Search results

BAU activities

I'm assuming that by BAU you mean "Business as Usual".

Considering that, by the size of this company, it is easier to define that only the headquarters is in the ISMS scope, and treat all other locations as outsourced parties.

In this approach, you can treat the risks related to the remote locations by means of controls from section A.15.

These articles will provide you a further explanation about the scope definition and supplier management:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

Evaluating the effectiveness of the procedure

The requirements for the evaluation of the ISMS performance are stated in section 9 of the ISO 27001. It is true that the standard does not prescribe what to check, but the items included in the procedures are the most commonly used in ISO 27001 related documents, and of course, since the templates are fully editable, you can define other items for checking the effectiveness of the procedure.

This article will provide you a further explanation about performance measurement:

• How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

Recording ISMS Internal Audit Findings

 ISO 27001 does not prescribe how to record ISMS Internal Audit Findings, but the most common approach is through an Internal Audit Report.

To see how an Internal Audit Report compliant with ISO 27001 looks like, I suggest you see the free demo of our Internal Audit Report at this link: https://advisera.com/27001academy/documentation/internal-audit-report/

This article will provide you a further explanation about internal audit:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

ISOs 27000 and 22301

I'm assuming you are talking about ISO 27001, which defines requirements for the ISMS. ISO 27000 defines the vocabulary for ISO 27001 series of standards.

Considering that, regarding disaster recovery, ISO 27001 defines objectives and controls (what must be achieved) related to information security aspects of business continuity, on Annex A, section A.17, but it does not provide guidance on how to implement such controls.

But please note that disaster recovery is required by ISO 27001 only if you have relevant risks, or legal requirements (e.g., laws, regulations, and contracts), that require the implementation of disaster recovery.

In this case, for guidance, you can use either ISO 27002, which provides guidance on the implementation of ISO 27001 Annex A controls, or ISO 22301, but please note that neither are required to be used for ISO 27001 implementation.

These articles will provide you a further explanation about ISO 27002 and ISO 22301:

• ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
• How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

This material will also help you regarding controls implementation:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Getting certification after risk assessment

Generally speaking, after risk assessment you need to:

• define risk treatment
• elaborate and approve the statement of applicability
• develop and implement the risk treatment plan
• operate and monitor controls (implementing corrections and improvements as necessary)
• perform internal audit
• perform management review
• implement management review decisions (including the implementation of corrections and improvements as necessary)

These articles will provide you a further explanation about ISO 27001 implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

ISO 27001: ISMS

ISO 27001 provides a comprehensive approach for information security and Cyber Security, so an additional framework would be necessary only if:

• there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of another framework
• there are needed controls that are not covered, or not properly covered, by controls in Annex A (e.g., NIST SP 800-53 publication also provides one family of 16 controls for the management of information security programs)

In case you do not have the above-mentioned situations, ISO 27001 is sufficient to cover cybersecurity

This article will provide you a further explanation about NIST and cybersecurity:

• How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
• ISO 27001 vs. Cyber Essentials: Similarities and differences https://advisera.com/27001academy/blog/2017/09/11/iso-27001-vs-cyber-essentials-similarities-and-differences/
• ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/

Implementation costs for EMAS

Implementation costs for EMAS are higher than for ISO 14001. Simplifying, one can say that implementing an environmental management system according to EMAS is like implementing ISO 14001 plus certain requirements about transparency with the publication of an environmental statement about environmental performance. More transparency is always more expensive. About duration one can say that the difference can be made irrelevant.

Please check below more information:

• ISO 14001:2015 vs. EMAS: Which one to go for? - https://advisera.com/14001academy/blog/2018/04/03/iso-140012015-vs-emas-which-one-to-go-for/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Project before implementation

For performing a gap analysis against ISO 27001 requirements, I suggest you take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

It is a simple question-and-answer format that allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.

In case you are a small company, the scope of the implementation will most probably be their whole company because this will be the easiest for the implementation.

This article will provide you a further explanation about the gap analysis:

• ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/

Statement Of Applicability

From our experience with our customers, smaller companies are usually at ca 100 controls, while larger ones are usually above 110.

But please note that the main criteria considered by certification bodies to justify controls applicability are results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).

It is important to understand that because you can have similar organizations with totality different quantity of applicable controls (above or below the mentioned numbers), because they have different approaches towards risks (e.g., more risk aggressive, more cautious, etc.), and still both can fulfill the standards criteria for certification.

For further information, see:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

This material can also help you:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

Información documentada

En la última versión de la norma ISO 9001:2015 se habla únicamente de "información documentada", esta información documentada puede ser mantenida, en este caso se trataría de lo que antes denominábamos documento, o la información documentada puede ser retenida, que se trataría de lo que antes conocíamos por registro. Dicho esto, existen una serie de documentos y registros que son obligatorios para cumplir con los requisitos de la norma ISO 9001:2015 y que puede encontrar en el siguiente artículo junto con la cláusula correspondiente:

- Lista de documentos obligatorios requeridos por la ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

Otros materiales que pueden serle de utilidad para enteder la documentación obligatoria en ISO 9001:2015, son los siguientes: 

- Lista de verificación de la documentación requerida obligatoria por ISo 9001:2015: https://info.advisera.com/9001academy/es/descarga-gratuita/lista-de-verificacion-de-la-documentacion-requerida-obligatoria-por-iso-90012015

- Curso gratuito en línea - Fundamentos de ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Libro - Gestión de documentación ISO: una guía en un lenguaje sencillo: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/