Please note that ISO 27001 does not require the internal audit procedure to be documented, but it requires the internal auditor program and audit results to be documented, so your hired internal auditor needs to provide at least the internal auditor program and the Audit report.
This article will provide you a further explanation about mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
For questions 1 to 4, and 6 to 7, please note that there are no clauses in the Standard, nor controls from Annex A, requiring these procedures and policies to be documented, but the related annexes are mandatory because at least one of the related clauses or controls requires the information they contain to be recorded, providing evidence that these clauses and controls are implemented. Related policies and procedures are included in the toolkit because they are commonly implemented as good practice.
Regarding question 5, you are correct, and we apologize for this mistake. The reference must indeed be A.16.1.2, not A.6.1.2.
For further information about mandatory documents, please read:
Controls that are not implemented but are reported as applicable in the Statement of Applicability can indeed lead to a nonconformity, but its degree will depend on other factors, such as whether they are related to relevant risks, or whether they cause a mandatory clause of the standard not to be fulfilled.
In situations where a control will still not be implemented at the time of the certification audit, the best alternative is to accept the risks related to this control, state in the Statement of Applicability that the control is in the process of being implemented, and present to the auditor the evidence of the progress of the implementation.
This way, the implementation situation cannot be characterized as a nonconformity.
These articles can provide more information:
This material can also provide more information:
Unimplemented controls reported as applicable in the Applicability Statement may in fact lead to non-compliance, but their degree will depend on other factors, such as whether they are related to relevant risks, or cause a mandatory clause of the standard to be breached.
In situations when a control is not yet implemented by the time of the certification audit, the best alternative to avoid a nonconformity is to accept the risks related to this control, inform in the Statement of Applicability (SoA) that the control is in an implementation situation, and present to the auditor the evidence of progress in implementation.
This way, the implementation situation cannot be characterized as a non-conformity.
These articles can provide more information:
This material can also provide more information:
The picture represents that information security can only be properly managed when people, processes, and technologies are considered together.
Improper technologies, untrained people, or undefined processes: if only one of those things happens, your effort to prevent incidents can be wasted.
Although VDA ISA requirements, part of TISAX standard, have many similarities with ISO 27001 main clauses and its Annex A controls (the excel table in the link you provided, in its tab “Information Security”, column q – “Reference to other standards”, provides a mapping between the two documents), we are not experts on VDA ISA to provide a proper answer regarding VDA ISA maturity level, because this information also depends on the fulfillment of requirements for prototype protection requirements, which are not related to ISO 27001.
This article will provide you a further explanation about TISAX and VDA ISA:
In a general way, you covered all necessary steps, but the order for an optimized implementation effort would be a bit different.
After getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
1) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2) development of risk assessment and treatment methodology;
3) perform a risk assessment and define the risk treatment plan;
4) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions, and opportunities for improvement.
This article will provide you a further explanation about ISMS implementation:
These materials will also help you regarding ISO 27001 implementation:
To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Please note that ISO 27002 is not mandatory to implement ISO 27001, so you only need to use information from ISO 27002 when you find it useful for the controls you need to implement.
These articles will provide you a further explanation about ISO 27001 controls and ISO 27002:
These materials will also help you regarding ISO 27001 controls:
Please note that ISO 27001 does not prescribe how to determine risk level, only that it needs to be determined, so your risk assessment matrix can be used to fulfill the standard’s requirements.
Only a minor suggestion to be considered (you can keep the current matrix if you like): instead of using “improbable-possible-probable”, adopt “improbable-probable-most probable”, because this way you use the same base word (probable) for the likelihood scale, making it simpler to understand, and at the same time avoiding the use of words “probable” and “possible” in the same scale, since these words can be mistaken as synonyms in some circumstances, creating confusion.
This article will provide you a further explanation about risk analysis:
This material will also help you regarding risk assessment:
1. Please confirm that the following versions of the Mandatory Documents are the latest/current versions: ISO 27001 – ver 3.9, 2020-02-10
Yes, the version you stated is the latest/current version.
2. Within the ISO 27001 Documentation Toolkit List (see attachment 27001A):
No. 57, Doc Code 10, Internal Audit Procedure: this does not have a green check mark as a Mandatory Document; however, No. 58 and 59, Appendix 1 and 2, have a green check mark for a mandatory document. Should the Procedure for Internal Audit be checked as a mandatory document? See attachment 27001A Screenshot 1.
No. 21 – 25, although these are not checked as a Mandatory Document, do we still need to create policies for them and all other documents/appendixes that are not checked as well? See screenshot 2. This question would apply to ISO 20000 Document Toolkit as well?
Regarding Docs 57 to 59, please note that ISO 27001 does not require an Internal Audit procedure to be documented, only the documentation of the audit program(s) and the audit results.
Regarding Docs 21 to 25, the controls related to them only require practices to be implemented, not the development of documentation. For controls related to these documents, a brief description in the Statement of Applicability about how they are implemented would be enough. The provided templates are used because most organizations consider them good practice, even if they are not mandatory by the standard.
Regarding Doc 26, control A.12.1.1 (Documented operating procedures), covered by this template, requires operating procedures to be implemented, so if this control is applicable in your case you need to document the procedures.