk assessment & treatment, etc.
For more information about the maintenance of the ISMS, please read this article, How to maintain the ISMS after the certification: https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
Generic SOA
There is no generic SoA, or I don't know of one. To know exactly what controls you need to apply in your organization, first you need to perform the risk assessment, which gives you information about the risks that you need to reduce. And as you know, you can reduce risks with the security controls, and in this case you will need to apply them in the Statement of Applicability.
For more information about the steps for the execution of the risk assessment & treatment, please read this article, ISO 27001 risk assessment & treatment: 6 basic steps: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
This article may also be interesting for you, "The importance of Statement of Applicability for ISO 27001": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Adaptation to ISO 27001:2013
I read this information, "Whilst certificates are dated for a three year period, ISO/IEC 27001:2005 will be obsolete from 1 October 2015 and therefore all certificates to the 2005 version of ISO/IEC 27001 expire on this date.", from https://www.bsigroup.com/en-GB/iso-27001-i******************************************; which makes me quite confused about the exact expiry date.
Answer:
All companies with the old version of the standard (ISO 27001:2005) have time for the adaptation to the new version (ISO 27001:2013), but I think that the dates for this adaptation depend on each company. I think that you need to ask your certification body directly.
Anyway, our recommendation is that you implement the new version as soon as possible. There are no important changes, so the adaptation is very easy. To learn the differences between the old and new versions of ISO 27001, you can read this article, How to make a transition from ISO 27001 2005 revision to 2013 revision: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
Asset owner
Regarding assets, the ISO 27001:2013 standard does not establish that a person responsible for an asset matrix has to be defined. It is only necessary to assign an owner for each asset, and regarding risks, a risk owner needs to be established. I think it may be interesting for you to know the differences between the two, so please read this article (in English), Risk owners vs. Asset owners in ISO 27001:2013: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Neither ISO 27001 nor ISO 22301 requires you to have a disaster recovery site. However, what both of these standards require is that you define how you will be able to recover your activities if your primary location is no longer available.
For the implementation of an ISMS there are many steps, but the first thing that you need is a project plan. Also very important (and sometimes hard to achieve) is obtaining management support. For more information about the design of the ISMS, please read this article, ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/