
  • ISO 27001 and ISO 20000


    a. What are the differences between ISO 27001 and ISO 20000?
    b. If an organisation is ISO 27001 certified and intends to go for ISO 20000 certification:
    1. What are the additional areas needed, and how should they prepare?
    2. Generally, how long will it take to become ISO 20000 certified?
    3. How should one advise them on what is needed for ISO 20000?

     

    Answers:

    Point a: ISO 27001 establishes requirements for an Information Security Management System, and ISO 20000 establishes requirements for a Service Management System, so ISO 27001 is related to information security, and ISO 20000 is related to IT service management.

    Point b.1: There are many things, because the objectives of the two standards are different. For example, in ISO 20000 you need a configuration management process, a business relationship management process, a service level management process, etc.
     
    Point b.2: It depends on the company, but between 8 and 12 months.
     
    Point b.3: If you want to implement ISO 20000, we have free resources, for example the ISO 20000 implementation diagram: https://info.advisera.com/20000academy/free-download/iso-20000-implementation-diagram/. You can also use our toolkit: https://advisera.com/20000academy/iso-20000-documentation-toolkit/ ; you can see a free version of each document if you click on the “Free Demo” tab.
  • Methodology for the risk assessment & treatment


    What type of GRC (governance, risk, compliance) do you recommend to implement an ISMS (ISO 27001/27002)? By the way, I'm about to test eArcher GRC; I don't know if it supports all ISO 27001 requirements...

     

    Answer: 

    For the implementation of ISO 27001 you need to develop a methodology for risk assessment and treatment, and to do this you can use ISO 27005, which is a code of best practices for developing a risk management methodology. Anyway, we have all the necessary templates for the implementation of ISO 27001 (including everything related to risk management), so you can use them. You can see a free version of all documents if you click on the “Free Demo” tab. Here is our methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/ and here you can find all our templates for the implementation of ISO 27001: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    We do not have information about eArcher GRC, but again, you can try our templates and use them for the implementation of risk management in your business.
  • Searching jobs as internal auditor


    Hi, I have a question: does an internal auditor need to be CA qualified or not? When I try to search for jobs on a job portal with "internal auditor" or "information security internal auditor", the listed jobs also require a CA qualification. So, what is the right keyword to search for a job as an internal auditor? I have read here that we need at least two years of experience to do the ISO 27001 lead auditor course.

     

    Answer:

    If you are searching for jobs as an internal auditor, you should use keywords according to your skills: ISO 27001, ISO 27002, ISO 27005, ethical hacking, IT management, Linux/Windows/Mac environments, programming languages, etc. On the other hand, you can do the ISO 27001 lead auditor course whenever you want; there is no problem with your experience. But if you want to work with a certification body, you need to have completed the ISO 27001 lead auditor course, and depending on the company, you will need some years of experience (minimum 2).

    Finally, I recommend you read this article “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    Also, if you are interested in information about CISA or ISO 27001 lead auditor certification, please read this article “CISA vs. ISO 27001 Lead Auditor”: https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
  • Cloud computing / ISMS compatible with software development process


    No, sorry, this is not our business. We have all the necessary templates for the implementation of ISO 27001 (and other standards like ISO 22301, ISO 20000, etc.), but we do not sell the text of the standards themselves, because they are developed by ISO.org and you can buy them directly from its official site.

    Anyway, if you are thinking of implementing ISO 27001, this article may be interesting for you: "ISO 27001 implementation checklist": https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

     

    Question 1: In a project Terms of Reference we have been asked to prepare a report proving that the newly established or updated software development process (analysis, design, development, testing and maintenance) is ISO 27001:2013 compatible. This is for an MIS system. Is this possible? My understanding is that ISO 27001 refers to an ISMS, not to just any software development. Have I misunderstood?

    Question 2: Also, the report has to be signed by a competent ISO 27001 specialist, but I don't know if such a specialist would be willing to sign a report for something that has not yet been developed.

     

    Answers:

    Answer 1: You are right, ISO 27001 establishes requirements for an Information Security Management System, and it is compatible with the software development process; so much so that you can find in Annex A of the standard security controls like A.14.2.1 Secure development policy, A.14.2.2 System change control procedures, A.14.2.3 Technical review of applications after operating platform changes, etc. Anyway, the report you mention can only be developed if you have implemented ISO 27001 in your organization; if not, the report will be empty.

    Answer 2: Yes, you need an internal auditor qualified in ISO 27001, but in this case, if the software is not developed, it is hard to prove that the security controls are in place, and that is very important if you want to show that you have implemented ISO 27001 in your organization.
  • Mandatory documents and records


    In the list of required documents, one item is "Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)". Which document in your toolkit covers this?

     

    Answer:

    For the risk assessment we have a template with the following information: categories of assets, a catalogue of threats, and a catalogue of vulnerabilities. The template also includes a table where you can enter information about each asset. This is all that you need, related to the risk assessment, for the implementation of ISO 27001. If you want, you can see a free version of this document (click on the “Free Demo” tab) “Risk Assessment Table": https://advisera.com/27001academy/documentation/risk-assessment-table/
    Keep in mind that this item, “Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)”, is a mandatory record, not a mandatory document. We provide templates for documents, but records must be created by each organization. For example, your server will automatically log all outages of the server, so these will be your records of security events.
  • Copy of the ISO 27001 and issues


    1. For the ISO 27001:2013 standard, should our company buy a copy for each member of staff? Or just buy some copies for upper management and internal auditors?

    2. What are "issues" in ISO 27001:2013? Are they similar to preventive action in the 2005 version? From my understanding, in 2005 preventive action meant non-severe issues, but managers/staff still needed to follow up to prevent them from happening again in the future.

     

    Answer:

    Point 1: I think that only two persons in your company (the project manager for ISO 27001 and the internal auditor) need to read the standard, so 2 copies of the standard are enough. The important thing here is that the staff need to be aware of information security, and this can be achieved with training performed by an information security professional. In our free downloads section https://advisera.com/27001academy/free-downloads/ you can find resources that can help you do this, for example “Why ISO 27001 – Awareness presentation”.
     
    Point 2: They are different things. Issues are related to the context of the organization and the definition of the scope, while preventive actions are not explicitly present in ISO 27001:2013, but you can see risk management as a global preventive action. About issues and the context of the organization, you can read this “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/, and regarding changes in risk management you can read this “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
     
    Finally, this article about how to make the transition from ISO 27001:2005 to ISO 27001:2013 may be interesting for you: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Scope in the ISO 27001:2013


    Not necessarily. The new revision of the standard, ISO 27001:2013, has new requirements and your organization has to adapt to them (I suppose that it still has ISO 27001:2005), but this does not imply that you have to change the scope. Anyway, some certification bodies consider it a major non-conformity if your organization still has the old ISO 27001:2005. For more information about the changes between the old and new versions of the standard, please read this article “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    Finally, this article may also be interesting for you: "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Differences between ISO 22301 & ISO 31000

    thank you.

     

    Answer:

    Both standards have different objectives. ISO 31000 is a standard that gives you a guide of best practices for risk management (any type of risk: information security, environmental, financial, etc.). On the other hand, ISO 22301 establishes requirements for the implementation of a Business Continuity Management System, where you need to manage risks to avoid interruptions of business continuity. So, for the implementation of ISO 22301, you can use ISO 31000 (but it is not mandatory). Anyway, there is another ISO standard also related to risks: ISO 27001, whose core is risk management (although only for information security), and in this case there is another guide of best practices focused on information security: ISO 27005 (it has the same structure as ISO 31000).
     
    Finally, this article about ISO 31000 and ISO 27001 may be interesting for you: “ISO 31000 and ISO 27001 – How are they related?”: https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Disaster Recovery Plan ISO 27001


    I don't want to implement full Business Continuity, only be compliant with the ISO 27001 requirements regarding A.17 Information security aspects of business continuity management.

     

    Answer:

    Yes, with our template Disaster Recovery Plan 27001 you can cover all requirements established in Annex A.17. Business continuity is treated in depth in ISO 22301, but for ISO 27001 a Disaster Recovery Plan for the IT infrastructure is enough.
     
    Please let us know if you have more doubts regarding the documentation.
  • Clauses 4.1 and 4.2 in a software development organization


    Your question is very common, and these are points where ISO 27001 has been aligned with other ISO standards, but don’t worry, we can help you understand this point. Regarding the context, please read this article; it will be very helpful for you: “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)”: https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/. For example, for internal issues you must make sure that your information security objectives are aligned with the business strategy. In your business: improving the security of the source code by establishing security controls.
     
    Regarding interested parties, please read this article “How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//. In your case, interested parties can be developers, the Internet Service Provider, etc.
     
    Please let us know if you need more help.
