Search results

ISO 27001 questions about implementation of the standard

1 - Is it a fundamental prerequisite for certification in the standard?

Process mapping is not a prerequisite for ISO 27001 certification, although it is useful to facilitate understanding of the context and the identification of risks. 

2 - How deep should the mapping and documentation for the scope be?

Since this is not a mandatory requirement, just a good practice for understanding the context and establishing the scope, the process mapping does not need to be done, or documented in the scope document.

If the organization decides to carry out the mapping, its level of detail will depend on what the organization considers sufficient to decide that the scope is properly defined.

3 - Overall, I still have a lot of questions about the topic "Organization context" and everything it should cover ...

First is important to note that the context of the organization do not need to be documented.

Considering that, the context of the organization is any internal or external factor that can affect the ISMS, and concrete examples of elements of organizational context are:

• for external issues: geographical location, public infrastructure available, political, economic, social, and technological trends, etc. 
• for internal issues: organizational culture, processes, and procedures, equipment, financial resources, etc.

Based on these you can identify elements that can help you understand how information security must be considered.

This article will provide you a further explanation about the Context of the organization for 27001:

• Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

These materials will also help you regarding the Context of the organization for 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 2700 1 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 dúvidas sobre implementação da norma

1 - É um pré-requisito fundamental para a certificação na norma?

O mapeamento de processos não é um pré-requisito para a certificação ISO 27001, embora ele seja útil para facilitar o entendimento do contexto e a identificação de riscos.

2 - Quão profundo deve ser o mapeamento e documentação para o escopo?

Uma vez que não se trata de um requisito mandatório, apenas uma boa prática para entendimento do contexto e estabelecimento do escopo, o mapeamento de processo não precisa ser feito, ou documentado no documento do escope.

Caso a organização decida realizar o mapeamento, seu nível de detalhamento vai depender do que a organização considera suficiente para que decidir que o escopo está adequadamente definido.

3 - No geral, ainda tenho muitas dúvidas sobre o tópico "Contexto da organização" e tudo o que ele deve abranger...

Em primeiro lugar, é importante observar que o contexto da organização não precisa ser documentado.

Considerando isso, o contexto da organização é qualquer fator interno ou externo que pode afetar o SGSI. Exemplos concretos de elementos do contexto organizacional são:

• para questões externas: localização geográfica, infraestrutura pública disponível, tendências políticas, econômicas, sociais e tecnológicas, etc.
• para questões internas: cultura organizacional, processos e procedimentos, equipamentos, recursos financeiros, etc.

Com base neles, você pode identificar elementos que podem ajudá-lo a entender como a segurança da informação deve ser considerada.

Este artigo fornecerá uma explicação adicional sobre o contexto da organização para 27001:

• Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

Esses materiais também irão ajudá-lo com relação ao contexto da organização para 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 2700 1 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

GDPR vs 27001

First is important to note that using ISO 27001 is not mandatory for fulfilling GDPR requirements. To perform risk assessment, you can use any approach your organization sees fit for its purpose.

Additionally, ISO 27001 does not prescribe any method to perform risk assessment, only defines requirements to be fulfilled by the adopted risk assessment process.

Considering that, the purpose of GDPR is the protection of personal information from being accessed, modified, or destroyed in an uncontrolled manner, so an example of risk assessment considering the elements you mentioned are: 
- an unattended computer storing biometric data can be stolen or invaded
- an untrained employee can inadvertently delete biometric data 
- a biometric reader can fail during a data-gathering section  

This material will also help you regarding risk management:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Document content

First of all, sorry for this inconvenience. Every time you find such discrepancies between the tutorials and documentation, please consider the information in the templates as the correct one, because they are the most updated version.

GDPR vs 27001

First is important to note that using ISO 27001 is not mandatory for fulfilling GDPR requirements. To perform risk assessment, you can use any approach your organization sees fit for its purpose.

Additionally, ISO 27001 does not prescribe any method to perform risk assessment, only defines requirements to be fulfilled by the adopted risk assessment process.

Considering that, the purpose of GDPR is the protection of personal information from being accessed, modified, or destroyed in an uncontrolled manner, so an example of risk assessment considering the elements you mentioned are:

• an unattended computer storing biometric data can be stolen or invaded
• an untrained employee can inadvertently delete biometric data 
• a biometric reader can fail during a data-gathering section  

This material will also help you regarding risk management:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Becoming accredited ISO 27001 auditor or implementer

Please note that organizations that issue certifications are certification bodies. An accreditation body is another type of organization, the organization which authorizes organizations to act as certification bodies.

Considering that, to certify an organization your company has to be accredited by an accreditation body (e.g., UKAS for the UK, or ANAB for the USA), and for this purpose, your organization has to be certified by an accreditation body against ISO/IEC 17065. You can have an overview of this standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17065:ed-1:v1:en

This article will provide you a further explanation about accreditation and certification:

• Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/

ISO 27001 Process

Please note that included in your toolkit you have access to video tutorials that can guide you through the risk assessment and treatment processes, including the filling of the SoA. These video tutorials include examples with real data.

Since you did not say you already saw the video tutorials, I suggest you start with these and contact us if some doubts remain.

In addition to these video tutorials, I suggest you these materials (the articles are in the suggested reading sequence):

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
• 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

ISO 27001 implementation

First is important to note that although process mapping can help the implementation process, it is not a mandatory requirement for ISO 27001.

Considering that, the general steps for ISO 27001 implementation are:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform a risk assessment and define a risk tent plan (at this point you can make use of processes frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard);
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8 performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

• ISO 27 001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Regarding implementation approaches, the most common are:

• Use your own staff to implement the ISMS
• Use a consultant to perform most of the effort to implement the ISMS
• Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages. For more information, I suggest you the following materials:

• 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
• Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

How safe is a certified company with ISO 27001 and ISO 27701?

Unfortunately, we are unaware of such type of statistics (most probably because attacked organizations often keep details about incidents of the media).

What we can infer is that ISO 27001 and ISO 27701 certified organizations are recognized as more secure and resilient to attacks, because insurance companies consider their implementation as good practices and in some cases, it is a criterion to reduce the premium to be paid by companies with one or both certifications.

These links can provide more information:

• Cyber Insurance: Recent Advances, Good Practices, and Challenges https://www.enisa.europa.eu/publications/cyber-insurance-recent-advances-good-practices-and-challenges
• Cyber Security Breaches Survey 2020 https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

For more about ISO 27001 benefits, please see:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/