Search results

Short way to get certified as ISO 27001 and 27002

First is important to note that only ISO 27001 is a certifiable standard. ISO 27002 is a support standard which provides guidance and recommendations for implementation of controls from ISO 27001 Annex A.

Considering that, in a general way, after getting support for the certification (through approval of an ISO 27001 certification project plan) and approval of the Procedure for Document and Record Control, you should consider these for implementation:

1. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2. development of risk assessment and treatment methodology;
3. perform a risk assessment and define the risk treatment plan;
4. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5. people training and awareness;
6. controls operation;
7. performance monitoring and measurement;
8. perform internal audit;
9. perform management critical review; and
10. address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

To see how documents compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

As for the shortest way to get ISO 27001 certified, it would involve hiring a consultant, because this approach will rapidly provide the knowledge, expertise, and methods to implement the standard, although it is the most expensive approach.

Other approaches that can be adopted are implementing the standard using your own employees (the cheapest and longest way), and implementing the standard with a DIY approach and using external know-how (a mid-term approach).

These articles will provide you a further explanation about implementation approaches:

• 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
• 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
• Do you really need a consultant for ISO 27001 / BS 25999 implementation? https://advisera.com/27001academy/blog/2011/12/06/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

ISO 14001 New Objectives within a small business

In environmental management systems I’m always going back to the list of significant environmental aspects and impacts to renew the list of environmental objectives. Also, I try to connect environmental objectives with business objectives. For example, if an organization competes based on price what significant environmental objectives can best contribute to reduce costs?

Please check this information below with more detailed answers:

• How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/
• Examples of ISO 14001 objectives based on the different company sizes - https://advisera.com/14001academy/blog/2019/10/22/iso-14001-objectives-examples-for-different-company-sizes/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

ISMS scope of a digital bank

You can define the scope in terms of only the part of the organization (i.e. the Database), but in general, for small and mid-sized business, the best approach is to include the entire organization in the ISMS scope, because the effort to separate the scope for such organizations may not be worthy.

These articles will provide you a further explanation about the scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Patch Management Policy and Vulnerability Management Policy

Patch management and vulnerability management would be best covered in A.12.1 - Security Procedures for IT Department, located on folder 08 Annex A Security Controls >> A.12 Operations Security since it involves change management.

This article will provide you a further explanation:

• How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

ISMS scope of a digital bank

Você pode definir o escopo em termos de apenas uma parte da organização (ou seja, o Banco de Dados), mas em geral, para pequenas e médias empresas, a melhor abordagem é incluir toda a organização no escopo do SGSI, porque o esforço para separar o escopo para tais organizações pode não valer a pena.

Estes artigos fornecerão uma explicação adicional sobre a definição do escopo:

• Como definir o escopo do SGSI https://advisera.com/27001academy/pt-br/knowledgebase/como-definir-o-escopo-do-sgsi/
• Problemas com a definição do escopo da norma ISO 27001 https://advisera.com/27001academy/pt-br/blog/2010/12/21/problemas-com-a-definicao-do-escopo-da-norma-iso-27001/

Esses materiais também irão ajudá-lo com relação à definição do escopo:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

BCP implementation

Once you have identified the disruptive scenarios you have to handle, broadly speaking, the development of a continuity plan based on ISO 22301: 2012 requires the development of:

• incident response plans, with emergency actions to be performed right after the disruption being identified;
• continuity actions to bring activities back to the minimum agreed levels;
• recovery actions to bring activities back to normal operations.

These materials will provide you a further explanation about developing a continuity plan:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

To see how a Business Continuity Plan compliant with ISO 22301 looks like, I suggest you see the free demo of our Business Continuity Plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

Appointment letters

Thank you, Rhand! 

ISO 27001 - Cloud Services

The ISMS scope states the information you want your ISMS to protect, so what you want to protect (in your example data and application software) needs to be stated in the ISMS. The detail that it is located in a cloud solution can be kept to be stated during the Risk Assessment.

This article will provide you a further explanation about the scope definition in the cloud:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

About implementing ISO 27001

1 - My situation is that I am an intern at a small company whose servers are in the cloud (***), and they have a website of their own. So my question is implementing ISO27001 would be meaningless for such architecture, if not how should i define the context of the organization in such a case.

SO 27001 aims the protection of information regardless of where it is, so it is also applicable when the information to be protected is hosted in a cloud solution.

The definition of the ISMS scope when information is on a cloud solution will depend on the control you have over the cloud

• for IaaS, the scope excludes physical infrastructure and virtual machines
• for PaaS, the scope excludes virtual servers, and, to some degree, applications
• for SaaS, the scope excludes datacenter facilities’ physical location, hardware, and software

This article will provide you a further explanation about defining a scope considering cloud models:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

2 - Also what sources would help a beginner like me to achieve this implementation of the standard. By the way, I started the course online in advisera titled "ISO 27001:2013 Lead Implementer Course" is it a good start?

To help beginners to implement ISO 27001 Advisera provides several articles and downloadable materials the can provide guidance.

Additionally, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

This toolkit has the mandatory and most commonly used documents for an ISO 27001 implementation, and they include comments that can help to customize the documents to your organization's needs.

Regarding the Lead Implementer course, it is a good way to start an understanding of how to implement ISO 27001.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/