Search results

Home / Search

Category:
Select
Select

11288 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Using HLS to combine 27001 with other standards

    I'm assuming that by HLS you mean High-Level Structure.

    Considering that, please note that all ISO management systems reviewed/released since 2012 have the same basic structure:

    • organizational context
    • leadership 
    • planning 
    • support
    • operation 
    • performance evaluation 
    • improvement 

    This allows the standards they make use of similar requirements, which makes requirements mapping integration easier.

    For further information, see:

  • If 27001 was fully implemented and certified, would you pass a SOC 2 type 2 attestation?

    Being certified against ISO 27001 does not ensure full compliance with SOC 2 type 2.

    Please note that ISO 27001 can help implement some SOC 2 requirements, but SOC 2 has requirements of its own that are not covered by ISO 27001.

    For further information, see:

  • ISO 27001 certification needed

    From your question I'm assuming you are referring to the following training: foundations, internal audit, lead auditor, and implementer.Considering that, you should consider at least the Foundations course, to have an understanding of the standard's requirements, and internal audit, to know how to audit the standard.

    The lead auditor and implementer courses are more related to those who want to have a career in ISO 27001.  

    For further information, see:

  • Could your toolkit be applied to public second-floor bank?

    Yes, the EU GDPR Documentation Toolkit can also be applied to a bank. The EU GDPR Documentation Toolkit was designed to help any organization become GDPR-compliant by following a step-by-step approach, filling in the templates in each directory. The toolkit contains all the documents needed for GDPR compliance, what is really important is to follow the steps indicated in the project template document, to map all the personal data processing operations in the organization, identify all the risks related to personal data processing, perform DPIAs and address all the risks with technical and organizational measures. We also have articles and courses that can help you better understand GDPR requirements.

    Please also visit these links:

  • ISO 27001 change process: 2013 to 2022

    Your positive energy and enthusiasm radiate through your writing It's obvious that you are truly passionate about what you do

  • Confidentiality Level & the ISO 27001 Standard

    1 - Should all documents have a confidentiality level?

    First is important to note that defining confidentiality level for documents is necessary only if control A.5.12 Classification of information is identified as applicable in the Statement of Applicability.

    Considering that, only documents with information considered relevant to the Information Security Management System scope must have a confidentiality level.

    For example, in case financial information is not included in the ISMS scope, then documents with financial information do not need to have a confidentiality level.

    This article will provide you with a further explanation of information classification:

    2 - Also in the standard Annex A there is a table of 'A' numbers, example A.12.1.3 how do I link these to the clauses in the standard? Example 9 Performance evaluation?

    Please note that there is no connection between individual clauses to particular controls.

    This is so because the purpose of the main part of the standard (clauses 4 to 10) is to manage security (e.g., risk management, internal audit, etc.), whereas the purpose of Annex A is to decrease risks with controls. 

    For further information, see:

  • MSA for multi measurement function equipment

    I would like to higlike for this topic, If the mesaurement equipment has been associated in control plan(s) and CPs specified mutliple measurement function unit you have to undertake MSA study for each functinal unit.

  • Trying to map additions

    1 - I have the new Advisera ISO 27001 2022 Toolkit. I am trying to map additions caused by the new version of the ISO 27001 2022 standard’s main part (clauses 4 to 10) from the Toolkit, e.g., 6.3 and 8.1 among others, but cannot seem to find them.

    Are the standard’s changes such in nature that they can be seemed already included to the old version of the document templates? or why I cannot find them? 

    Answer:  Your first assumption is correct. Please note that changes in the main clauses of the standard are minor and require no changes in the templates like ISMS Scope, top-level Information Security Policy, Risk assessment methodology, etc. 

    2 - Can ISO 27001 2013 certified company make all the changes required for the new ISO 27001 2022 version, and if compliant, certify against 2022 version in the middle of the 3 year validity period in one of the surveillance audits?

    Answer: Yes, you can make the transition to the 2022 revision during a surveillance audit, but latest by October 2025.

    For further information, see:
    - ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

    3 - It probably is required to have internal audit done against 2022 version before certification?

    Answer:  Your assumption is correct. You will need to perform an internal audit against the 2022 version before certification.  

  • Procedure for document and record control

    Please note that in the text you presented, the fields represent the way you use to record external documents used by the organization, considering physical and electronic forms (details about how to fill in the document can be found in its document wizard).

    For example, for physical media, you can use a register of external correspondence, and for electronic documents, you can use Customer Relationship Management software.

    In case you have a small number of external documents to manage, you can use Conformio to make such control.

  • Code of Conduct

    First is important to note that ISO 27001 does not require a Code of Conduct.

    Regarding information security, all necessary security rules to be compliant with ISO 27001 are already covered through Conformio documentation (the document that covers general security rules for all employees is IT Security Policy), and writing another document to cover security rules would only increase administrative effort. 

    In case you want to create a Code of Conduct to cover non-security topics, you should:

    • identify the practices and behaviors the organization expects from its employees, contractors, customers, and suppliers.
    • define how to approach these requirements considering the organizational culture and available resources

    To help you with that you can assess legal requirements (e.g., laws, regulations, and contracts) the organization needs to fulfill, as well as map internal and external relationships you need to maintain.

    Examples of topics to be considered are:

    • Unacceptable behaviors and their consequences
    • Legal compliance
    • Employee rights
    • On-the-job training guidelines
    • Internal practices (e.g., dress code, inclement weather policy, etc.)
    • External practices (e.g., contact with authorities, etc.)

    This article will provide you with further explanation about developing documents (it is focused on the development of ISO 27001 documents, but you can apply these concepts for non-information security topics):
Page 50-vs-13485 of 1129 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +