
  • ISO standards related to ISO 27001

    There are 52 standards related to ISO 27001. You can recognize them by the prefix ISO/IEC 270xx. They are not related to specific clauses, but to some processes (e.g., risk management, implementation, measurement, etc.), and to controls from Annex A, where they provide detailed implementation guidance (e.g., physical security, cloud security, privacy, etc.).

    The best known and most widely used are:
    - ISO 27002 - It provides general guidance on the implementation of Annex A controls
    - ISO 27005 - It provides general guidance on the implementation of information security risk management
    - ISO 27017 - It provides specific guidance on the implementation of Annex A controls for cloud environments
    - ISO 27018 - It provides specific guidance on the implementation of Annex A controls for privacy on cloud environments
    - ISO 27031 - It provides specific guidance on the implementation of Annex A regarding IT disaster recovery
    - ISO 27032 - It provides specific guidance on the implementation of Annex A regarding cybersecurity

    On the ISO site you can find a complete list of related standards: https://www.iso.org/obp/ui/#search
    (filters: standard and ISO/IEC JTC 1/SC 27)

    For more information see:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
    - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
    - ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/

    2 - I was keen to understand about risk. Does it make sense to just use the ISO risk approach, or a methodology like the FAIR Institute's? Lost here in direction to study.

    Answer: ISO 27001 does not prescribe which methodology to use for information security risk management, so you can use the approach that is best for your organization (e.g., FAIR, ISO 27005, ISO 31000, NIST RMF, etc.)

    These articles will provide you a further explanation about risk management:
    - How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
    - How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/

  • ITIL Processes (Practices) Referenced in ISO 20000

    A process is just one part of a practice in ITIL 4, so you can use it while implementing ISO 20000.

    Further on, practices in ITIL 4 contain Practice Success Factors and Key Performance Indicators; both of them can be used while implementing and maintaining an ISO 20000:2018 based SMS.

    Processes in ISO 20000:2018 are:

    1. Service catalogue management
    2. Asset management / Configuration management
    3. Business relationship management
    4. Service level management
    5. Supplier management
    6. Budgeting and accounting for services
    7. Demand management
    8. Capacity management
    9. Change management
    10. Service design and transition
    11. Release and deployment management
    12. Incident management
    13. Service request management
    14. Problem management
    15. Service availability management
    16. Service continuity management
    17. Information security management

  • Health Inspector qualification

    ISO 14001:2015 has no particular requirements concerning those that will implement an environmental management system or be responsible for its operation, maintenance and improvement.
    Each organization is free to define competence requirements for that role.
    Being a Health Inspector may give you some experience with regulations and with the task of working with others to follow rules. Besides that qualification, I recommend learning about ISO 14001:2015 requirements, learning about good internal audit practices, and learning about good implementation practices.

    The following material will provide you more information about training:
    Free webinar - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Enroll for free in this course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    Enroll for free in this course - ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • ISO 27001 and scrum

    ISO 27001 does not prescribe methods for secure software development, so organizations are free to adopt the approach that better fits their needs, and provided the adopted approach fulfills the standard's requirements, auditors will be OK with it. Unfortunately, we do not have details about the use of Scrum in software development in ISO certified organizations, but regarding ISO 27001 implementation, it is an approach as useful and effective as any other project management framework.

    These articles will provide you a further explanation about Scrum and information security, and about ISO 27001 controls for the software development life cycle:
    - How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

  • Standard contractual clause and Data processing agreement difference

    The Standard Contractual Clauses are documents issued by the EU Commission and are meant to be used only when transferring personal data outside the EU. The Data Processing Agreement is to be used when both controller and processor are in the EU.

  • Infosec policies

    If this simplified security policy covers all requirements from the standard, properly addresses the results of the risk assessment and the legal requirements your organization must fulfill, and is understood and easily handled by your employees, then it is acceptable by ISO 27001 requirements and certification auditors.

    Regarding our toolkit, we haven't found a proper policy format that would meet all those criteria, so this is why we recommend the usage of the documents from the toolkit.

    These articles will provide you a further explanation about developing documents:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

  • Risk management manual

    First, it is important to note that usually a methodology is written, not a manual.

    To develop a risk assessment and treatment methodology compliant with ISO 27001 you must:
    1) Define how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
    2) Define how to identify the risk owners
    3) Define criteria for assessing consequences and assessing the likelihood of the risk
    4) Define how the risk will be calculated
    5) Define criteria for accepting risks

    To see what a Risk Assessment and Treatment Methodology looks like, I suggest you take a look at the free demo of our Risk Assessment and Risk Treatment Methodology at this link: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    This article will provide you a further explanation about Risk assessment and treatment methodology:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

  • Scope definition and certification costs

    1. In the institution, we have a core business system, which interacts with and is projected to link with other systems, so I am analyzing whether it is feasible to obtain the ISO 27001:2013 certification only for said system and the entire infrastructure, processes, resources, and assets surrounding this management information system. Is this feasible? No implementation is required for the entire organization.

    The ISMS scope can cover the whole organization, or only specific locations, processes or information, so you can limit your ISMS scope to this system and related assets.

    The main point when considering this approach is the effort required to keep the ISMS scope separated from the rest of the organization's elements (for small and mid-sized organizations many times the effort is not worthwhile, and it is better to include the whole organization in the ISMS scope).

    These articles will provide you a further explanation about the scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

    2. The certificate logo can be used on the homepage of the management system (for an institutional presence issue).

    Once certified, the organization will receive from its certification body instructions on how to use the certificate logo properly, and in a general manner, when the certificate does not cover the whole organization this has to be made explicitly clear in all the uses of the certificate logo.

    3. I understand that you sell the documentary package, but I would like to know the approximate cost of the audit to obtain the certification.

    There are a significant number of variables to be considered when estimating an implementation cost, such as size and complexity of the scope, number of employees, number of sites, etc. Additionally you also have these main topics to consider:
    - Training and literature
    - External assistance
    - Technologies to be updated/implemented
    - Employees' effort and time
    - The certification process

    These articles can provide you more information:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

  • Audit stages

    First, it is important to note that stages 1 and 2 refer only to certification audits. Internal audits do not need to follow this approach (all activities described below are performed in a single "stage").
    Considering that, the ISO 27001 Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation.

    You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Regarding stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.

    Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    This article will provide you a further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

  • EU GDPR applicability

    1. Is the GDPR applicable only to companies, or to private persons as well?

    The EU GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system, so you can see that there is no exclusion of private individuals. However, there are certain Supervisory Authorities (e.g., the Romanian Supervisory Authority) that have mentioned that the GDPR only applies to companies.

    2. Where do I need to publish my privacy policy?

    It depends on the processing activities you want to describe. You can have a generic Privacy Policy covering the bulk of your processing activities, but for very specific ones, such as processing data you collect through your website or the data of your employees, you need a specific Policy/Notice.

    3. Do I need to have an inventory of activities that I do?

    Companies or institutions with fewer than 250 employees are exempt from keeping a record, if the processing is not likely to pose a risk to the rights and freedoms of the data subject, if no special categories of data are processed or if the processing is done only occasionally, as is indicated in Art. 30(5) GDPR. In practice, this exemption is rarely applicable.

    4. Can I use GPS to monitor my sales agents?

    You could use GPS, but not to track your agents; rather, to track the vehicles they are using. However, you need to let them know that this is happening via a Privacy Notice. You can find out more about Privacy Notices from our free webinar "Privacy Notices under the EU GDPR" (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    5. Do I need the consent from my sales agents?

    This depends on the jurisdiction where you are registered. You should check the Supervisory Authority website in the country where you are registered. However, most EU countries do not require registration after the GDPR entered into force last year.
