
  • Auditor definition

    As long as Jack does not audit his own work, there is no conflict of interest in this scenario, even if John and Jack have the same boss.

    This article will provide you with further explanation about internal audit:

    These materials will also help you regarding internal audit:

  • Certifications merge

    This situation needs to be evaluated by the certification bodies that issued the certifications, so you should contact them to receive proper clarification.

    Technically speaking, the “merge” would mean an update in the scope of the certification that would receive the merged certification, and all sequential steps after a scope update (e.g., review of risks, implemented controls, etc.).

    This article will provide you with further explanation about integrated management systems:

  • BCMS | ISO 22301:2019

    The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard requirements, top management involvement, etc.), but for companies of up to 200 employees the implementation time is up to 8 months.

    To get an insight into the time duration for your organization, please read (although the material is about ISO 27001, the same concepts apply to ISO 22301):

    • Time, effort and roles for the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#effort

  • Entry into the IT department

    1 - I would like to know if the ISO 27001 standard talks about a single point of entry into the IT department. I would like to know if ISO 27001 talks about multiple entries into the IT department and best practices.

    I’m assuming that by “single point of entry into the IT department” you mean physical access to the department.

    Considering that, ISO 27001 does not provide specifics about the implementation of security controls. It only provides a general description of the controls.

    In general terms, physical single and multiple points of entry into the IT department fall under Annex A control A.11.1.2 (Physical entry controls), as ways to implement this control.

    For further information, see:

    2 - If not, what standard should I look out for?

    For guidance on the implementation of ISO 27001 security controls, you should look to ISO 27002, which provides guidance on the implementation of ISO 27001 Annex A controls.

    This article will provide you with further explanation about ISO 27002:

  • Supplier Security Policy Question

    The Supplier Security Policy applies to all companies that provide or will provide services to your company, but not to your customers (customer requirements are handled through the List of Legal, Statutory, and Contractual requirements template, located in folder 2 Identification of Requirements).

    This article will provide you with further explanation about suppliers’ security:

    • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • Backup and DR plans - outsourced services

    Please note that RTOs are usually set at the department level, while RPOs are set at the application level.

    Considering that, you do not need to define a specific RTO for each application. They will inherit the RTO from the business departments they are related to.

    Regarding the RPO, you can group applications according to their criticality or other predefined criteria (e.g., belonging to the same department or process, having a similar RPO) and define a single RPO for the whole group. Therefore, you will have a different RPO for each of your 3 categories of applications.

    This would make your administration job easier, but you need to evaluate the impact of adopting general RTOs/RPOs considering the allocation of resources and the fulfillment of legal requirements.

    These articles will provide you with further explanation about RPO and RTO:

    • What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
    • Explanation of the most common business continuity terms https://advisera.com/27001academy/blog/2021/01/18/explanation-of-most-common-business-continuity-terms/

  • ISO 27001 Scope Document

    1 - Do we need to show network documentation of all offices in the ISMS scope, or can we put reference links to the documentation?

    For the ISMS scope document, there is no need to show network documentation, but if you want you can include reference links to detailed documentation.

    2 - Do we need to include network diagrams of each office in the ISMS scope document?

    There is no need to include high-level topology diagrams, but if you want you can include references like those included on page 5 of each of your documents to give an overview of the network topology.

    3 - Do we need to include the XYZ1 office in the scope, as the whole outsourcing department works from XYZ2, and it's only the senior managers like the CEO and Founder who work from XYZ1, including the IT security administrator?

    Yes, you should include the XYZ1 office in the scope, or at least the part of the office with senior management and the IT security administrator.

    4 - Will an ISMS scope focused on the outsourcing department's IT infrastructure be enough, or do we need the ISMS scope to cover the *** IT operations infrastructure across the business?

    This answer will depend on the information you want to protect. In case you want to protect the information handled and processed by ***, then you need to include the IT operations infrastructure that runs across the business. If this is not the case, then the scope covering the Outsourcing department will be enough.

  • SOA Control Objectives

    The controls listed in the SoA template included in the ISO 27001:2022 toolkit are the same ones defined in ISO 27002:2022.

    Please note that the column “Control Objectives” needs to be filled in by the organization. Control objectives are not mandatory in the SoA, but including them in the SoA will make it easier to follow them and reduce the administrative effort of keeping them in a separate document.

    These articles will provide you with further explanation about ISO 27001 and ISO 27002 controls:

    • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    • Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/
    • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

  • Add Further Reference Documents

    You can address these requirements in your ISMS by including the ISM and the RFRR as legal requirements in the Register of Requirements module.

    In addition to including these requirements in the Register of Requirements, you need to implement the security controls related to them. These will be automatically identified in the Statement of Applicability when you define the information in the “To what area is this requirement related?” field in the Register of Requirements module for each entry.

    Considering the ISM, suggested areas are “Specifying mandatory safeguards” or “Identification of stakeholders and security requirements”.

    Considering the RFFR, the suggested area is “Risk Management”.

  • ISO 27001 - Question nonconformities

    Please note that findings do not become nonconformities because they are related to risks, but because they evidence noncompliance with defined rules (e.g., policies and procedures), planned actions (e.g., actions not executed or wrongly executed), or expected results (e.g., missing results or wrong results).

    Regarding the classification of nonconformities, ISO 27001 does not require them to be classified, so you can adopt the criteria that best fit your needs. Associating them with a risk level is an acceptable criterion. Certification audits use minor and major levels to classify nonconformities, and this is also an option for you.

    This article will provide you with further explanation about the classification of nonconformities:
