Search results

ISO 27001 Auditor Question

Your assumption is correct. Lack of internal audit is a major nonconformity because it is a mandatory requirement. 

When a major nonconformity is found the auditor does not need to stop the audit, however, he needs to inform the customer that it will not be possible to recommend for certification.

Regarding the suggestion of implementation training, although it is common to make such a suggestion, first you need to evaluate if the reason for failing to comply with a mandatory requirement was due to lack of knowledge about the implementation process, or other operational cause, such as lack of personnel or resources.

ISO 270001 documentation format

ISO 27001 does not prescribe a format for document creation, so you can use any format that fits your organization’s needs.

For further information, see:

• How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

ISMS scope

1. Should DC1 to be excluded from the scope and when?

From your question I'm understanding that only physical space will be rented.

Considering that, only physical space and its management should be excluded from the scope, by the time you move your assets to the rented space.

2. How to include systems hosted at DC3 in the Scope and under proper security control?

Since these systems (i.e., hardware and software) are already in the scope, as part of DC1, and DC3 is out of the scope, you need to state the systems in the scope, instead of the state of a data center.

3. What will be the recommended scope statement due to the changes?

An example of changed scope is:

"Provision of IT services of the Data Centre Facilities at DC2 & remote managed systems at DC 3 to the customers of ***."

Adoption of ITIL

Selling the idea of implementing ITIL should emphasize the high-level as well as „low-level“ benefits.

Here are a few articles that could give you an idea of how to explain potential benefits (please note, some are ISO 20000 related, but the content fits perfectly with ITIL implementation):

• How to translate ITIL/ISO 20000 language into business language understandable by your management https://advisera.com/20000academy/blog/2016/03/01/how-to-translate-itiliso-20000-language-into-business-language-understandable-by-your-management/
• How to make your investment in ISO 20000/ITIL profitable https://advisera.com/20000academy/blog/2017/05/18/how-to-make-your-investment-in-iso-20000-itil-profitable/
• 4 Crucial Techniques for Convincing your top Management to Implement ISO 20000 https://advisera.com/20000academy/blog/2017/10/31/4-crucial-techniques-for-convincing-your-top-management-to-implement-iso-20000/
• ITIL Incident Management benefits – Simple explanation for your top management https://advisera.com/20000academy/blog/2015/11/24/itil-incident-management-benefits-simple-explanation-for-your-top-management/
• 5 benefits of ITIL Change Management implementation https://advisera.com/20000academy/blog/2016/06/21/5-benefits-of-itil-change-management-implementation/

• Using HLS to combine 27001 with other standards

  I'm assuming that by HLS you mean High-Level Structure.

  Considering that, please note that all ISO management systems reviewed/released since 2012 have the same basic structure:

  • organizational context
  • leadership 
  • planning 
  • support
  • operation 
  • performance evaluation 
  • improvement 

  This allows the standards they make use of similar requirements, which makes requirements mapping integration easier.

  For further information, see:

  • How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/

• If 27001 was fully implemented and certified, would you pass a SOC 2 type 2 attestation?

  Being certified against ISO 27001 does not ensure full compliance with SOC 2 type 2.

  Please note that ISO 27001 can help implement some SOC 2 requirements, but SOC 2 has requirements of its own that are not covered by ISO 27001.

  For further information, see:

  • Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/2021/02/02/iso-27001-vs-soc-2/

• ISO 27001 certification needed

  From your question I'm assuming you are referring to the following training: foundations, internal audit, lead auditor, and implementer.Considering that, you should consider at least the Foundations course, to have an understanding of the standard's requirements, and internal audit, to know how to audit the standard.

  The lead auditor and implementer courses are more related to those who want to have a career in ISO 27001.  

  For further information, see:

  • Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/2021/02/02/iso-27001-vs-soc-2/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

• Could your toolkit be applied to public second-floor bank?

  Yes, the EU GDPR Documentation Toolkit can also be applied to a bank. The EU GDPR Documentation Toolkit was designed to help any organization become GDPR-compliant by following a step-by-step approach, filling in the templates in each directory. The toolkit contains all the documents needed for GDPR compliance, what is really important is to follow the steps indicated in the project template document, to map all the personal data processing operations in the organization, identify all the risks related to personal data processing, perform DPIAs and address all the risks with technical and organizational measures. We also have articles and courses that can help you better understand GDPR requirements.

  Please also visit these links:

  • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
  • EU GDPR Data Protection Officer Course: https://advisera.com/training/eu-gdpr-data-protection-officer-course/

• ISO 27001 change process: 2013 to 2022

  Your positive energy and enthusiasm radiate through your writing It's obvious that you are truly passionate about what you do

• Confidentiality Level & the ISO 27001 Standard

  1 - Should all documents have a confidentiality level?

  First is important to note that defining confidentiality level for documents is necessary only if control A.5.12 Classification of information is identified as applicable in the Statement of Applicability.

  Considering that, only documents with information considered relevant to the Information Security Management System scope must have a confidentiality level.

  For example, in case financial information is not included in the ISMS scope, then documents with financial information do not need to have a confidentiality level.

  This article will provide you with a further explanation of information classification:

  • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

  2 - Also in the standard Annex A there is a table of 'A' numbers, example A.12.1.3 how do I link these to the clauses in the standard? Example 9 Performance evaluation?

  Please note that there is no connection between individual clauses to particular controls.

  This is so because the purpose of the main part of the standard (clauses 4 to 10) is to manage security (e.g., risk management, internal audit, etc.), whereas the purpose of Annex A is to decrease risks with controls. 

  For further information, see:

  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/