  • Questions about ISO 27001

    1. How to do a gap analysis of the status of my management system against the ISMS requirements of ISO 27001:2013?

    To perform a gap analysis of your ISMS against ISO 27001, please access our free tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    This is a simple question-and-answer list that allows you to visualize which specific elements of an ISMS you’ve already implemented, and what you still need to do.

    2. List of documents required to comply with the ISO 27001 ISMS requirements.

    Included in your toolkit you have a list of documents that shows you which are the mandatory documents to be compliant with ISO 27001.

    3. How to develop an ISO 27001 ISMS communications program for interested parties, and what should this program contain?

    Please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that a communication program needs to be developed or documented.

    Considering that communication is an activity performed by many processes in information security according to ISO 27001, with different purposes and interested parties, having a centralized communication program would overload the people responsible for communication with activities that may not be part of their responsibilities. That’s the reason there isn’t a specific template for a communication program.

    The main documents in the toolkit that define how communication needs to be done (which could be considered as part of a communication program) are:

    • the Information Security Policy, located in folder 4 General Policies
    • the Training and Awareness plan, located in folder 9 Training and Awareness
    • the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
    • the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

    4. How to develop an ISO 27001 ISMS awareness program for stakeholders, and what should this program contain?

    For information security, these are some security practices you should consider (without more information about your context, it is not possible to suggest additional alternatives):

    These articles will provide you with further explanation about security practices:

    You can use the Training and Awareness Plan template, located in folder 9 Training and awareness, to document the activities to be performed.

    5. How to develop a management review procedure or program?

    Please note that ISO 27001 does not require a procedure for Management Review to be documented, so to be compliant with the standard you can just use the Management Review minutes template located in folder 11 Management review.

    In case your question is about review periodicity, the minimum is to perform a management review once a year, or more often if any major change happens that can influence information security (e.g., there is a new client who has very particular requests regarding the confidentiality or availability of your systems). However, it could be done more often (e.g., quarterly) if management wants to be more involved in operational issues.

    For further information, see:

  • Determining scope of certificate for company that outsources production processes

    No matter whether the production process is outsourced, that process must be in the scope. From the market point of view, regardless of the fact that production is outsourced, the company is responsible for the product.

  • Scope question

    1 - What do we really mean when we say that something is included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site, and processes in the scope? Or, if not, does this need to be described in the ISMS somewhere? (For example, if we have a sales process and this sales process doesn’t apply to an office that we say is in scope, do we then need to document this in the ISMS?)

    The meaning of something being included in the ISMS scope is that this thing is information, or something related to information, that the organization wants to protect.

    For example, if customer information is in the ISMS scope, then it means that this information needs to be protected. In case a sales process is in the ISMS scope, it means that all kinds of information related to the sales process need to be protected.

    In your example, in case the sales process is not related to any information you want to protect (those related to the office you mentioned), you do not need to include it in the ISMS scope (or you can explicitly state that the sales process is out of the ISMS scope).

    For further information, see:

    2 - Could we exclude offices/departments from the ISMS because we don’t share the same core processes, if we at the same time share support processes (HR and some IT processes, for example) and steering processes?

    Yes. The ISMS scope can be defined in terms of only part of the organization, but please note that for small organizations of up to 100 employees, it is better to define that the whole organization is part of the scope, because the effort to separate the elements that are in and out of the ISMS scope may not be worthwhile.

    This article will provide you with further explanation about the scope definition:

  • Question about certification requirements

    1 - Could you explain how the certification process is done and what the average costs are?

    The ISO 27001 certification process is performed in two stages:

    The stage 1 certification audit is also called "Documentation review": the auditor will evaluate whether you have all the mandatory documentation.

    You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    In stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.

    Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you with a precise estimation.

    There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.

    2 - Can Advisera do this certification?

    Currently, Advisera does not perform certification audits.

    3 - Can the certification be done online / remotely, or does it need to be done onsite?

    Details on how the certification audit can be performed need to be evaluated on a case-by-case basis with the certification body, so you need to contact your certification body for this kind of information.

    4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.

    First, you should consider a gap analysis to understand your situation. You can use this tool for gap analysis: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    Once you know where you are, you can consider these general steps to be prepared for certification:

    1) getting management buy-in for the project

    2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties

    3) development of risk assessment and treatment methodology

    4) perform a risk assessment and define a risk treatment plan (at this point you can make use of process frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandated by the standard)

    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

    6) people training and awareness

    7) controls operation

    8) performance monitoring and measurement

    9) perform internal audit

    10) perform a critical management review

    11) address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you with a further explanation of ISMS implementation:

    Regarding implementation approaches, the most common are:

    • Use your own staff to implement the ISMS
    • Use a consultant to perform most of the effort to implement the ISMS
    • Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

    Each one of them has its advantages and disadvantages.

    For more information, I suggest the following materials:

    These materials will also help you regarding ISO 27001 implementation:

  • Training and awareness plan

    To fill in the training and awareness plan, the first thing you need to do is identify which competence gaps you have (i.e., which knowledge or skills your employees need to have). Some examples are:

    • Use of passwords
    • Backup operation
    • Software installation and patching
    • Performing of internal audit

    Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? At what frequency should you perform them (e.g., weekly, monthly, annually)?

    After that, you need to evaluate whether these gaps can be filled by internal personnel, or whether you will need external support.

    Once you have these answers, you can start defining your training and awareness plan.

    These articles will provide you with a further explanation about awareness:

    This material will also help you regarding awareness:

  • Quality Manual

    Some labs have copied the whole ISO standard as their quality manual; may I know whether this is acceptable?

  • Not Applicable Controls for SAAS Environment

    Please note that the SoA needs to be developed based on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts).

    In case you do not have a risk relevant enough to justify the implementation of a control, then you do not need to implement it (i.e., state it as not applicable in the SoA).

    The same applies to legal requirements. In case you do not have a law, regulation, or contract that justifies the implementation of a control, then you do not need to implement it.

    For further information, see:

    To see examples of applicable controls based on risk assessment, please, see:

  • Good Manufacturing Practice in pharmaceutical

    Yes, there is a certificate for GMP, which can be provided either by the notified body or by a competent authority in a particular country (usually the Ministry of Health, but you need to check how this is organized in your country).
    A company that has ISO 13485 cannot use the GMP mark without approval from the notified body or competent authority.

  • Record Control Table and Approved Supplier List

    You do not need to have a record control table as a separate document, but you do need to have a record control table within each policy or procedure where you require certain records to be created - this record control table is already included in all the document templates in Conformio.

    For further information, see:

    Regarding approved supplier lists, ISO 27001 does not require this record to be kept, so it would be a management decision to keep such a record in case it considers it relevant to its processes.

  • Specific Documents

    Please note that the above-mentioned clauses are covered by the following:

    • Clause 4.1 Understanding the organization and its context can be evidenced by means of the documents "List of Legal, Regulatory and Contractual Requirements", generated by the 'Register of legal, contractual and other requirements' module, and "Risk Assessment and Risk Treatment Report", generated by the 'Risk register' module.
    • Clause 5.1 Leadership and commitment can be evidenced by means of the documents "Information Security Policy", "List of Security Objectives", "Risk Assessment and Risk Treatment Report", "Risk Treatment Plan", and "Management review report".
    • Clause 6.1.1 General, which refers to risks related to the Information Security Management System itself, can be evidenced by means of the "Risk Treatment Plan".
    • Clause 6.1.2 Information security risk assessment can be evidenced by means of the "Risk Assessment and Risk Treatment Methodology".
    • Clause 9.1 Monitoring, measurement, analysis, and evaluation can be evidenced by means of the records defined in each policy and procedure you have implemented.