Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Difference between ISO 27001 and locally published ISO 27001
Answer: I'm not familiar with the Colombian standards, but in most cases the local standards have the same (English) text as the original standard published by ISO, or they are directly translated into local language.
The point is - local ISO standards should not be different from the original ISO standard. -
ISO 27001 phases and corresponding outputs
Answer:
You can use the "List of documents" from our ISO 27001 toolkit which will show you the steps you need to take, and which documents we suggest filling out for each step: https://advisera.com/wp-content/uploads//sites/5/2015/06/List_of_documents_ISO_27001_Documentation_Toolkit_EN.pdf
Also, these materials might help you:
- ISO 27001 Project plan https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation
- Diagram of ISO 27001:2013 Implementation (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process -
Documenting controls from section A.14
I assume your first line refers to A.14.1.1 Information security requirements analysis and specification - we have a template called Specification of information system requirements https://advisera.com/27001academy/documentation/specification-of-information-system-requirements/
Regarding controls from A.14.2 we have this Security development policy https://advisera.com/27001academy/documentation/secure-development-policy/
By the way, ISO 27001 requires you to document only the control A.14.2.5 Secure system engineering principles.
Here are a couple of articles that will help you:
- How to set security requirements and test systems acc ording to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
- What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/ -
Asset owners
Answer:
ISO 27001 does not specify how to do this for grouped assets - theoretically you could write the names of all asset owners in one cell, but it would be more practical to write something like "all people who are using the asset".
See also this article: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Information about external providers
Answer:
I do not have enough information. Therefore, I will assume a scenario that I think adapts to the content of the finding. Perhaps your company requires that critical suppliers must have ISO 9001 certification. If that is so, the finding is requesting that you check that suppliers had made the transition to ISO 9001:2015 version. For example, last week I went to a car shop and they had their ISO 9001 certificate on the wall: it was according to ISO 9001:2008 and was outdated. I would send e-mails, or telephone critical suppliers requesting evidences of their transition to the ISO 9001:2015 version.
The following material will provide you information about external providers:
- ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Environmental aspects and risks
Answer:
There is no mandatory way about how to manage risks associated with environmental aspects. So, you can follow your suggestion if it works for you. For example, normally I have an environmental aspects and impacts register and then, for each impact I list associated risks in different columns in the same register.
The following material will provide you information about assessment of environmental risks:
- ISO 14001 – ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
- Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
- Risk Management in ISO 14001:2015 – What, why and how? - https://adv isera.com/14001academy/knowledgebase/risk-management-in-iso-140012015-what-why-and-how/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Qualification of internal auditors
Answer:
It is up to each organization to establish the competency requirements that its internal auditors must meet. Your organization can have a job description for its internal auditors where it is stated in a clear way what are the requirements. For example, I see organizations stating that internal auditors must have a 20, or 30, or 40 hours training. It is your organization that sets the bar for its internal auditors.
The following material will provide you information about internal audits:
- ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
- free online training ISO 9001:2015 Internal Auditor Course - https://training.advis era.com/course/iso-9001-internal-auditor-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Information Security Program
Answer:
An Information Security Program is a collection of the controls that an organization needs to have in place to protect information and keep information security risks at acceptable levels.
Considering that, to create a ISP you should use the templates related to Risk Management, to identify the risks and proper treatments, and use the Statement of Applicability to present the applicable controls and how they will be implemented.
You must note that this will be only part of the ISMS, and that you should consider implementing all other documents to ensure the controls you decided to implement will be monitored periodically and improved or adjusted as needed.
This material will provide you more information:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ -
Documenting competencies
Is there a template which defines and documents competence for ISMS roles?
Answer:
Records of experience that can be used are references from previous employers or records of activities performed in the organization itself. Training and education records that can be used are certificates and presence lists.
You can use our Training and Awareness Plan template to determine and organize the required competencies for your ISMS. You can see a free demo of this template at this link: https://advisera.com/27001academy/documentation/training-and-awareness-plan/