Search results

ISO 27001 implementation and budget

Regarding ISO 27001 implementation, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

• defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties
• development of risk assessment and treatment methodology
• perform risk assessment and define the risk treatment plan
• controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
• people training and awareness
• controls operation
• performance monitoring and measurement
• perform internal audit
• perform management critical review
• address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

About implementation costs, there are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:

• Training and literature
• External assistance
• Technologies to be updated/implemented
• Employee's effort and time
• The certification process

Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

Filling template

An example of how you can fill in this part of the text are:

• "connecting to communication networks and data exchange must reflect the sensitivity of data and is performed by using encrypted channels for transfer of all information classified as "confidential", as defined in procedure XYZ for using encrypted channels. Information classified as "restricted" or "public" can use regular communication channels"
• "connecting to communication networks and data exchange must reflect the sensitivity of data and is performed according to the Information Classification Policy"

Information security risk management and internal audit

1. I purchased your Risk Assessment Table and Risk Treatment Table. I have completed this phase of the planning for our ISO Certification.  Now, once I have filled out the excel Spreadsheets does that count as my "Risk Report" for purposes of satisfying the mandatory document for Certification audit?
My next step is the SOA correct?

First is important to note that a "Risk Report" is not a mandatory document for ISO 27001. The standard requires retention of some documents as evidence that risk assessment and treatment was performed, and for that purpose the Risk Assessment Table, the Risk Treatment Table, the Statement of Applicability (yes, this is the next step of the risk assessment and treatment process), and the Risk Treatment Plan, are enough.

This article will provide you further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

2. What course do you recommend so I can be prepared to do an internal audit and improvement for the ISMS for my company?

As a course for internal audit I suggest you to take a look at our ISO 27001:2013 Internal Auditor Course at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

In this online course, you’ll learn all the requirements and best practices of ISO 27001, but also how to perform an internal audit in your company. The course is made for beginners. No prior knowledge in information security and ISO standards is needed.

ISO/TS 29001 in addition to ISO 9001

ISO/TS 29001 main advantage is about including specific requirements of the petroleum industry. ISO 9001 has general requirements, but ISO /TS 29001 includes specific requirements relevant for the industry and its risks.

QMS for medical devices

Thanks, Carlos

Difference between ISO 9001 and ISO 17025

ISO 9001 is about implementing a quality management system and is applicable to any kind of organization. Quality management systems can be certified by a certification body.

ISO 17025 is about “General laboratory competency of testing calibration requirements” and is applicable to laboratories that produce results, like composition of a sample, that can be used in a court of law. ISO 17025 main concern is competent, impartial, and consistent operation of laboratories. ISO 17025 is mainly used by calibration laboratories. Laboratories are accredited by an accreditation body.

The following material will provide you more information about ISO 17025:

- What is ISO 17025? - https://advisera.com/17025academy/what-is-iso-17025/
- Please check our ISO/IEC 17025 Blog - https://advisera.com/17025academy/blog/
- Download free ISO/IEC 17025 materials - https://advisera.com/17025academy/free-downloads/

Expanding scope

It is possible to include this new part of the scope in the surveillance audit for year 2, provided that you inform your certification body of this change in due time, and that the new part of the scope fulfills all requirements of the standard and the risks related to integrating this new scope to the current one are assessed and treated as necessary.

Data capacity and information security

 The lack in the capacity of an asset (e.g., equipment, media, service, etc.) to store, process and/or transmit data affects directly the concept of information availability. This impact on availability can occur when an asset is destroyed, has an unplanned stop, or when it is required beyond the limit it can be used. 

Capacity of an asset has no direct impact on integrity and confidentiality.

For further information, please read:
- Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/
- Can ISO 27001 help your organization in a DDoS attack? https://advisera.com/27001academy/blog/2017/12/04/can-iso-27001-help-your-organization-in-a-ddos-attack/

Evidence for Product realization

Yes, you do need to provide evidence for this section 7, but only for those sections that are applicable for your company. Therefore, for each section that is not applicable for you, you can state that in your Quality manual. For example, section 7.5.2 Cleanliness of product is probably not applicable, then 7.5.5 Particular requirements for sterile medical devices, 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems, and 7.5.9.2 Particular requirements for implantable medical devices. For each of these sections you need to provide justification for why it is not applicable. For example, you can state „7.5.2 Cleanliness of product is not applicable since we do not produce any product“ or „7.5.5 Particular requirements for sterile medical devices is not applicable since we do not produce sterile medical devices.“

Threats to network assets

Some common threats related to network equipment like Routers, Core-Switch, and firewall are:

• Access to the network equipment by unauthorized persons
• Damages resulting from penetration testing
• Errors in maintenance
• Malfunction of equipment

This article will provide you further examples of applicable threats:
Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/