Sorry, but we are not sure if you are interested in internal audits or certification audits. The Auditor training course is highly recommendable for both, but it is also necessary to have experience with the standard (at a minimum as a junior consultant). In the case of internal audits, the pay rate depends on your experience and also on the company that you want to audit and its location (there are countries where the pay rate is lower for any job). In the case of certification audits, the pay rate depends on the certification body, and here also your experience will be very important. So, the more experience you have, the easier it will be for you to find jobs as an auditor, and the higher your pay rate will be.
There are no templates for clauses 4.1 and 4.4 because it is not mandatory. Keep in mind that something is only mandatory if the standard establishes it. Example: you can see at the end of clause 4.3: "The scope shall be available as documented information." And as you know, we have a template for this in the folder "03 ISMS Scope Document".
ISO 27001 does not prescribe the structure of the Risk Treatment Plan, but if you follow the logic of clause 6.2, then you should include the following information: what to implement, by whom, when, using which resources, etc. You can see a preview of the Risk treatment plan here (look for the "Free Demo" tab): https://advisera.com/27001academy/documentation/risk-treatment-plan/
In my opinion, the best would be to organize the Risk Treatment Plan according to controls. First of all, the RTP is based on the Statement of Applicability (which is also based on controls), and second, the implementation will be much easier if the planning is done control by control.
No, it is not correct, and it is not a control in the ISO: "The system shall have a logoff button." One way to perform the risk assessment (although you can develop your own methodology): a.- Identify assets (software can be a type of asset, and an app can be an asset), b.- Identify threats related to the assets (you can do it with a catalogue), c.- Calculate risks (based on impact and likelihood). If the risk is below a level defined by the organization, it is acceptable, and there is no problem (the current controls for the asset are sufficient). If the risk is above that level, then the organization must apply controls to reduce it to an acceptable level. What controls? Those defined in Annex A of ISO 27001.
I recommend that you read these articles:
How to write ISO 27001 risk assessment methodology : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Finally, here is a free webinar that I think can be very interesting for you: The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Finally, keep in mind that ISO 22301 is focused on Business Continuity Management, and it is more detailed regarding the Business Continuity Plan, so we can use it as a reference for the development of the Business Continuity Plan required by A.17 of ISO 27001.
Disaster
b.- What constitutes a disaster? Or how can you define a disaster in such a way that both the customer and the possible vendor know when to activate the DR plan?
a.- Do we have to list only assets that contain information?
b.- I understand the ISMS is about information security, but in our asset list we have listed equipment such as UPS, generator, cooling system, etc. Is that OK?
c.- And since we have listed these items in our asset register, they are also included in our risk register.
d.- Our risk methodology is asset based (from the 2005 version). Now in 2013, we know that there is flexibility, but we are still keeping it asset based. However, can we include other risks that are not derived from asset threats/vulnerabilities?
Answer:
a.- No, if you have chosen to follow the asset-based risk assessment then you have to list both the assets that contain the information (e.g. CDs, computers, etc.) and the assets that do not contain the information but can influence the security of information (e.g. air conditioning in the server room).
b.- Yes, you can identify these assets, because they are related to the maintenance of the information systems (UPS, generator, etc.), which are related to information security.
c.- OK, right; whichever list is created first will serve for developing the other list.
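The asset-based method described above (identify assets, match threats from a catalogue, score impact and likelihood, compare against the organization's acceptance level) and the point that supporting assets such as the UPS and the server-room air conditioning belong in the same register, shown as an added Python example. This is not code from the original answers or from Advisera; the asset inventory, threat catalogue, 1-to-5 scores and the acceptance level of 6 are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed acceptance level: risk = impact * likelihood, each scored 1..5,
# so the scale runs 1..25. Anything strictly above this needs treatment.
ACCEPTABLE_RISK = 6


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str   # "information", "software", "hardware" or "supporting"
    owner: str


@dataclass(frozen=True)
class Threat:
    name: str
    applies_to: frozenset  # asset kinds this catalogue threat is relevant to


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    impact: int
    likelihood: int

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


# Constructed asset inventory: note that the UPS and the air conditioning hold
# no information themselves but can influence the security of the information.
ASSETS = [
    Asset("Customer database", "information", "Sales"),
    Asset("Mobile banking app", "software", "IT"),
    Asset("Server room UPS", "supporting", "Facilities"),
    Asset("Server room air conditioning", "supporting", "Facilities"),
]

# Constructed threat catalogue, matched to assets by asset kind (step b).
THREAT_CATALOGUE = [
    Threat("Unauthorised access", frozenset({"information", "software"})),
    Threat("Software vulnerability exploited", frozenset({"software"})),
    Threat("Power failure", frozenset({"supporting"})),
    Threat("Overheating / equipment failure", frozenset({"supporting"})),
]

# Constructed (impact, likelihood) scores per (asset, threat) pair; in a real
# assessment these come from the asset owners, not from the assessor alone.
SCORES = {
    ("Customer database", "Unauthorised access"): (5, 3),
    ("Mobile banking app", "Unauthorised access"): (4, 2),
    ("Mobile banking app", "Software vulnerability exploited"): (5, 3),
    ("Server room UPS", "Power failure"): (3, 1),
    ("Server room UPS", "Overheating / equipment failure"): (2, 1),
    ("Server room air conditioning", "Power failure"): (3, 2),
    ("Server room air conditioning", "Overheating / equipment failure"): (4, 2),
}


def match_threats(assets, catalogue):
    """Step b: pair every asset with each catalogue threat relevant to its kind."""
    return [(a, t) for a, t in product(assets, catalogue) if a.kind in t.applies_to]


def build_risk_register(assets, catalogue, scores):
    """Step c: score every matched pair; refuse to produce a register with gaps."""
    register = []
    for asset, threat in match_threats(assets, catalogue):
        key = (asset.name, threat.name)
        if key not in scores:
            # An unscored pair means the assessment is incomplete, which an
            # auditor would flag; fail loudly instead of silently dropping it.
            raise ValueError(f"unscored asset/threat pair: {key}")
        impact, likelihood = scores[key]
        register.append(RiskEntry(asset.name, threat.name, impact, likelihood))
    return sorted(register, key=lambda e: e.risk, reverse=True)


def risks_to_treat(register, acceptable=ACCEPTABLE_RISK):
    """Entries above the acceptance level; these feed the Risk Treatment Plan."""
    return [e for e in register if e.risk > acceptable]


if __name__ == "__main__":
    reg = build_risk_register(ASSETS, THREAT_CATALOGUE, SCORES)
    for e in reg:
        flag = "TREAT" if e.risk > ACCEPTABLE_RISK else "accept"
        print(f"{e.risk:>2}  {flag:6}  {e.asset} / {e.threat}")
```

Because the register is generated from the asset list and the threat catalogue, adding a supporting asset such as the air conditioning automatically adds its power and overheating risks, which is the "one list serves the other" point in the answer above. The strict check for unscored pairs is deliberate: a missing score is an incomplete assessment, not an acceptable risk.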
Any company (small, medium or big) can implement and certify ISO 27001, and our templates are developed for small and medium companies, so if you are interested, you can see our Toolkit (you can see a free version of each document if you click on the Free Demo tab): https://advisera.com/27001academy/iso-27001-documentation-toolkit/
If you are new to the world of information security and ISO 27001, and you want to learn more about it, it can be very interesting for you to see our webinars (you can filter by ISO 27001): https://advisera.com/27001academy/webinars/
Finally, please let me know if you have any questions.
Clause 7.2
You must prove that the people involved in the implementation of the ISMS have the competence to perform these tasks, and you need to have evidence that you gave training to all company employees (mainly those who are involved in the scope of the ISMS) to make them aware.
So, is ISO 27001 applicable to me? Or just to a company that provides services?
Answer:
In this scenario, you can implement and certify ISO 27001 in your organization, and your customer can also implement and certify ISO 27001 in their business. The only difference will be the scope of the ISMS. In your case it could be your development services, the information systems that support your services, etc. In the case of your customer, the scope could be the services that they offer, the information systems that support their services, etc. So, you could have an ISO 27001 certificate, and your customer could also have an ISO 27001 certificate, but with a different scope.