I need to write up a draft ISMS document that meets the ISO 27001 requirements for an SME. Could someone please guide me on where I can find a template of one? Otherwise, can someone provide the headings that I should include in the document, please?
There are many procedures within the ISO 45001 OHSMS, and although the ISO 45001 standard gives requirements for what needs to be included, each company or organization needs to tailor the procedures they create to their unique situation. The ISO 45001 standard gives descriptive requirements of what needs to be included in processes, but not prescriptive requirements that tell you how you must apply the requirements or write procedures, as these differ from company to company and country to country.
You can find out more about the required documentation of ISO 45001, including an explanation of each document, in the whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
2 people with 50 hours each is the same as saying 2 people full time on the project. There are several variables to consider in determining the duration of an implementation project. Please try our ISO 9001 Implementation Duration Calculator: https://advisera.com/9001academy/iso-9001-duration-calculator/
As a rule of thumb consider that small organizations up to 50 employees could implement ISO 9001:2015 in 6-8 months.
You can find more information about ISO 9001 implementation below:
- How long does it take to implement an ISO 9001-based QMS? - https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
If I understood correctly, you want a diagram to show the relationship between assets and threats.
Considering that, first it is important to note that for certification purposes ISO 27001 does not require such a diagram. Including it in the toolkit would only make it unnecessarily complex.
If you need this diagram for other purposes, you can find an example of how to build such a diagram at this link: https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
This diagram shows the ISO 27001 Risk Assessment and Treatment process, considering an asset – threat – vulnerability approach.
Good evening, I am drafting a security plan for the information assurance of an institution's computer platform. I would like to know the correct way to generate the necessary studies and the reports of recommendation and applicability for the respective assurance.
I'm assuming you are elaborating a risk treatment plan. Considering ISO 27001, the process to create a risk treatment plan is:
These articles will provide you further explanation about Risk assessment and treatment:
To see what the documents used in a risk assessment and risk treatment process look like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
These materials will also help you regarding Risk assessment and treatment:
Acceptable evidence of competence for ISO 27001 is based on experience, training or education.
Considering that, an internal audit certification is not required if you can provide other evidence, like statements from previous employers about internal audits performed by this person, or if it is visible from the CV that the person has experience in both ISO 27001 and auditing.
This article will provide you further explanation about internal auditor:
This material will provide you further explanation about internal auditor:
Hi Branimir,
Thanks for the information! This helps a lot!
Regards,
Rene
1. Do I need to put a justification if I didn't choose any of Annex A controls?
ISO 27001 requires a justification not only for every control from Annex A deemed applicable but also for not applying controls. This is to ensure that all controls were considered and that there are conscious reasons for not using controls deemed not applicable.
For further information, see:
2. If one of the controls is applicable but some of that control's content is not, do I need to put a justification on each point? Example: in the code of practice, A.9.1.1 has points from a to k; if points j and k are not applicable, do I need to add a justification for not choosing them?
If I understood you correctly, you are mentioning the content of ISO 27002, a supporting standard for implementation of ISO 27001.
Considering that, please note that justifications are only related to ISO 27001 Annex A, which mentions only control objectives and a general description of each control (not the details from ISO 27002). This means you do not need to justify it if only part of the recommendations from ISO 27002 are applied.
For further information, see:
3. If I wrote the access control policy and my scope is the cloud and applications running on the cloud, and there is a point in the policy applicable to some of the applications but not applicable to the rest, should I add a justification for this?
Please note that the risk assessment results will provide the necessary justification for applying an access control policy to some applications and not for others (i.e., risks for some applications are deemed unacceptable and will be treated by means of an access control policy, while other applications will not have risks requiring the application of this control).
For further information, see:
4. How can I identify controls and consequences in risk identification?
Please note that controls are identified during risk treatment after you have identified the risks.
Regarding the identification of consequences, when using the asset-threat-vulnerability approach, you should consider the participation of personnel with knowledge of the asset, of the environment where it operates, and of what depends on the asset. These are the people most capable of identifying what can happen if the asset is compromised.
For further information, see:
These materials will also help you regarding risk assessment and risk treatment:
ISO 27031 is still a valid stand-alone standard. In fact, it is under review at this moment. You can see information about the status of this standard at ISO site: https://www.iso.org/standard/44374.html
This article will provide you further explanation about ISO 27031:
As often happens when it comes to interpretation, it depends on the mailing list provided to you by the sales team.
You need to consider that GDPR applies only to personal data, so, first of all, you need to evaluate whether the email list your boss provided can be considered personal data. If the email address does not contain any personal data (e.g. info@company.com, sales@company.com, etc.) it can be used to send a campaign because GDPR will not apply.
On the contrary, if the email addresses provided to you are of the form name.surname@company.com or contain personal information (name, surname, initials, or anything referring to an individual), you will need to have a proven opt-in from them.
You can find more information about how GDPR impacts marketing in our articles:
You can also learn more about GDPR with our online free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//