Search results


  • Change Management Document

    For more detailed documentation for change management, I suggest you take a look at the templates in this toolkit that are compliant with ISO 20000 (the ISO standard for the management of IT services): https://advisera.com/20000academy/itsm-change-management-toolkit/

    • Change Management Process
    • Request for Change and Change Record
    • Minutes of Meeting CAB
    • Change Schedule

    They can be used in an ISMS, but they are not mandatory for ISO 27001 compliance.

  • Statement of Applicability

    You need to go through all controls listed in Annex A and explain why we have (or haven't) decided to implement them.

    Please note that according to ISO 27001, the following information must be included in the SOA:

    • All applied controls
    • Justification for inclusions
    • Implementation status
    • Justification for exclusions of controls from Annex A

    You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).

    For further information, see:

  • Independent Contractor Contact

    1: How do I, as an individual, convince companies to take up my services as an ISMS expert individual contractor?

    Basically, you need to demonstrate to them how you can add value to their business:

    • How your experience and skills can help them improve information security
    • How well you are recognized in the market from previously delivered services (i.e., reference customers) and support to the community (through presentations, publications, training, etc.)
    • How well you know customers’ industries

    For more information, see:

    2: If I'm an ISMS expert working on my own, how do I convince companies to take me on as an independent contractor?

    The same answer from the previous answer applies to this question also.

  • Risk Treatment - Selection Of Controls

    In case you want to implement additional controls to treat risk, then you need to duplicate the risk line so you can assign a new control. You need to do that for each additional control you want to use to treat the same risk.

    By the way, included in your toolkit you have access to a video tutorial that can guide you on how to perform the Risk Treatment.

    For further information, see:

  • Scope of work

    You can define the scope in terms of only part of the organization (i.e., IT department), but in general, for small and mid-sized businesses, the best approach is to include the entire organization in the ISMS scope, because the effort to separate the scope for such organizations may not be worthwhile.

    These articles will provide you with further explanation about the scope definition:

    These materials will also help you regarding the scope definition:

    Regarding implementation time, it may take a couple of months for smaller companies and up to more than a year for larger organizations. You can use these values as an initial reference:

    • Companies of up to 20 employees – up to 3 months
    • 20 to 50 employees – 3 to 5 months
    • 50 to 200 employees – 5 to 8 months
    • More than 200 employees – 8 to 20 months

    For further information, see:

  • Updating to ISO 27001:2022

    It is possible to make the transition from an initial ISO 27001:2013 implementation project to the 2022 version of the standard to be certified against ISO 27001:2022.

    For that you will need to:

    • Review your mandatory documentation according to the mandatory clauses of the standard (this will require less effort because changes in the main section of the standard were minimal)
    • Review your Risk Treatment results to adjust control IDs to the new ID settings, and evaluate if new controls from the 2022 version are applicable to your organization
    • Review your documents related to the treatment of risks

    For further information, see:

    This material can help you:

    • ISO 27001 2022 Transition Toolkit https://advisera.com/27001academy/iso-27001-transition-toolkit

  • Questions about vulnerability analysis

      1. Can the analysis of technical vulnerabilities of information assets be done by the organization itself, or should it contract with an external provider specialized in security?

      ISO 27001 does not prescribe who should perform the assessment of technical vulnerabilities, so organizations are free to choose the approach that best fits their needs.

      2. The company has bought an appliance for the analysis of technical vulnerabilities of digital assets, and the device will be managed by the systems area staff. Could this generate a non-compliance in the event of a third-party audit?

      Provided that the staff managing the technical vulnerability appliance do not own the digital assets being assessed, there will be no problem regarding compliance with ISO 27001.

      For example, systems’ owners cannot run the technical vulnerability appliance over the systems they manage.

      This is so to provide assurance of independent evaluation.

      3. What are the recommendations for the management of vulnerability analysis and intrusion tests on digital assets?

      The main recommendations for vulnerability management take into account:

      • Definition of an asset inventory, so you have the knowledge about what you need to protect
      • Definition of roles and responsibilities, so it is clear what needs to be done by whom
      • Definition of reference sources (e.g., suppliers, manufacturers, expert groups, etc.), so you can have trustworthy information about vulnerabilities
      • Handle identified vulnerabilities in a systematic way
      • Make records of performed analysis

      Regarding penetration tests, they should be performed considering at least these phases:

      • Planning: identification of the information systems and targets involved
      • Information gathering: collect all available information possible about the targets
      • Threat modeling: develop strategies to attack the systems
      • Vulnerability analysis: identify all vulnerabilities related to the target
      • Exploitation: effectively apply devised threats against potential vulnerabilities to try to breach the targets
      • Post-exploitation: Check what can be done once the target is breached (e.g., download files, access other systems, etc.)
      • Reporting: Document and present findings and recommendations

      For further information, see:

  • Set of ISO 27001 questions

      1. What is a data label? What assets does the data label apply to?
      What are the best practices for data labeling?
      Can you give me examples of data labeling?

      A data label is any means you can use to attribute information to an information asset. In the context of ISO 27001, a data label is generally applied to show the information classification.

      The assets to which the data label applies will depend on how you treat classified information. For example, all information classified as secret may require the assets that contain it to be labeled.

      ISO 27001 does not prescribe practices for data labeling, but some examples you may consider are:

      • adopt physical and logical data labels (e.g., adhesive labels, electronic logos, etc.)
      • place the data label in a location where it is easily visible (e.g., top of the page, top corner of a screen, etc.)
      • place the data label in an asset container (e.g., an electronic folder, a box file, etc.), so people do not need to access the asset to see the label

      For further information, see:

      2. What is the relationship between the classification of assets and/or identifying the level of importance of the asset with the risk analysis? Finally, what is the asset classification for me?

      The risk analysis, along with the identification of legal requirements (e.g., laws, regulations, and contracts), is the main source of information for asset classification. The higher the risks related to an asset, the higher the asset classification.

      The asset classification will help you to know how to treat information. Normally, the higher the classification, the more controls you will need to implement to protect the information.

      3. Is the level of importance of assets, calculated in the assessment of assets based on the analysis of confidentiality, integrity and availability of the assets, what is used to estimate the impact on the business if a risk materializes?

      Please note that the thinking process is the other way around. The impact of materialized risks on the confidentiality, integrity, and availability of information is what will be used to estimate the classification level of an asset.

      4. What are the information security processes that must be documented?

      ISO 27001 does not require information security processes related to information classification to be documented, but in general, organizations document an Information Security Policy as a way to make the rules on how to classify, label, and treat information clear to all personnel who handle information that needs to be protected.

      5. How can you monitor information security risks, and the risk treatment plan?

      Monitoring of risks will depend on their nature, so here are some examples:

      • Monitoring of recorded incidents
      • Monitoring of anomalous behaviors of information systems and networks
      • Monitoring of KPIs (Key Performance Indicators) of processes related to relevant risks

      Regarding the Risk Treatment Plan, since it defines resources and deadlines for each action, you can use this information to track the implementation progress.

      For further information, see:

      6. Which templates can I use to monitor the risks and the risk treatment plan?

      To monitor risks you can use the Risk Assessment Table, located in folder 05 Risk Assessment and Risk Treatment. In this table, you can include new risks or update the status of currently recorded risks.

      To monitor the actions related to Risk Treatment Plan you can use the Risk Treatment Plan itself. Like in the Risk Assessment Table, you can include new actions or update the status of current actions to implement risk treatments.

      7. When will I receive the toolkit update with the new version of ISO 27001:2022?

      All customers who bought their toolkits within 12 months from October 31st, 2022 are entitled to receive an updated toolkit. If this is your case, you will receive your updated toolkit as soon as the Spanish version is released.

  • Documents missing in toolkit

      I understand that, but exception management and vulnerability management are the basic controls for which we need to have a policy created.
      Please help me with this.

  • Completing implementation

      Are you asking if it is acceptable to keep the laboratory QMS based on ISO 17025, Option A, in other words as if there were no ISO 9001 certification, even if at the same time the organization is applying for ISO 9001?
      The answer is that for accreditation purposes there is no problem; you do not have to integrate the laboratory QMS into the ISO 9001 certification. This would be in order, even from an operational perspective, if the approach to management requirements is consistent. Otherwise, it will create confusion and gaps in the systems. For example, it would not make sense if the way you address nonconformances and risks in the laboratory as part of ISO 17025 compliance is different from how it is done for the ISO 9001 QMS. My recommendation would be to keep the laboratory registers separate, but the organisation's activities falling only under ISO 9001 (for example, finance) should follow a process adapted from the laboratory processes and templates.

      Lastly, if the laboratory is seeking accreditation to ISO 17025, there is no need to include the laboratory in the ISO 9001 certification scope, as the laboratory is considered to operate in accordance with ISO 9001 principles. Refer to Annex B of the ISO 17025 standard.
