Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Recertification or surveillance audit?
1. We have moved into a new location and
2. We have a new name as well.
We were due for surveillance audit in March'2015. Should we get re-certified or Surveillance Audit is good enough for us?
Answer:
If your main business remained the same, I think you can go with your surveillance audit as planned, and go for the re-certification only once your certificate expires.
However, you should consult with your certification body before the surveillance audit begins. -
Annex SL Implementation for ISO 27001:2013
Annex SL is not required for the implementation of ISO 27001; you can see the steps in the ISO 27001 implementation here: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
However, Annex SL could be useful if you want to implement ISO 27001 together with some other standard like ISO 9001 or ISO 22301 - this article will explain you the details: Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
Also, this webinar may help you: ISO 27001 implementation: How to make it easier us ing ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/ -
ISO 27001 Exam
There are many courses and exams related to ISO 27001, so I'm not sure to which one do you refer to - see all the courses here: How to learn about ISO 27001 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
If you're asking about Lead Auditor Course, this webinar will help you: ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/ -
Cyber Security - ISO 27001
I have downloaded a copy of your book 9 steps to cyber security - Excellent reading.
Answer:
This is correct, cyber security is not explicitly mentioned in ISO 27001 nor ISO 27002. And you are correct, the IT controls you mentioned should be used to protect your information systems from cyber threats. However, as I mentioned in my book 9 Steps to Cybersecurity, IT security is not going to be enough - other organizational controls, as well as human resources management controls (e.g., training & awareness) are also needed.
This art icle may also help you: What is cybersecurity and how can ISO 27001 help? https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/ -
Regarding ISMS certification and accreditation
This article will help you: How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
As the last date for an organization to comply with ISO 27001:2013 version is September 2015, does I need to have ISMS 2013 certification prior to that? Please do let me know in case I need to renew my certification prior to its expiry.
Answer: No, there is no requirement for individuals to renew their personal certificates.
Please provide the link to go through the presentation which you have shared with everyone. I couldn't find the same. Thanks.
Answer: I'm not sure to which presentation you refer to, but here you'll find lots of free materials: https://advisera.com/27001academy/free-downloads/ -
KPI for IT Disaster Recovery
1. RTO
2. RPO
3. Training Workshops
4. DR Drills and improvements
Please advice on how to enhance these KPI's and what more needs to be define...
Answer:
The things you mentioned are not Key Performance Indicators, these are simple necessary elements to implement disaster recovery / business continuity; here are a couple of articles that will help you with those elements:
How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
You'll find quite good guidelines for testing & exercising in NFPA 1600 - see also this article: NFPA 1600 vs. ISO 22301 Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/ -
Information Risk Management
For doing a consultant job, use this article: How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
Risk assessment in a manufacturing company is not different from risk assessment in other types of companies. These articles will help you:
How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
ISO 22301
Here's an article that explains the differences: https://www.corexchange.com/blog/disaster-r*******************************************
Regarding the main components of the business continuity plan, this article will help you: Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/ -
Confidentiality of Government Information
Jeffrey,
Every organization (even the government agency) has confidential information - e.g. passwords, client information, personal data like employee information, etc.
Further, ISO 27001/ISMS is not only about protecting the confidentiality of the information - it is also about protecting integrity and availability of the information. For instance, what would happen if this agency loses its data or if its data got corrupted?
All of these are the reasons to implement ISO 27001, even in a government agency. -
7.2 Competence
Itommy,
Example of necessary competence could be a training plan, while example of evidence of competence could be a certificate issued at the training.
See also this article: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/