
  • Internal audit vs Gap analysis


    I suppose that you refer to the Internal Audit when you say “Fault finding”, because one of the objectives of the Internal Audit is to find faults. If so, the difference between both is that the Gap analysis is performed at the beginning of the implementation project, to compare the status of the organization with the requirements of the standard, and it is not mandatory. On the other hand, the Internal Audit must be performed each year before the certification audit, and it is mandatory (it is established as a requirement in clause 9.2 of ISO 27001:2013).
     
    Remember that we have a very interesting article about how to make an internal audit checklist; if you want to see it, please check out this “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Keep documents


     

    Answer:

    The ISO standards (ISO 27001, ISO 22301, ISO 20000, ISO 9001) do not establish a specific time to keep documents, but some countries have legal regulations to keep certain documents (agreements, SLAs, etc.) for a minimum time; after that it is not mandatory to continue keeping them. So, usually you can keep your documents indefinitely, but I recommend you to search for information about legal regulation in your country.

    Related to the version control, do you mean the version control of a Management System? For example ISO 27001? If so, it can be applied to all documents in your business (company wide), there is no problem, although in a Management System it usually applies only to the documents related to the system.
  • UKAS and ANAB accreditation

    UKAS is a full member of European and International Mutual Recognition Agreements (such as the European cooperation for Accreditation, International Accreditation Forum and International Laboratory Accreditation Cooperation). This means that all UKAS accredited certificates and reports (with the exception of those related to EU Regulations/Directives and Schemes) shall continue to be recognised within Europe and around the world.

    An ISO certificate issued by a UKAS accredited certifying body will be recognised in the EU.

    Both ANAB and UKAS are members of the International Accreditation Forum, so a certification body accredited by either UKAS or ANAB should be recognised almost anywhere in the world.

  • Physical security policy and malware policy


    There is a set of controls related to physical security in Annex A of ISO 27001:2013: "A.11 Physical and environmental security", but you do not need a policy for this, nor is it mandatory to have a document to implement those controls. Anyway, if you are interested in physical security, please read this article “Physical security in ISO 27001: How to protect the secure areas”: https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

    Related to malware, you can find in Annex A of ISO 27001:2013 the control "A.12.2.1 Controls against malware", but again it is not mandatory to have a document to implement this control. Anyway, you can establish a formal policy to prohibit the use of unauthorized software.

    Finally, I recommend you to read this article "How to structure the documents for ISO 27001 Annex A controls": https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Questionnaire for ISO 27001


    We do not have a specific document to produce a questionnaire for ISO 27001, but we have a methodology to identify threats/vulnerabilities and calculate risks (related to information security). With this methodology, you can identify risks and establish priorities to treat them. If you want more information about our methodology, please read this article “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
     
    Also you can find here a catalog of threats/vulnerabilities: https://www.infosecpedia.in**************************
  • Recommendation about Business Continuity Management


    If you want to implement a BCM (Business Continuity Management) in your organization, ISO 22301 is better, because it is more focused on Business Continuity. ISO 27001 is focused on information security, and has security controls for Business Continuity, but ISO 22301 is more extensive and precise with Business Continuity. Anyway, you can combine both, and in this case you can have a management system for business continuity and information security in your organization, which can add value.

    Finally, here you can see a webinar about ISO 27001 and ISO 22301, "Free webinar - ISO 27001 & ISO 22301: Why is it better to implement them together?": https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Controls in SoA

    Sure, you can do it as a best practice, there is no problem, but remember to include this information as justification in the SoA.
  • Cloud computing


    Sorry, but we do not have information about FedRAMP; it is not our business. We work with ISO 27001, which is an international standard that gives you a useful tool to identify risks about information security in your organization and reduce them, so you can use it to identify risks related to a cloud based business and reduce them, which means that your business will be more secure. We have all the necessary documents to do it, and we can also give you support during the implementation.
     
    Finally, you can find more information about cloud computing and ISO 27001 here, "Cloud computing and ISO 27001 / BS 25999": https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Assets mentioned by the owner


    From the point of view of ISO 27001, you need to identify risks related to assets, and the important thing here is to establish a risk owner and an asset owner. To see more information about risk assessment & treatment, please click here “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
     
    If you need more information about the differences between risk owner and asset owner, please see this “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
     
    Finally, keep in mind that you need to perform the internal audit to review whether the assets perform as expected. If you need more information about how to make your own internal audit checklist, please read this article “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Leadership and commitment and Planning - General


    We did not create documents for clauses 5.1 (Leadership and commitment), 6.1.1 (Planning - General) and 8.1 (Operational planning and control) because ISO 27001:2013 does not require those clauses to be documented. Our toolkits are made for smaller and mid-sized companies, and the intention was not to create too many documents, which would be an overkill for people working in those companies.
     
    If you want to see a list with the mandatory documents (and non-mandatory), please read this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/