Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Clauses and controls achieved by completing the disaster recovery plan
If you refer to the ISO 27001, you can find in the Annex A of the standard, the control domain "A.17 Information security aspects of business continuity management, which is related to the Disaster recovery. If you need more information about the Disaster recovery, please read this article Disaster recovery vs Business continuity": https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/ -
Corrective actions
Question 1:
Conducting individual internal audits
The following must be documented as internal audit results:
Internal Audit Report it must be sent to [job title]
possible corrective actions must be documented in the Corrective Action Form, as required by the Procedure for Corrective Action
I think, main responsibilities of auditor is looking for nonconformities, no propose corrective action, it is responsibilities of audited
Question 2:
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
number of corrective actions identified during the audit
number of corrective actions identified during the certification audit conducted after the internal audit
My opinion, number of corrective actions is function of professional maturity audited peoples,not process efficiency
Answer 1:
Corrective actions can be identified by the organization but also by an external auditor in an internal audit, it is very common (most of reports of the auditors include corrective actions) and there is no clause in the ISO 27001 prohibiting an auditor to identify and propose corrective actions.
Answer 2:
I agree with you, but the number of corrective actions is related to the document, not to the process of Internal Audit. -
Qualitative and quantitative risk assessmentGet the ISO 27001 certification
Qualitative is when you determine the risk with nominal values: Low, Medium, High (or also can use 1, 2, 3). In this case, you will need a table with the different values that can take the risk (based on the Impact and the likelihood).
Quantitative is when you determine the risk with numeral values, which can be also based on economical values. In this case, you need a formula, for example: Risk = Impact x Likelihood. In this case impact can be in terms of money, and likelihood in terms of %
We have a webinar where we talk about the risk assessment methodology and risk assessment, and we talk also about the differences between qualitative and quantitative risk assessment, but you need to buy our toolkit to see it, please if you need more information let us know.
This is the webinar Risk Management Part 1: Risk assessment methodology and risk assessment : https://www.iso27001standard.com/webinar/risk-management-part************************************************************* have received these questions:
1. How much does it to get the ISO 27001 certificatiion for a C4 or data Centre?
2. How long would it take to certify a C4 or Data Centre?
3. Do you have a partner in Mexico who we could work with?
Answer:
Point 1: Depends on the scope (people, sites, information systems, etc. involved), but normally the budget usually be between US$ 5.000 and 20.000. Anyway, please read this article How much does ISO 27001 implementation cost? : https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
Point 2: We have a free tool to calculate it, please see it here: https://advisera.com/27001academy/es/herramientas/calculador-gratuito-del-tiempo-de-implementacion-para-iso-27001-iso-22301/
Point 3: No sorry, but we give you all necessary documents for the implementation (in spanish), and also we give you support during the implementation. -
Disaster recovery site
In the Annex A of the ISO 27001 you can see a set of controls related to the disaster recovery (A.17 Information security aspects of business continuity management), but really you only need to implement them depending on the results of the risk assessment, this means that if there are risks maybe you need to implement the A.17 to reduce them. Anyway, ISO 27001 does not require a disaster recovery site; disaster recovery site is only one of the ways to comply with A.17.2.1.
If you want to know more about the risk management, please read this article ISO 27001 risk assessment & treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ -
Verify if a company is certified with ISO/IEC 27001
Answer:
There is 2 ways: 1.- Ask the company to show the certificate, 2.-Each certification body has this information (ISO 27001 certificate for each company). So, you need to know the certification body that issued the certificate for the company that you want, and you can to request information about a specific company. Most of the certification bodies have a web form in their website to search this information, but if not, you can directly ask to them. -
Documentation control
The documentation control is mostly for the documentation of the ISMS, and a contract can be a document in the ISMS, but anyway you can apply the documentation control to any document of your company. But for me, It is very hard to consider an email as a document, because there are different emails in a day, and you do not have a control version, changes, etc, The management of particular documents or records does not have to be defined centrally in a Procedure for Document Control - you could have e.g. Supplier Policy where you define the rules for handling supplier contracts.
Finally, please read this article if you need more information about the document management Document management in ISO 27001 & BS 25999-2 : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/ -
ISO 27001 Lead Auditor Exam
Sorry but we do not have this type of information, we only work with the necessary documentation for the implementation of the ISO 27001. If you are interested in receive more information about this, please let us know.
Anyway, this free webinar can be interesting for you: "ISO 27001 Lead Auditor Course preparation training" https://advisera.com/training/iso-27001-lead-auditor-course/ -
Vigencia certificado personal Auditor Lider ISO 27001
Generalmente los certificados personales no tienen un tiempo de validez, o yo por lo menos no conozco ningún certificado personal (Auditor Líder ISO 27001) así. En cualquier caso, si la última capacitación en ISO 27001 fue en el 2009, será muy recomendable que realice algún curso de actualización, porque en el 2013 se realizó una revisión completa del estándar: ISO 27001:2013
Por último, este artículo puede parecerte interesante (en inglés) "How to become ISO 27001 Lead Auditor" : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/ -
Capacitacion
Hay algunas recomendaciones que puedes seguir, por favor lee este artículo (en inglés): How to perform training & awareness for ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
También puedes encontrar en nuestra sección "Free Download" una presentación que puedes usar para preparar una sesión de capacitación, por favor échale un vistazo: https://advisera.com/27001academy/free-downloads/ -
ISO 27001 and ISO 27002
There is always a first time. If you refer to the implementation of the ISO 27001, it is composed of a series of stages, and depending of the company, each phase can be more or less easy. If you need a checklist for its implementation, please read this ISO 27001 implementation checklist": https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
If you refer to the implementation of the ISO 27002, also depending of the company will be more/less easy implement the security controls (related to IT, HR, legal, etc.)
On the other hand, ISO 27002 is only a code of best practices, this means that the certification bodies not certify it, so there isn´t specific audit for only the ISO 27002. Although you can see in the Annex A of the ISO 27001 all security controls of the ISO 27002 (which are audited in a ISO 27001 audit), but you can only see a brief description, in the ISO 27002 you ca n see for each control an implementation guide.
If you want to know more about the differences between ISO 27001 and ISO 27002, please read this article ISO 27001 vs. ISO 27002": https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/