
  • Risk Assessment responsibilities


    Answer: ISO 27001 does not prescribe who must perform risk assessment, but common practice is that the people who have the most knowledge and understanding of the related processes should perform the risk assessment. So, in the case of an IT or cybersecurity risk assessment, you should consider someone from your IT staff.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

    2. Do you have a sample Risk Management and Risk Assessment RACI chart?

    Answer: ISO 27001 does not require such a chart to be developed, and to make documentation simpler for small businesses, our templates document roles and responsibilities as part of policies and procedures.

    If you want to know what the documentation of a risk assessment and treatment process looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
  • Risk Assessment


    Is it a common practice? Since according to the general understanding of ISMS development I assume that risk assessment should go first.

    Answer:

    Developing policies and procedures before the risk assessment is performed is not a common practice and it is not recommended, because this increases the risk of rework. Even if it seems obvious that some policies are mandatory and you know what should be defined in those policies, if during the risk assessment you identify unacceptable risks you had not thought about earlier, you will have to work on the document again, perhaps needing to make big changes.

    Another problem is that if you include in the policy something to treat a risk you think is unacceptable, but in reality the risk is acceptable if you follow the right order and perform the risk assessment first, then you are making your policy unnecessarily complex and wasting resources.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Templates content


    Answer: First, it is important to note that the SoA is about the applicability of controls. Policies and procedures are examples of methods used to implement controls that are considered applicable because of unacceptable risks, legal requirements or top management decisions. It is also true that you can simply use one phrase in the SoA to explain how a control will be implemented, and not develop a more complex document.

    Considering that, if a control is considered not applicable, an example of a good justification is "there are no unacceptable risks or legal requirements which require the implementation of this control".

    This article will provide you further information:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2. Measurement Report: evaluation frequency (which evaluation frequency is recommended?)
    Answer: There is no "standard" evaluation frequency that can be defined, because there are many variables to be considered: the level of risk involved, measurement complexity, time to process data, etc. This definition should be made on a case-by-case basis.

    This article will provide you further information:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    3. A.11.2.5: Do employees really need written permission?
    Answer: The proper term here would be "recorded" permission, which could be either written or included in a computerized information system. The point here is that you must preserve evidence that an authorization was given, so it is traceable for operational or audit purposes in case of need.

    See this article for further information:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    4. A.14: Does a webhosting company (which isn't developing software) have to comply with any of the controls in this chapter at all? I'm really stuck here.

    Answer: If an organization does not have a software development process, the only other reason to consider some of the controls from section A.14 is when performing system acquisition (e.g. buying a third-party CRM), mainly those related to the definition of security requirements and system acceptance.
  • ISO 27001 Toolkit content


    Answer:

    Some templates include comments with suggestions on how to implement some controls, but these are not detailed technical specifications. ISO 27001 does not focus on technical specifications, but you can rely on other sources like ISO 27002 and NIST SP series.

    For more information please read:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
    - How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

    2. Does the ISO 27001 Document Package include any template for comparing the progress made with respect to the starting point?

    Answer:

    The Project Plan template that is included in the toolkit, in folder 01 Project Plan, can enable you to track the main milestones and the progress of the project.

    You also can use this free ISO 27001 Gap Analysis Tool to evaluate how much of ISO 27001 you have implemented: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
  • Management review policy


    Answer:

    ISO 27001 does not require a specific management review policy to be documented. The requirement for top management to review the ISMS can be found in the Information Security Policy, section 4.5. This template can be found in folder 04 Information Security Policy.

    It is important to note that in the large majority of cases smaller companies do not write a separate Management Review Policy; this is why we didn't include it in the toolkit.

    This article will provide you further explanation about mandatory documents for ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Scope and external providers

    If I understood your question well, this is the answer: if your activity covers just the warehousing operation, then your scope will include just this activity and the processes involved in it. The same will be true for ISO 45001 and ISO 14001, just with a different approach, ISO 45001 in occupational health and safety and ISO 14001 in environmental protection.
  • Controlling outside manufacturer


    Answer:
    Why do you want to have a similar process control at your outside manufacturer? You want good products, delivered on time and at a fair price, and those outcomes can be controlled by you. Perhaps your outside manufacturer has different equipment, different manufacturing experience, different people with different knowledge and experience. I'm more in favor of working the interfaces between organizations to make transactions as seamless as possible and giving freedom in how people or organizations attain mutually agreed objectives. One of the reasons for the success of ISO 9001 since 1987 is allowing companies to have their own quality management systems instead of several, according to the flavor of the week, where the flavor of the week is determined by which customer will be visiting us this week. I experienced that when one of my consulting clients had visits/audits from a French customer, then an English customer and then a German customer. Another topic is your company's dimension and power to impose your own ways of controlling on an outside manufacturer working for several clients.

    The following material will provide you information about subcontracting:
    ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    Understanding outsourcing according to ISO 9001: A case study - https://advisera.com/9001academy/blog/2019/03/19/understanding-outsourcing-according-to-iso-9001-a-case-study/
    Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    Book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Documents review


    Answer:

    Both approaches are valid, but we suggest you only update the latest version date, including in the history of changes that, in the last review performed, no changes were needed and the document remains current. This way you keep the change of versions only for situations where changes in the content were made.

    This article will provide you further explanation about document management:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • ISO 27001 Lead auditor course

    To work for ISO 27001 certification bodies you have to have experience in auditing against ISO 27001, but you have to check with the certification body you want to work for whether your previous experience may be used to reduce the number of required audit hours related to ISO 27001.
  • ISO 27018


    Answer:

    ISO 27018 is not a certifiable standard. It can be used to support the implementation of controls from ISO 27001 Annex A (ISO 27001 is a certifiable standard), providing additional guidance on implementing security practices to protect privacy in the cloud.

    Some certification bodies are issuing unofficial ISO 27018 certificates but only for those organizations already ISO 27001 certified.

    This article will provide you further explanation about ISO 27018:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/