Search results


  • Information Security Plan

    In the context of ISO 27001, the “Information Security Plan” is the Risk Treatment Plan, where you define all actions necessary to treat the relevant risks.

    Before developing the Risk Treatment Plan, you need to perform several steps. For detailed information, see:

    To develop the Risk Treatment Plan itself you should consider these steps:

    • definition of security controls to be implemented
    • who is responsible for implementing them
    • what are the deadlines for the implementation
    • which resources are needed (i.e. financial and human)
    • how the results will be evaluated

    This article will provide you with further explanation about implementing the Risk Treatment Plan:

    These materials will also help you:

    • Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    • ISO 27001 Free online training ISO 27001 Foundations Course http://advisera.com/training/iso-27001-foundations-course/

    • How to make company auditor?

      To become an organization that can certify other organizations against an ISO standard, like ISO 27001, the organization needs to undergo an accreditation process performed by an accreditation body against ISO/IEC 17065. In general, each country has one accreditation body (e.g., UKAS for the UK, or ANAB for the USA).

      Considering that, you need to contact the accreditation body in the country in which you want to become a certification body and ask for the details of its accreditation process.

      You can have an overview of the ISO/IEC 17065 standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17065:ed-1:v1:en

    • ISO 27001:2022 mandatory documents and records

      1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
      and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”. If I understand it correctly, they both relate to ISO 27001:2022. Correct?

      Your understanding is correct. Both the article and the file are related to the current ISO 27001:2022.

      2 - Can you explain to me why i.e. the information classification policy, confidentiality statement, and training and awareness are mentioned as mandatory in the PDF file and are NOT listed as mandatory on the webpage?

      First, it is important to note that the article focuses on controls that require documentation, and the List of documents focuses on which documents cover which controls.

      Considering that, no control requires an Information Classification Policy to be documented (that’s why it is not mentioned in the article), but since the Information Classification Policy in the toolkit covers control A.5.10 (Acceptable use of information and other associated assets), and this control requires documentation, the Information Classification Policy needs to be documented in case control A.5.10 is applicable.

      Regarding the Confidentiality Statement, it is one example of a document related to the “Definition of security roles and responsibilities”, which in the article is implemented by means of “Agreements, NDAs, and specifying responsibilities in each security policy and procedure”.

      As for the Training and Awareness Plan, it is one example of a record related to “Training, skills, experience, and qualifications”.

    • Work from home auditing

      Organisations can audit their employees while they work from home, but the auditing should take into consideration a balance between employees’ right to privacy and the organisations’ legitimate need to protect their digital assets from unauthorized exposure. On one hand, companies should evaluate the risks that come with a work-from-home or hybrid work environment: data theft, data losses, unauthorized data exposure, lack of efficient control mechanisms, and access from unsecured hardware. On the other hand, companies should evaluate whether the level of employee monitoring at home (logon/logoff times, navigation history, activity time, etc.) is justified in order to address the abovementioned risks. Companies must demonstrate adherence to the principle of data minimization from Article 5 GDPR (Principles relating to the processing of personal data), which requires data controllers to make sure that the minimum amount of personal data is processed in order to achieve a processing purpose.

      We highly recommend performing a Data Protection Impact Assessment (DPIA) before implementing technologies and policies/procedures to monitor employees that work from home.

      Please find more details at these links:

    • Data privacy question

      According to Article 38 GDPR (Position of the data protection officer), para 6, “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”. In smaller companies, the CISO just performs security audits without taking critical decisions, so the CISO position would not be in a conflict of interest with the DPO position. This is what the Belgian DPA states: a case-by-case analysis should be done on whether the DPO position would actually be in conflict with the CISO position. In bigger companies, the CISO's position might be in a conflict of interest if he/she is responsible for setting up and monitoring security controls in the organization, including security controls that might intrude on the privacy of employees. Such situations should be avoided.

      Please also consult these links:

    • Clarification about controls of ISO 27001:2022

      Please note that the prefix “A” before the control ID is used to relate a control to ISO/IEC 27001 Annex A. Any control identified without the prefix “A” refers to ISO/IEC 27002:2022.

      ISO/IEC 27001:2022 defines requirements for the implementation of an Information Security Management System (ISMS).

      ISO/IEC 27002:2022 provides guidelines for the implementation of controls from ISO/IEC 27001 Annex A. ISO/IEC 27002 is not mandatory for the implementation of ISO/IEC 27001.

      For further information, see:

      This material can also help you:

    • Questions about toolkit templates

      1. In document 04-Information Security Policy, the item "4.4 Business Continuity" of the document index does not appear in the body of the document. Please indicate whether we should remove this point from the index or whether you will send the text of the missing part?

      Please note that section 4.4 is required only in case you are also implementing business continuity.

      In case you are not implementing business continuity, you can delete this section.

      2. For the appointment of the security officer and security committee, do you have a standard document that allows us to carry out the board of directors minutes for the appointment, and the appointment of the role or position to the corresponding person, or if this is going to be an external entity that provides the consulting service?

      Please note that ISO 27001 does not prescribe a document for security officer/security committee appointment, so organizations can adopt their usual documents for the appointment of roles.

      As models you may evaluate the following documents compliant with EU GDPR, and adjust them to your needs:

    • Change management

      Any change in the processes and products influences the quality of the product and possibly its safety. Therefore, any change directly influences the quality management system. You can elaborate on how you will manage changes in the Management review procedure, but, as I mentioned in the previous answer, you can make a separate documented procedure.

    • Internal audit section of ISO 27001:2022

      In “Operating the ISMS” the users identified in the various security policies and procedures need to perform defined activities, generate required records, and perform corrective actions as needed as a consequence of improvements needed in the operation of the ISMS.

      In “Monitoring and measuring the ISMS” the users identified in the various security policies and procedures need to collect information about the performance of processes and objectives and evaluate whether expected results are being achieved.

      The template Measurement Report, included in your toolkit in folder 12 Management review, can help you.

      In terms of the project team, in both steps project team members need to be ready to support users, by answering their doubts, and evaluating, based on users’ feedback, if documents need adjustments.
