1. We have been told by a client (a bank) that we need to become ISO27001 accredited as a company to meet their security standards.
But we are only a small organisation and do not have in-house IT people.
Would you recommend we contract an IT consultant for some time and use your framework?
First, it is important to note that:
Regarding the implementation approach, there are three major options:
a) using your own personnel
b) hiring a consultant
c) using a DIY approach with external support
All of them have their advantages and disadvantages, considering time, cost, effort, and preservation of knowledge, and you should consider these factors to decide which approach is best for you.
These articles will provide you with further explanation about ISO 27001:
These materials will also help you with ISO 27001:
2. How do you work with clients like us? I’m not sure where to start?
Our ISO 27001 Toolkit follows the "DIY with external support" approach, and based on what you stated about your business, it is the right solution for you. The templates in the toolkit are 90% completed, and you only have to include the information about your organization and the specifics about the controls that will be used.
The templates have lots of comments that will help you include your information. And if you are stuck at any moment in the process, you can contact us through e-mail (there is no limit on how many e-mails you can send) or schedule online meetings with one of our experts.
These are two separate requirements.
The phrase about the e-mail message refers to business messages, sent through approved business channels. The phrase about the message on a message exchange system refers to personal messages posted on non-business channels.
Please note that sometimes, when people know where you work, comments posted on social media can be interpreted by others as your organization's point of view. That's why many organizations have internal rules instructing their employees not to make comments related to work (in most cases, if you want to include your organization in your timeline, organizations suggest you share the organization's posts). These suggestions are not requirements of ISO 27001, but good practices. You can decide for yourself whether to apply this or not.
To see what documents covering the requirements you mentioned look like, considering ISO 27001, I suggest you take a look at these free demos:
Please note that ISO 27001 and ISO 22301 do not require Context of the organization and Business continuity strategy to be documented, but as a good practice you can use this template for Business continuity strategy:
These articles will provide you with further explanation about developing documents:
Regarding answers to requirements in audits, the documents themselves, and the presentation of any records listed in these templates will help you succeed in the audit.
These articles will provide you with information about preparing for audits:
A Service Management System (SMS) based on ISO/IEC 20000-1 uses more detailed and industry-specific requirements. Yes, we can argue that the same requirements are also included in the ISO 9001:2015 QMS, although with a more generic approach, i.e. on a higher level. So, if you want to manage your services, an SMS is the right "tool" for you.
See a comparison of both standards in this free whitepaper (please note, it's written for the 2011 revision of the ISO 20000-1 standard, but it will give you a good idea): ISO/IEC 20000-1:2011 vs. ISO 9001:2015 matrix https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix
Ignore this question, I found the answer here:
1. How to determine RTO? It is clear for MTPD.
The RTO is defined after you cross-examine the MTPD between different interdependent activities. In some cases, the RTO will remain the same as the MTPD, and in some cases (where a related activity requires a quicker recovery) it will be lower.
2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?
The RTO is related to business needs, so the person responsible for the impacted activity must be the one to define the RTO, but it is important that this person consults those responsible for the supporting resources, to find the best balance between business needs and available resources (the smaller the RTO, the more resources you will need).
3. About your example during the webinar: if the RTO of IT is 8 hours and the RTO of one critical activity is 4 hours, and this activity depends on IT, which RTO will be considered?
When considering the interdependency of activities, you always need to consider first the RTO related to the business activity. In the example, since the RTO of the critical activity is 4h, this must be the RTO to be considered (if you consider the RTO for IT, the critical activity will not be recovered in the proper time).
For more information, please read the following article:
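The dependency rule from the answer above (a supporting activity's RTO can never be longer than the RTO of any activity that depends on it) as an added Python example; it is not part of the original thread, and the activity names and hours are constructed to reproduce the webinar case (4h critical activity depending on IT with an 8h target).

```python
from typing import Dict, List, Tuple

# Constructed sample data (not from the original post): MTPD in hours plus the
# activities each one depends on. "payments" is the 4h critical activity, "it"
# the supporting function whose own MTPD is 8h.
ACTIVITIES: Dict[str, dict] = {
    "payments": {"mtpd": 4, "depends_on": ["it"]},
    "reporting": {"mtpd": 24, "depends_on": ["it"]},
    "it": {"mtpd": 8, "depends_on": []},
}


def derive_rto(activities: Dict[str, dict]) -> Dict[str, int]:
    """Start every RTO at the activity's own MTPD, then tighten each supporting
    activity to the lowest RTO among the activities that depend on it.
    Iterates to a fixpoint so chains (A -> B -> C) propagate correctly."""
    rto = {name: spec["mtpd"] for name, spec in activities.items()}
    changed = True
    while changed:
        changed = False
        for name, spec in activities.items():
            for dep in spec["depends_on"]:
                if dep not in rto:
                    raise KeyError(f"{name!r} depends on unknown activity {dep!r}")
                if rto[name] < rto[dep]:
                    rto[dep] = rto[name]  # supporting activity must recover first
                    changed = True
    return rto


def dependency_gaps(activities: Dict[str, dict],
                    planned_rto: Dict[str, int]) -> List[Tuple[str, str, int, int]]:
    """Compare a planned RTO table against the derived one and report every
    (supporting, dependent, planned_hours, required_hours) where the planned
    RTO of a supporting activity is too long for a dependent activity."""
    required = derive_rto(activities)
    gaps = []
    for name, spec in activities.items():
        for dep in spec["depends_on"]:
            if planned_rto[dep] > required[name]:
                gaps.append((dep, name, planned_rto[dep], required[name]))
    return gaps


if __name__ == "__main__":
    print(derive_rto(ACTIVITIES))
    print(dependency_gaps(ACTIVITIES, {"payments": 4, "reporting": 24, "it": 8}))
```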
If documents created by an employee and sent directly to the client without the approval of another person of the organization is an acceptable risk to your organization, then you can include an "exception" in this section like:
"Except for client project work documents, all other documents, regardless of whether they are new documents or new versions of existing documents, must be approved by [job title]. Client project work documents are considered approved by the employee who has created/reviewed them."
Please note that as a good practice for projects, the project manager should review/approve the documents, since they will be sent to the client.
Unfortunately, we do not have a specific cyber-attack contingency plan. Our templates are provided as a general basis for the development of specific contingency plan scenarios, so you can use them to define the activities, resources, and responsibilities required for a cyber-attack contingency.
Please take a look at these free demos to see what a contingency plan looks like:
This article will provide you with further explanation about developing a BCP and a DRP:
My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
Is it just a matter of asking the audit provider to verify the additional questions and deliver the "statement of compliance"? Or is there a certification for which the company should conduct a proper and distinct audit?
First, it is important to note that ISO 27017 is not a certifiable standard. What some certification bodies do is to "certify" against ISO 27017 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series.
Considering that, to be "certified" against ISO 27017 all you need to do is to include the applicable controls related to ISO 27017 in your Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process), update your risk treatment plan, implement required controls and notify your certification body about the changes (so it can adjust the certification/surveillance audits accordingly).
For further information, see:
My second question is: Can a company say that it is certified for information security management for cloud computing services with just ISO 27001/27002?
ISO 27001 has enough security controls to allow an organization to be certified with cloud computing services in its ISMS scope. You would only need to include controls from ISO 27017 if your organization has specific requirements demanding the implementation of ISO 27017 controls (e.g., laws, regulations or contracts).
This article will provide you with further explanation about the ISMS scope:
If the company implements ISO 13485/10328, with our ISO 13485:2016 Documentation Toolkit the following requirements from the FDA will be met: the quality management system described in 21 CFR 820, and reports of corrections and removals described in 21 CFR 806. The following requirements need to be fulfilled in addition to our toolkit: registration described in 21 CFR 807, Unique Device Identification described in 21 CFR 830 or electronic records and signatures described in 21 CFR 11.
For more information, please read the following article:
How to use ISO 13485 to fulfill FDA regulatory classes for medical devices https://advisera.com/13485academy/blog/2017/09/14/how-to-use-iso-13485-to-fulfill-fda-regulatory-classes-for-medical-devices/