Search results

Question about non-compliance

The consequences may vary depending on the type of the non-compliance, but broadly speaking, ISO 27001 related non-compliances can be related to:

• Information compromise (i.e., loss of confidentiality, integrity and/or availability)
• Loss of customer trust
• Violation of legal requirements (e.g., law, regulation or contract) that can lead to fines and/or legal actions

Regarding non-compliances identified during ISO 27001 certification/surveillance audit, they can lead to problems with the certification process.

These articles will provide you a further explanation about the impacts of non-compliances:

• Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
• Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

These materials will also help you regarding the impacts of non-compliances:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

ISO Lead Auditor certification/recertification

The need for recertification/refresher courses is defined by the certification issuer (e.g., Hightrust Alliance, CISSP and ISACA for their certifications), and what normally happens regarding ISO Auditor certifications is that recertification/refresher courses are necessary only when there is a change in the related management system standard (e.g., ISO 9001, ISO 27001, ISO 14001, etc), or in the audit standard (ISO 19011), so people can keep the necessary competences for audit, and such changes do not occur annually (it takes at least 5 years for a standard to be reviewed).

External and environmental threats

ISO 27001 does not prescribe ways to implement controls, only the objective to be achieved. For guidance on implementing this control, you should consider ISO 27002, a supporting standard that provides guidelines for implementation of controls from ISO 27001 Annex A.

Common solutions to implement this control are:

• Construction hardening (e.g., reinforcement of walls, doors, and windows, possibility to access multiple providers of the same service, etc.)
• Crime Prevention Through Environmental Design (CPTED) (e.g., natural surveillance/access control)

This article will provide you a further explanation about the application of control A.11.1.4:

• How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

Annex controls in SOA

Please note that there is no need for a folder A.5 in the toolkit because the policies needed to fulfill the controls from section A.5 from ISO 27001 Annex A are included in all other folders that make part of the folder 08 Annex A. In short, controls from section A.5 are not documents by themselves, but refer to other documents (A.5.1.1), and practices to be performed on them (A.5.1.2).

Regarding controls from section A.6.1, please note that roles and responsibilities are defined in each policy and procedure, so there is no need for a specific document to cover control A.6.1.1.

According to our experience, the BYOD and Mobile Device and Telework policies are sufficient to cover the controls of section A.6.

Additionally, is important to understand that ISO 27001 does not require every applicable control to be a separate document. In some cases, you only need to make a brief description of how it is implemented, and you can do that in our SoA template, in the column "Implementation Method".

This article will provide you a further explanation about the Statement of Applicability:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

Physical access audit records

ISO 27001 does not prescribe records to be generated while managing physical access, but common records you should consider are:

• access rights granted to personnel
• access logs
• changes in access rights
• access review reports

This way you cover the main steps of access management: the definition of access rights, when they are used and changed, and when they are reviewed.

This article will provide you a further explanation about physical security:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

This material will also help you regarding physical security:

• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Key Universal Principles of Segregation of Duties

The most common criteria to be considered for segregation of duties of critical activities are:

• the person who elaborates something does not approve it
• the person how performs a task does not review it

Considering that, for example, the internal auditor/security tester should not be the same person as the service manager. The service manager defines and handles changes/incidents, while internal auditor/security tester verifies if these are effective. So, you should verify exactly which activities will be performed by each role to identify potential conflicts of interest.

For further information, see:

• Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

These materials will also help you regarding segregation of duties:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 Internal Auditor or Lead Auditor

This depends on your career objectives:
- The ISO 27001 Internal Auditor certification recognizes people capable of ISMS against ISO 27001. This allows them to perform audits in their own organizations.
- The ISO 27001 Lead Auditor certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements and qualifies them to audit other organizations on behalf of a customer, or to start the process to become a certification auditor.

These articles will provide you a further explanation about personal certifications:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- ISO 27001 Internal Auditor training – Is it good for my career?  https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/  

These materials will also help you regarding audit training:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
- ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

ISO 27001 Lead Implementer Course

The material of our ISO 27001:2013 Lead Implementer Auditor Course is designed by Advisera, and at this moment we are working on its accreditation by Exemplar Global (formerly RABQSA), but it would not be advisable to use the learning material from one course to pass the exam of another course - therefore, if you plan to go for e.g. BSI course, you should use their learning materials.

Review ISMS document

You should review all ISMS scope content, considering the internal and external issues (e.g., internal culture, iplemented technologies, market trends, new technologies, etc.) that can affect the ISMS and its proposed objectives, as well as the defined requirements of the interested parties (e.g., contractual clauses, legislation, etc.).

A change in one of these aspects may require a change in the ISMS scope, either to add, exclude or change something in the current ISMS scope document.

These articles will provide you a further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Implementation of iso 27001 controls

Since you already identified all controls that are applicable and the percentage by which they are already implemented, my suggestion for additional criteria to prioritize implementation are:
- controls which affects the highest risks (in fact this should be your first criteria)
- which controls will have a more positive impact after implementation
- which controls require less effort to be implemented

Regarding starting with those who are lower in percentage, please note that a common risk in implementation projects is that a long period without results can decrease interest in the project by its supporters, so you should balance the implementation of controls which treat the highest risks with those that deliver the quickest results (i.e., implemented and measured controls as fast as you can).

These articles will provide you a further explanation about common controls:
- The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
- How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/

These materials will also help you regarding controls implementation:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/