Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Should all applicable controls from Annex A to be fully implemented by the time
Answer: Ideal situation would be to implement all the controls marked as applicable in the Statement of Applicability prior to certification audit.
You could leave less significant controls to be implemented after the certification, under the following conditions: (1) to plan their implementation in the Risk treatment plan, and (2) to accept all the residual risks that were not decreased. There is no magic number on the proportion of how many controls must be implemented, and it is in the certification auditor's discretion to raise a non-conformity in su ch cases. Therefore, to be safe you should implement majority of controls prior to certification audit and make sure you implement all the most important ones. -
ISO 27001:2013
The process you have set in place seems pretty systematic, but the auditor will look at the results, not the process itself. So for example, the auditor will check if risk owners are nominated for each risk (this is something that is new in 2013 revision), he won't care how you made this transition.
These articles will also help you:
How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/ -
2005 revision deadline
To be honest, I'm not sure how the certification body will react in this case, but basically I agree with your consultant - certification bodies should not issue certificates according to 2005 revision after September 2014. The best course of action here would be to contact your certification body and ask them about their approach.
Since you will eventually need to transition to 2013 revision, here are the steps you'll need to take: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/ -
Minimum of three months for records for certification audit
It is true that ISO 27001 does not require the minimum period of records (i.e. minimum period of the ISMS operation before the certification), however some certification bodies do have such requirements and some don't. Therefore, you should speak to the certification body you have chosen and see what criteria do they have.
This article may also help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ -
Question about CIA and asset inventory
You have to assess the impact of risks to confidentiality, integrity and availability of your information - this is part of the risk assessment process. As part of this process you can identify also the assets, but this is not mandatory.
You can find more detailed explanation in this webinar: The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
This article will also help you: What has changed in risk assessment in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/ -
Control A.12.1.1
Answer: In section A.12.1 of ISO 27001 you'll find the following objective: "To ensure correct and secure operations of information processing facilities."; further, when you read each control in A.12 you'll see they are very IT oriented. -
Question about ISO 27002
You don't have to use ISO 27002. ISO 27002 are only the guidelines that are not mandatory; you only have to comply with what is written in ISO 27001. You'll find a more detailed explanation here: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/ -
Which assets to assess during the risk assessment
If all of these 500 applications are within the ISMS scope, they have to assess all of them. However, if you have similar applications then you do not have to perform risk assessment for each of them separately - you can treat all similar applications as a single asset during the risk assessment process.
See also these articles:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
- How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/ -
How to learn about infosec?
ISO 27001 would be a good choice if you want to focus on management part of information security - this is what you could do for a start:
1) Attend a course - this article will help you: How to learn about ISO 27001 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
2) See our ISO 27001 free webinars: https://advisera.com/27001academy/webinars/
3) See these free ISO 27001 Free Downloads: https://advisera.com/27001academy/free-downloads/
Alternatively, you can go for certifications like CISSP and CISM - they are not related to ISO 27001.
2. I am due to go on a foundation course and then the Lead Implementer course and then next year do my Lead Auditors course do you think this is the right way to go?
Perhaps foundation course would not be needed if you already have some experience in IT - in such case you can go straight to Lead Implementer course. Read also this article: Lead Auditor Course vs. Lead Implementer Course Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/ -
ISO27001:2013 A.14.1.3 - Protecting application service transactions
It also can apply to financial transactions (between banks, or between an entity with a bank), transactions of database (for example, 2 database that are synchronizing information through Internet), and generally any transaction that involves the interchange of information through a network between 2 applications (think also in a ERP that is connected with an external site where send or receives information).