Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Audit

    I’m assuming that by external audit you refer to the certification audit.

    Considering that, it is important to note that an internal audit is a mandatory requirement for ISO 27001 certification, so it needs to be performed before the certification audit.

    To perform an internal audit you should consider these steps:

    • Develop an internal audit procedure
    • Plan your audits, considering dates, criteria, and scope
    • Develop checklists to help you not forget something during the audit
    • Elaborate on the audit report which will include the non-compliances and other findings

    These articles will provide you with a further explanation of internal audit:

    These materials will also help you regarding internal audit:

    To see what internal audit documents compliant with ISO 27001 look like, please take a look at this toolkit:

  • Aruba Products

    Thank you!

  • ISO 27001 query

    1. Can I seek your advise on the how much is the RTO usually set for a company offering SaaS based solutions? Does the ISO 22301 define any times? I understand that it depends on various org-specific factors, but want to get a idea on industry best practices.

    ISO 22301 does not prescribe RTO values. Instead, it provides a framework for organizations to understand their business continuity needs and define the proper RTO values according to the criticality of their services and risk tolerance. Normally RTOs are measured in terms of hours, minutes, or seconds, with lower numbers representing less downtime but greater costs in investments.

    You should avoid taking as reference values from other organizations because RTOs need to be based on the specificities of your own business.

    For further information, see:

    2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:

    Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?

    Please note that security controls to be implemented need to be based on the results of risk assessment and applicable legal requirements.

    In case you do not have any relevant risk, or laws, regulations, or contracts demanding an anti-malware / anti-virus solution, you do not need to implement it. However, in most cases, we see companies implementing anti-malware on all laptops.

    For further information, see:

    3. What are the minimum device management controls that the org should have control over?

    I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advise on what controls are considered bare minimum, and as per industry best practices, to help us pass the certification.

    The same answer from the previous question applies here. You need to perform a risk assessment and evaluate applicable legal requirements to identify relevant controls to be implemented for device management.

    Please note that simply applying best practices will not help you with the certification process, because the certification auditor will look for if you have implemented controls based on risk assessment and evaluation of legal requirements properly performed. Further, there are no "industry best practices" that would be universally accepted.

    This material may help you:

    • Checklist of Cyber Threats & Safeguards When Working From Home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home

    • Documentation requirements for the HR department according to ISO 9001

      Regarding the Human Resources department, one can think about:

      • Clear responsibilities and authorities for each job function (clause 5.3)
      • Clear competence requirements regarding each job function (clause 7.1.6)
      • Competence gaps determination and actions to close those gaps (clause 7.2)
      • Monitoring human resources department performance (clauses 9.1.1 and 9.1.3) 

      Based on this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ mandatory documentation requirements are:

      • Records of training, skills, experience, and qualifications (clause 7.2)
      • Monitoring and measurement results (clause 9.1.1) 

      Regarding the Controlling department one can think about:

      • Preparing information for the top management (clause 9.3)
      • Supplying information for decision-making processes (clauses 9.1.1 and 9.1.3)
      • Maintaining IT systems (?) (clause 7.1.3)
      • Relevant communication (clause 7.4) 

      Based on the same article mandatory documentation requirements are:

      • Results of the management review (clause 9.3
      • Monitoring and measurement results (clause 9.1.1)
         

    • Secure coding

      I’m assuming this text is from the Secure development policy.

      Considering that, please note that the comments included in this section provide some examples of practices and principles for secure coding.

      Regarding a second layer of the document (i.e., specific procedures), please note that since each organization has its own specific set of procedures and principles for coding development and maintenance (based on the programing language used, development framework, etc.), it is unfeasible to provide a set of templates that covers existent possibilities.

      What you can do is refer to your already written procedures principles in this Policy. In case you still need to develop such documents, then you can use the blank template that is included in your toolkit to develop them.

      In case you need additional support, you can schedule an online meeting where one of our experts will help you develop these documents. To schedule a meeting, please click here: https://advisera.com/consultations/

    • Information Security Plan

      In the context of ISO 27001, the “Information Security Plan” is the Risk Treatment Plan, where you define all actions necessary to treat the relevant risks.

      Before developing the Risk Treatment Plan, you need to several steps. For detailed information, see:

      To develop the Risk Treatment Plan itself you should consider these steps:

      • definition of security controls to be implemented
      • who is responsible for implementing them
      • what are the deadlines for the implementation
      • which resources are needed (i.e. financial and human)
      • how the results will be evaluated

      This article will provide you with further explanation about implementing the Risk Treatment Plan:

      These materials will also help you:

      • Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
      • ISO 27001 Free online training ISO 27001 Foundations Course http://advisera.com/training/iso-27001-foundations-course/

      • How to make company auditor?

        To become an organization that can certify other organizations against an ISO standard, like ISO 27001, the organization needs to undergo an accreditation process performed by an accreditation body against ISO/IEC 17065. In general, each country has one accreditation body (e.g., UKAS for the UK, or ANAB for the USA).

        Considering that, you need to contact the accreditation body from the country you want to become a certification body and ask for the details of its accreditation process.

        You can have an overview of ISO/IEC 17065standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17065:ed-1:v1:en

      • ISO 27001:2022 mandatory documents and records

        1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
        and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”.  If I understand it correctly they both relate to ISO 27001 2022. Correct?

        Your understanding is correct. Both the article and the file are related to the current ISO 27001:2022.

        2 - Can you explain to me why i.e information classification policy, confidentiality statement, training and awareness are mentioned as mandatory in the PDF file and is NOT listed as mandatory on the webpage?

        First is important to note that the article focuses on controls that require documentation, and the List of documents focuses on which documents cover which controls.

        Considering that, no control requires an Information Classification Policy to be documented (that’s why it is not mentioned in the article), but since the Information Classification Policy in the toolkit covers control A.5.10 (Acceptable use of information and other associated assets), and this control requires documentation, then the Information Classification Policy needs to be documented in case the control A.5.10 is applicable.  

        Regarding the Confidentiality Statement, it is one example of a document related to the “Definition of security roles and responsibilities”, which in the article is implemented by means of “Agreements, NDAs, and specifying responsibilities in each security policy and procedure”.

        As for the Training and Awareness Plan, it is one example of a record related to “Training, skills, experience, and qualifications”.
Page 37-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +