1. Recently we had a transition audit and received an audit finding related to clause 7.4 "Communication - No clear reference within ISMS doc. How is this to be managed?"
2. What is the difference between the templates for CAPA and CAR?
Point 2: The first is the procedure, and the second is the record. In the new revision of the standard (ISO 27001:2013) there are no preventive actions (they have been deleted from the old version), so you do not need to manage preventive actions (although the risk management is a global preventive action). So, you only need a procedure and a template for the register of corrective actions. Finally, I recommend you to read this article "Practical use of corrective actions for ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
Get qualifications
We have free resources that you can use to acquire proper knowledge about ISO 27001 (presentations for training, white papers, templates, etc.). You can find them here: https://advisera.com/27001academy/free-downloads/
You can find this document in our toolkit, "List of Legal, Regulatory, Contractual and Other Requirements", which is exactly related to your question. You can see it in the folder "02 Procedure for Identification of Requirements".
You can also see here a list of legal regulations of different countries: https://www.infosecpedia.info/laws-regulatio*******************************************
The owner of the ISO 27001 has been changed to a new department
No, the certification won't be voided. The important thing here is to adapt your implementation to the new revision of the standard, ISO 27001:2013; otherwise, the external auditor of the certification body could identify a major non-conformity in your ISMS. You can read this article about the transition from the 2005 revision to 2013, "How to make a transition from ISO 27001 2005 revision to 2013 revision": https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
On the other hand, it is important to know that if the scope has changed (if there are new assets), you will need to implement the risk management again based on the new scope; otherwise, again, the external auditor could identify non-conformities. For more information about the scope, please read this article, "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Information Security Objectives
Information Security Objectives are not only related to confidentiality, integrity and availability; they are also related to any improvement that your business is hoping to achieve with the implementation of the standard. For example: reduce the number of information security incidents not registered, improve client satisfaction, etc.
Usually, the objectives are set at two levels: 1) general ISMS level, and 2) security controls. Remember that for point 1) you can use an Information Security Policy. And for point 2), because as you know it is related to the security controls, you can use the Statement of Applicability. You can see a free version of this document here by clicking on the "Free Demo" tab: https://advisera.com/27001academy/documentation/statement-of-applicability/
a. What are the differences between ISO 27001 and ISO 20000?
b. If an organisation is ISO 27001 certified and intends to go for ISO 20000 certification:
1. what are the additional areas needed and to prepare?
2. Generally how long will it take to be ISO20000 certified?
3. How should one advise them on what is needed for ISO 20000?
Answers:
Point a: ISO 27001 establishes requirements for an Information Security Management System, and ISO 20000 establishes requirements for a Service Management System, so ISO 27001 is related to information security, and ISO 20000 is related to IT service management.
Point b.1: There are many things, because the objective of each standard is different. For example, in ISO 20000 you need a configuration management process, a business relationship management process, a service level management process, etc.
Point b.2: It depends on the company, but between 8-12 months.
What type of GRC (governance, risk, compliance) tool do you recommend to implement an ISMS (ISO 27001/27002)? By the way, I'm about to test eArcher GRC; I don't know if it supports all ISO 27001 requirements...
Answer:
For the implementation of ISO 27001 you need to develop a methodology for the risk assessment and treatment, and to do this, you can use ISO 27005, which is a code of best practices for the development of a risk management methodology. Anyway, we have all the necessary templates for the implementation of ISO 27001 (including all related to the risk management), so you can use them. You can see a free version of all documents if you click on the "Free Demo" tab. Here is our methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/ and here you can find all our templates for the implementation of ISO 27001: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
And we do not have information about eArcher GRC, but again, you can try our templates and use them for the implementation of the risk management in your business.
Searching jobs as internal auditor
Hi, I have a question: should an internal auditor be CA qualified or not? Because when I try to search for jobs in a job portal with "internal auditor" or "information security internal auditor", the listed jobs also require CA qualification. So, what is the right keyword to search for a job as an internal auditor? Because I have read here that we need at least two years of experience to do the ISO 27001 lead auditor course.
Answer:
If you are searching for jobs as an internal auditor, you should use keywords according to your skills: ISO 27001, ISO 27002, ISO 27005, ethical hacking, IT management, Linux/Windows/Mac environments, programming languages, etc. On the other hand, you can do the ISO 27001 lead auditor course whenever you want; there is no problem with your experience. But if you want to work with a certification body, you need to have performed the ISO 27001 lead auditor course, and depending on the company, you will need some years of experience (minimum 2).
Cloud computing
ISMS compatible with software development process
No, sorry, this is not our business. We have all the necessary templates for the implementation of ISO 27001 (and other standards like ISO 22301, ISO 20000, etc.), but we do not sell the documents of the standards themselves, because they are developed by ISO.org and you can buy them directly on its official site.
Question 1: In a project Terms of Reference we have been asked to prepare a report to prove that the newly established or updated software development process (analysis, design, development, testing and maintenance) is ISO 27001:2013 compatible. This is for an MIS system. Is this possible? My understanding is that ISO 27001 refers to an ISMS, not to just any software development. Have I misunderstood?
Question 2: Also, the report has to be signed by a competent ISO 27001 specialist, but I don't know if such a specialist would be willing to sign a report for something that has not yet been developed.
Answers:
Answer 1: You are right, ISO 27001 establishes requirements for an Information Security Management System, and it is compatible with the software development process. So much so, that you can find in Annex A of the standard security controls like: A.14.2.1 Secure development policy, A.14.2.2 System change control procedures, A.14.2.3 Technical review of applications after operating platform changes, etc. Anyway, the report that you mention can be developed only if you have implemented ISO 27001 in your organization; otherwise, the report will be empty.
Answer 2: Yes, you need an internal auditor qualified in ISO 27001, but in this case, if the software is not developed, it is hard to prove that the security controls are in place, and that is very important if you want to show that you have implemented ISO 27001 in your organization.