Search results


  • Action plan for internal audit


    Answer:

    To perform an internal audit you should consider these steps:
    - Develop an internal audit procedure
    - Plan your audits, considering dates, criteria and scope
    - Develop checklists to help you not forget something during the audit
    - Elaborate the audit report which will include the non-compliances and other findings

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

    This material will also help you regarding action plans:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 22301 toolkit


    Answer:

    ISO 22301 does not require ISO 27001 implementation, and vice versa. What may happen is that because of business objectives and needs, or legal and contractual requirements, your organization may need to be compliant with both standards.

    This article will provide you further explanation about requirements:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    2- Or if I do both, should I focus on ISO 27001 first?

    Answer:

    In case there is a need for both standards, to decide which you should go for first you have to consider:
    - If your organization faces a multitude of non-IT threats capable of stopping operations, then you should go for ISO 22301 first.
    - If your organization deals with digital products, and information technology processes are the heart of your organization, you should go for ISO 27001 first.

    This article will provide you further explanation about ISO 27001 and ISO 22301:
    - What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
  • Risk assessment


    Answer:

    If you have risks already treated you must include them in your risk assessment table, so you can monitor them in the future. As for how you should score these kinds of risks, the values of consequence and likelihood must consider the current values under the implemented controls (for risks where there are already existing controls, the likelihood and/or impact will be lower), and describe the controls applied in the last column of your risk assessment table.

    By the way, included in your toolkit you have access to video tutorials that can help you fill in the risk assessment table, with real data as examples.
  • ISO 27001 for very small business


    Answer:

    Certainly, it is possible to implement ISO 27001 in a small company without causing too much overhead. Advisera is specialized in supporting small and medium size organizations in the implementation of ISO management systems, ISO 27001 among them. For that purpose we developed toolkits with the minimum documentation required for certification, so organizations are not overburdened with its maintenance. The templates are more than 80% complete, and you only have to adjust them considering your organization's needs. Comments included in each template will guide you on which content can be changed or deleted to fulfill your needs, and which content must be kept to ensure compliance with the standard.

    For your needs I suggest you the ISO 27001 documentation toolkit. You can see a free demo of its contents at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    These articles will provide you further explanation about ISO 27001 and its implementation:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/

    These materials will also help you regarding ISO 27001 and its implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online tool for ISO 27001) https://advisera.com/conformio/
    - Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Data transfer outside of the EU


    Answer:

    Based on your description, if the servers are in the EU and the data does not leave those servers in order to be sent to the mother company in the US, there is no cross-border data transfer. I would also assume that the storage is provided via an affiliate of the EU based company of a subcontractor of the US company.

    If you want to find out more about cross-border data transfers check out this webinar: “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Application of controls, suppliers and HIPAA


    1. Out of the two - Background Checks and signing an NDA - which one of these is mandatory? Is it mandatory to have both (or) is it fine for an organization to have the NDA signed by employees without performing background checks (or) conduct background checks but not necessary to sign an NDA? Please help clarify.

    Answer: Neither is mandatory for ISO 27001. A control from Annex A must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of Background Checks and/or signing an NDA
    - There are legal requirements (e.g., laws, regulations) that require the implementation of Background Checks and/or signing an NDA
    - There is a top management decision requiring the implementation of the Background Checks and/or signing an NDA

    If none of these occur there is no need to implement a control considering ISO 27001 requirements.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    2. An employee's sole responsibility is to create a manual 3rd party or Vendor Risk Assessment (VRA) report by reviewing the documentation on the vendor's control environment shared by the client's vendors. Does it mean that the employee is conducting a risk assessment?

    Answer: Risk assessment comprises risk identification, risk analysis and risk evaluation, and documentation review is one technique to perform risk identification, but a very limited one (it should be complemented with interviews, expert opinion, on-site observation, etc.). So this activity should be considered only as a part of a complete risk assessment process.

    For more information, see:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    This material can also be helpful:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

    3. What are the mandatory requirements for a health care client, e.g. HIPAA?

    Answer: We are not experts on HIPAA, but ISO 27799, a support standard for ISO 27001 whose main objective is to provide security controls to protect personal health information, has many common points with HIPAA, so you can use this standard to be compliant with HIPAA.

    For more information, please see: How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/

    4. Who from the team/organization is responsible to prepare the External Service Provider (ESP) questionnaire?

    Answer: ISO 27001 does not prescribe specific roles for information security related activities, so organizations can designate any roles they see fit, or create a new one if necessary. Considering this specific demand, the person who is currently handling external providers can be designated as responsible for this questionnaire. Another alternative is to assign this activity to the security officer, if there is such a role. One important note is that since it involves external providers, legal advice should be considered, since most requirements would be in the form of contractual clauses.

    For more information, please see:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • Risk assessment report


    Answer:

    ISO 27001 requires you to retain documented information about the information security risk assessment process, and by documented information it means information that is controlled in terms of approval, review, access and changes. If your tool can fulfill such requirements, then there is no need for a risk assessment report.

    This article will provide you further explanation about control of documents and records:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    These materials will also help you regarding control of documents:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Toolkit's content


    Some of the questions may seem obvious, sorry about that. I'll list them so I think it'll be easier to address:
    - Any document that is related to a control, marked with “*” in the LoD, is only mandatory only if such control applies, right?
    - Access control policy; why is it mandatory in CoM but depends on if control is applicable in LoD?
    - 8.A.8 Acceptable use of Assets (CoM) is Acceptable use policy (LoD)?
    - A.12 Any difference between Operating procedure for IT management and Operating procedure for ICT?
    - 8.A.14 Secure System Engineering principles (+ Appendix) in the Checklist, is this one the same as Secure Development Policy (+ appendix) template from the toolkit? I guess, but just to make sure
    - 8.A.15 Supplier Security Policy; this one is not checked as mandatory in the LoD, but the Annex is (only if a control applies) and it is also in the CoM?
    - 8.A.17 Disaster Recovery Plan (LoD) is Business Continuity Procedures (CoM), right?
    - Definition of security roles and responsibilities (CoM); is this in Template 02 in the toolkit or somewhere else?...

    Answer:

    The general answer for your question is always to follow the content of your toolkit, in this case the list of documents file (LoD), because it is the most updated version considering the standard's requirements and templates content.

    Regarding your specific questions:

    - Any document that is related to a control, marked with “*” in the LoD, is only mandatory if such control applies, right?
    Answer: Yes, your understanding is correct

    - Access control policy; why is it mandatory in CoM but depends on if control is applicable in LoD?
    Answer: If you read the article again, you will see in the first paragraph of section "Mandatory documents and records required by ISO 27001:2013" a note informing that "...documents from Annex A are mandatory only if there are risks which would require their implementation.)". So, in both documents the Access Control Policy depends on if control is applicable.

    - 8.A.8 Acceptable use of Assets (CoM) is Acceptable use policy (LoD)?
    Answer: These titles refer to the same template. Please consider the information in the list of documents file of your toolkit as the most updated.

    - A.12 Any difference between Operating procedure for IT management and Operating procedure for ICT?
    Answer: No differences.

    - 8.A.14 Secure System Engineering principles (+ Appendix) in the Checklist, is this one the same as Secure Development Policy (+ appendix) template from the toolkit? I guess, but just to make sure
    Answer: Secure System Engineering principles is one topic in the Secure Development Policy, which covers other controls, like Identification of security requirements.

    - 8.A.15 Supplier Security Policy; this one is not checked as mandatory in the LoD, but the Annex is (only if a control applies) and it is also in the CoM?
    Answer: Please consider it as not mandatory as listed in the list of documents file of your toolkit.

    - 8.A.17 Disaster Recovery Plan (LoD) is Business Continuity Procedures (CoM), right?
    Answer: The Disaster Recovery Plan template can be used to cover the controls related to Business Continuity Procedures in small and medium size organizations. In some organizations their requirements may define the development of additional documents.

    - Definition of security roles and responsibilities (CoM); is this in Template 02 in the toolkit or somewhere else?
    Answer: General roles and responsibilities can be defined in the Information Security Policy, while specific responsibilities and roles are described throughout all templates.
  • Time between surveillance audits


    Answer:
    Surveillance audits have to be performed at least once a year. Consider a certification audit performed in November 2018: the first surveillance audit will take place in November 2019, and the second (and last) surveillance audit in November 2020. After this, in November 2020, the certificate would expire, and a company could go for the recertification audit.

    Some certification bodies schedule surveillance audits within a time frame shorter than 12 months to avoid a situation where a surveillance audit finds major nonconformities and there is no time to close those nonconformities before the 12 month limit after the last audit, a situation that would translate into a loss of certification.

    The following material will provide you information about surveillance audits:
    - ISO 9001 – What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Statement of Applicability


    Answer:

    ISO 27001 Annex A is not to be used as a document for the ISMS. It is a reference for the definition of which controls to use to protect information and to build the Statement of Applicability. The SoA differs from Annex A because it only makes reference to the controls in Annex A (it does not contain the description of each control), and contains other information, such as which controls are applicable, whether they are implemented or not, and justification of controls from Annex A you are not using.

    To see what a Statement of Applicability looks like, I suggest you take a look at the free demo of our Statement of Applicability template at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/

    These articles will provide you further explanation about Statement of Applicability and ISO 27001 documentation:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    These materials will also help you regarding Statement of Applicability and ISO 27001 documentation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/