
  • Cloud computing


    Sorry, but we do not have information about FedRAMP; it is not our business. We work with ISO 27001, which is an international standard that gives you a useful tool to identify risks about information security in your organization and reduce them, so you can use it to identify risks related to a cloud-based business and reduce them, which means that your business will be more secure. We have all the necessary documents to do it, and we can also give you support during the implementation.
     
    Finally you can find more information about cloud computing and ISO 27001 here "Cloud computing and ISO 27001 / BS 25999" : https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Assets mentioned by the owner


    From the point of view of ISO 27001, you need to identify risks related to assets, and the important thing here is to establish a risk owner and an asset owner. To see more information about risk assessment & treatment, click here “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
     
    If you need more information about the differences between risk owner and asset owner, please see this “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
     
    Finally, keep in mind that you need to perform the internal audit to review whether the assets perform as expected. If you need more information about how to make your own internal audit checklist, please read this article “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Leadership and commitment and Planning - General


    We did not create documents for clauses 5.1 (Leadership and commitment), 6.1.1 (Planning - General) and 8.1 (Operational planning and control) because ISO 27001:2013 does not require those clauses to be documented. Our toolkits are made for smaller and mid-sized companies, and the intention was not to create too many documents, which would be overkill for people working in those companies.
     
    If you want to see a list with the mandatory documents (and non-mandatory), please read this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Clauses and controls achieved by completing the disaster recovery plan


    If you refer to ISO 27001, you can find in Annex A of the standard the control domain "A.17 Information security aspects of business continuity management", which is related to disaster recovery. If you need more information about disaster recovery, please read this article “Disaster recovery vs Business continuity": https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
  • Corrective actions


    Question 1:

    Conducting individual internal audits

    The following must be documented as internal audit results:

    • Internal Audit Report – it must be sent to [job title]

    • possible corrective actions must be documented in the Corrective Action Form, as required by the Procedure for Corrective Action

    I think the main responsibility of the auditor is looking for nonconformities, not proposing corrective actions; that is the responsibility of the audited.

    Question 2:

    When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

    • number of corrective actions identified during the audit

    • number of corrective actions identified during the certification audit conducted after the internal audit

    In my opinion, the number of corrective actions is a function of the professional maturity of the audited people, not of process efficiency.

     

    Answer 1:

    Corrective actions can be identified by the organization but also by an external auditor in an internal audit; it is very common (most auditors' reports include corrective actions), and there is no clause in ISO 27001 prohibiting an auditor from identifying and proposing corrective actions.

    Answer 2:

    I agree with you, but the number of corrective actions is related to the document, not to the process of Internal Audit.
  • Qualitative and quantitative risk assessment


    Qualitative is when you determine the risk with nominal values: Low, Medium, High (or you can also use 1, 2, 3). In this case, you will need a table with the different values that the risk can take (based on the impact and the likelihood).

    Quantitative is when you determine the risk with numerical values, which can also be based on economic values. In this case, you need a formula, for example: Risk = Impact x Likelihood. Here impact can be in terms of money, and likelihood in terms of %.

    We have a webinar where we talk about the risk assessment methodology and risk assessment, and we also talk about the differences between qualitative and quantitative risk assessment, but you need to buy our toolkit to see it; if you need more information, please let us know.

    This is the webinar “Risk Management Part 1: Risk assessment methodology and risk assessment” : https://www.iso27001standard.com/webinar/risk-management-part*************************************************************
  • Get the ISO 27001 certification


    We have received these questions:

     

    1. How much does it cost to get the ISO 27001 certification for a C4 or data centre?

    2. How long would it take to certify a C4 or data centre?

    3. Do you have a partner in Mexico who we could work with?

     

    Answer:

    Point 1: It depends on the scope (people, sites, information systems, etc. involved), but normally the budget is between US$ 5.000 and 20.000. Anyway, please read this article “How much does ISO 27001 implementation cost?” : https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
     
    Point 2: We have a free tool to calculate it, please see it here: https://advisera.com/27001academy/es/herramientas/calculador-gratuito-del-tiempo-de-implementacion-para-iso-27001-iso-22301/
     
    Point 3: No, sorry, but we give you all the necessary documents for the implementation (in Spanish), and we also give you support during the implementation.
  • Disaster recovery site


    In Annex A of ISO 27001 you can see a set of controls related to disaster recovery (A.17 Information security aspects of business continuity management), but really you only need to implement them depending on the results of the risk assessment; this means that if there are risks, maybe you need to implement A.17 to reduce them. Anyway, ISO 27001 does not require a disaster recovery site; a disaster recovery site is only one of the ways to comply with A.17.2.1.

    If you want to know more about risk management, please read this article “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Verify if a company is certified with ISO/IEC 27001


     

    Answer:

    There are two ways: 1.- Ask the company to show the certificate; 2.- Each certification body has this information (the ISO 27001 certificate for each company). So, you need to know the certification body that issued the certificate for the company you want, and you can request information about a specific company. Most certification bodies have a web form on their website to search this information, but if not, you can ask them directly.
  • Documentation control


    Documentation control is mostly for the documentation of the ISMS, and a contract can be a document in the ISMS, but anyway you can apply documentation control to any document of your company. But for me, it is very hard to consider an email as a document, because there are different emails in a day, and you do not have version control, changes, etc. The management of particular documents or records does not have to be defined centrally in a Procedure for Document Control - you could have e.g. a Supplier Policy where you define the rules for handling supplier contracts.
     
    Finally, please read this article if you need more information about document management “Document management in ISO 27001 & BS 25999-2” : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  • ISO 27001 Lead Auditor Exam


    Sorry, but we do not have this type of information; we only work with the necessary documentation for the implementation of ISO 27001. If you are interested in receiving more information about this, please let us know.

    Anyway, this free webinar can be interesting for you:  "ISO 27001 Lead Auditor Course preparation training" https://advisera.com/training/iso-27001-lead-auditor-course/