Search results

The best combination to use for IT Audit

The best combination will depend on:

• the purpose of the audit
• the legal requirements (e.g., laws, regulations, and contracts) the audit must be aligned to

Broadly speaking, COBIT covers governance aspects of IT, ISO helps cover information security aspects of IT, and ITIL covers operational and management aspects of ITIL.

These articles will provide you a further explanation about these frameworks:

• ISO 27001 vs. ITIL: Similarities and differences https://advisera.com/27001academy/blog/2016/03/07/iso-27001-vs-itil-similarities-and-differences/
• ISO 27001 vs. COBIT: A comparison https://advisera.com/27001academy/blog/2019/05/06/cobit-vs-iso-27001-how-much-do-they-differ/

These materials will also help you regarding audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

ISO 27001 compliance testing

The types of tests to be performed will depend on:

• the requirements defined
• the results of risk assessment
• the legal requirements the website must comply with (e.g., GDPR requirements for data owner management of his/her own information)

Broadly speaking, there are basically 3 types of "tests" that can be related to ISO 27001: 

• vulnerability testing (not mandatory)
• internal audit (mandatory)
• certification audit (mandatory only if you need the certificate)

Regarding the cost estimates, the best approach is to request a couple of quotations of companies which provide such tests, so you can make a comparison.

This article will provide you a further explanation about tests:

• How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
• How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

Risk Assessment

ISO 27001 does not prescribe which methodology an organization must use for risk assessment and risk treatment, only that an approach must be defined, so organizations can adopt the approach that better fits them.

Since you are already ISO 27001 certified, the initial recommendation is for you to keep the approach adopted in the preparation for the certification (it was validated by the certification auditor), and then ask both your external consultant and the auditor about the pros and cons of each recommended approach considering your organizational context, so you can evaluate if you, in fact, need to change your current approach.

For further information, see:

• The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

BAU activities

I'm assuming that by BAU you mean "Business as Usual".

Considering that, by the size of this company, it is easier to define that only the headquarters is in the ISMS scope, and treat all other locations as outsourced parties.

In this approach, you can treat the risks related to the remote locations by means of controls from section A.15.

These articles will provide you a further explanation about the scope definition and supplier management:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

Evaluating the effectiveness of the procedure

The requirements for the evaluation of the ISMS performance are stated in section 9 of the ISO 27001. It is true that the standard does not prescribe what to check, but the items included in the procedures are the most commonly used in ISO 27001 related documents, and of course, since the templates are fully editable, you can define other items for checking the effectiveness of the procedure.

This article will provide you a further explanation about performance measurement:

• How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

Recording ISMS Internal Audit Findings

 ISO 27001 does not prescribe how to record ISMS Internal Audit Findings, but the most common approach is through an Internal Audit Report.

To see how an Internal Audit Report compliant with ISO 27001 looks like, I suggest you see the free demo of our Internal Audit Report at this link: https://advisera.com/27001academy/documentation/internal-audit-report/

This article will provide you a further explanation about internal audit:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

ISOs 27000 and 22301

I'm assuming you are talking about ISO 27001, which defines requirements for the ISMS. ISO 27000 defines the vocabulary for ISO 27001 series of standards.

Considering that, regarding disaster recovery, ISO 27001 defines objectives and controls (what must be achieved) related to information security aspects of business continuity, on Annex A, section A.17, but it does not provide guidance on how to implement such controls.

But please note that disaster recovery is required by ISO 27001 only if you have relevant risks, or legal requirements (e.g., laws, regulations, and contracts), that require the implementation of disaster recovery.

In this case, for guidance, you can use either ISO 27002, which provides guidance on the implementation of ISO 27001 Annex A controls, or ISO 22301, but please note that neither are required to be used for ISO 27001 implementation.

These articles will provide you a further explanation about ISO 27002 and ISO 22301:

• ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
• How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

This material will also help you regarding controls implementation:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Getting certification after risk assessment

Generally speaking, after risk assessment you need to:

• define risk treatment
• elaborate and approve the statement of applicability
• develop and implement the risk treatment plan
• operate and monitor controls (implementing corrections and improvements as necessary)
• perform internal audit
• perform management review
• implement management review decisions (including the implementation of corrections and improvements as necessary)

These articles will provide you a further explanation about ISO 27001 implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

ISO 27001: ISMS

ISO 27001 provides a comprehensive approach for information security and Cyber Security, so an additional framework would be necessary only if:

• there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of another framework
• there are needed controls that are not covered, or not properly covered, by controls in Annex A (e.g., NIST SP 800-53 publication also provides one family of 16 controls for the management of information security programs)

In case you do not have the above-mentioned situations, ISO 27001 is sufficient to cover cybersecurity

This article will provide you a further explanation about NIST and cybersecurity:

• How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
• ISO 27001 vs. Cyber Essentials: Similarities and differences https://advisera.com/27001academy/blog/2017/09/11/iso-27001-vs-cyber-essentials-similarities-and-differences/
• ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/

Implementation costs for EMAS

Implementation costs for EMAS are higher than for ISO 14001. Simplifying, one can say that implementing an environmental management system according to EMAS is like implementing ISO 14001 plus certain requirements about transparency with the publication of an environmental statement about environmental performance. More transparency is always more expensive. About duration one can say that the difference can be made irrelevant.

Please check below more information:

• ISO 14001:2015 vs. EMAS: Which one to go for? - https://advisera.com/14001academy/blog/2018/04/03/iso-140012015-vs-emas-which-one-to-go-for/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/