In a general manner, to determine the time needed for each step individually you need to:
1 – Identify which result you have to deliver (e.g., information security policy)
2 – Identify which tasks are required to produce that result (e.g., interview top management, elaborate a policy draft, submit draft for evaluation, update draft if needed, approve final version, etc.)
3 – Identify how much time you need to perform each task
4 – Identify the sequence in which the tasks should be executed
After the sequencing you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.
When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you about 10% of the time, risk assessment about 30% of the time, implementation of controls about 50% of the time, and final activities (internal audit, management review, corrective actions) about 10% of the time.
Included with the toolkit you bought you have access to Conformio platform, where you'll find ISO 27001 Step-by-step guide that also can help you.
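As an added illustration of the estimating method described in this answer (this is example code, not part of the original answer or of the toolkit), the Python script below takes a list of tasks with durations and predecessors and finds the longest dependency chain, which is the time needed for the deliverable. The task names and durations are constructed, hypothetical values for producing an information security policy; the "legal_review" task is a made-up parallel branch included to show why the answer is the longest chain and not the sum of all task times.

```python
from collections import deque

# Constructed example (hypothetical durations in working days) for one
# deliverable: the information security policy. Each task maps to
# (duration, [tasks that must finish first]).
POLICY_TASKS = {
    "interview_management": (2, []),
    "draft_policy": (3, ["interview_management"]),
    "submit_for_evaluation": (1, ["draft_policy"]),
    "update_draft": (2, ["submit_for_evaluation"]),
    # Hypothetical parallel branch: legal reviews the draft while it is
    # being evaluated and updated; approval waits for both branches.
    "legal_review": (4, ["draft_policy"]),
    "approve_final": (1, ["update_draft", "legal_review"]),
}


def critical_path(tasks):
    """Return (total_days, [task names on the longest chain]).

    Each task starts as soon as all its predecessors have finished, so the
    deliverable is done when the last task on the longest chain finishes.
    Raises ValueError for unknown predecessors or circular dependencies.
    """
    indegree = {name: len(preds) for name, (_, preds) in tasks.items()}
    successors = {name: [] for name in tasks}
    for name, (_, preds) in tasks.items():
        for p in preds:
            if p not in tasks:
                raise ValueError(f"{name} depends on unknown task {p}")
            successors[p].append(name)

    # Kahn's topological sort: process a task only after all predecessors.
    order = []
    queue = deque(name for name, d in indegree.items() if d == 0)
    while queue:
        name = queue.popleft()
        order.append(name)
        for s in successors[name]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle: the tasks can never all finish")

    # Earliest finish of each task, and which predecessor determined it.
    finish, via = {}, {}
    for name in order:
        duration, preds = tasks[name]
        start = max((finish[p] for p in preds), default=0)
        finish[name] = start + duration
        via[name] = max(preds, key=lambda p: finish[p], default=None)

    # Walk back from the last task to finish to recover the longest chain.
    last = max(finish, key=finish.get)
    path = []
    while last is not None:
        path.append(last)
        last = via[last]
    path.reverse()
    return finish[path[-1]], path


if __name__ == "__main__":
    total, path = critical_path(POLICY_TASKS)
    print(f"{total} working days via: {' -> '.join(path)}")
```

For the constructed data the sum of all durations is 13 days, but the deliverable is ready after 10, because "submit_for_evaluation" and "update_draft" run in parallel with the longer "legal_review" branch. Feeding the script the task lists of every deliverable, and summing the results per phase, gives the whole-project figure the answer above describes.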
I'm assuming you are referring to business continuity strategies. Considering that, the main variables you have to consider together with the results of business impact analysis and risk assessment are the available resources (e.g., personnel, capital, equipment, etc.), potential solutions (e.g., build/rent facilities/equipment, adopt new technologies, modify processes, etc.), business objectives, and risk tolerance. The business continuity strategies to be adopted will have to balance all these variables. For example, if technical solutions are too expensive, you may have to rely on a strategy based on administrative controls, and maybe increase your risk tolerance. On the other hand, you may identify that lowering risk tolerance is not an option (e.g., because of legal requirements), and you may have to adjust business objectives.
For the purposes of ISO 27001, "Information system" is defined by ISO 27000 (Overview and vocabulary for Information security management systems) as "set of applications, services, information technology assets, or other information-handling components".
As examples we can mention the modules of an ERP system and the MS Office Suite.
B2B Sales
Answer:
If you use the customer database to communicate with them about the contracts you have in place, for example to send them invoices, there is no problem getting in touch with the customers. Regarding whether the account managers are able to do that or not, this is a matter of internal company rules on communication. You can also reach out to customers asking them if they want to be targeted by marketing campaigns, but once a customer refuses you should not get back to them with a similar request.
For an organization to be able to audit ISO standards, it has to be compliant with ISO 17021 (the standard for organizations which want to get accredited for certifying management systems) and recognized by the accreditation body of the country in which it wants to work.
I think there is a misunderstanding here. The requirement of 4 years of experience, 2 of which in InfoSec, refers to someone who wants to work as an auditor for a certification body. This requirement is not applicable for the Lead Auditor certification purposes, so you can get the certification if you pass the ISO 27001 Lead Auditor exam.
Frequency for surveillance audits
Answer: Normally certification bodies establish a one-year interval between surveillance audits, but in specific cases this interval can be shorter.
When surveillance audits are annual, in year 3 only the recertification audit is needed.
Audit competencies
Answer:
To audit other ISO management standards based on your competencies as an ISO 27001 internal auditor, you have to demonstrate verifiable evidence that you also have competencies in those ISO standards.
For example, if you have attended e.g. ISO 9001 Foundations course, or have previous experience with an ISO 9001 QMS, you can audit ISO 9001.
Although this article aims to ISO 27001, the concepts are valid for any ISO management standard.
Filling templates
Answer: The data related to "version 0.1" in the history section is only for exemplification purposes. You can replace this information with your own.
2. The Risk Assessment of course is the bulk of the questions from asset owners. Some are clear, such as physical equipment. Some are less obvious, for example SaaS software common these days such as CRM software, GoogleSuite, Office365 etc. - does each of these get listed as a separate asset with a separate owner, or can each be listed with a central asset owner? The permutations will very rapidly end up with hundreds of assets for our 5 person company, with then thousands of Risks (by threat and vulnerability). Would you have any samples for very small start-up companies with < $1M in revenues and all assets are cloud based (SaaS, AWS, personal compute devices etc.)? I plan to do all the heavy lifting as much as possible and will interview the other employees.
Answer: ISO 27001 does not prescribe how the inventory of assets should be developed, so you can use the organization that best fits your needs. Some suggestions are:
- Organize by SaaS provider (e.g., Google applications, Microsoft applications, etc.)
- Organize by purpose (e.g., HR applications, Collaborative applications, etc.)
The most important tip here is that you have to simplify the process by grouping similar assets.
Regarding the designation of assets owners the same applies (you can have one person responsible for all related assets, one for each asset, or a mixed approach). If several users across the company are using particular software or SaaS, then the most senior of them can be the asset owner.
Regarding a sample of assets, this template has a sheet with a catalogue of assets.
National Competent Authority refers to a government body that is in charge of handling matters related to medical devices in your country. In this case, it should be ANVISA. You might want to discuss with the certification body that audited for ISO 13485 if necessary before any submission.
For more information, you might want to refer to :