ISO 27001 does not require a Gap Assessment Report, and this is not a common document used in an ISMS, so there is no specific template available in the toolkits. For gap assessment, I suggest you take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/.
After completing the question-and-answer format, you can provide your email to receive the results, informing you of what you already have, what needs to be done, and suggestions about what to do.
Documentation of security responsibilities
Answer: ISO 27001 only requires the definition, designation and communication of responsibilities and authorities for ensuring that the ISMS conforms to the standard and that reporting on the performance of the ISMS is made to top management. Other duties and responsibilities can be added if the organization identifies a need to do so.
You can document general information security roles and responsibilities in job descriptions, or as a part of the organizational chart, or in the Information Security Policy.
Specific security roles and responsibilities can be documented in policies, procedures, plans, and other documents that you develop as a part of the ISO 27001 implementation.
Answer: ISO 27001 does not prescribe an approach to performing risk assessment, so you can choose the approach that best suits your needs.
Asset-based risk assessment is easier to perform, while process-based risk assessment can provide you with a more understandable context in which to identify and evaluate risks.
We have recorded this in house in the Data Breach Register, recalled the messages to minimize the impact and taken steps to prevent it happening again.
However, I am unable to ascertain if this would require reporting to the ICO. My interpretation is that this would not constitute a risk to the rights and freedoms of individuals and therefore would not require reporting to the ICO. Please can you advise.
Answer: If the only data that was disclosed to unauthorized recipients is email addresses, then I would say it is safe to say that there is no risk to the rights and freedoms of the data subjects and it is not necessary to notify the ICO.
Answer: Yes, it is possible to certify your company only for the first office without expanding the scope of ISO certification; however, be aware that in such a case the other offices will be treated as third parties, which could complicate your operations. Such solutions are better for larger companies, whereas for smaller companies we recommend that you include your whole company (i.e., all of your offices) in the scope.
Clause 8.3.6 applies to design and development changes. Even with an established product or service, your organization can design and develop new and, we hope, improved versions, for example because of technological changes, legal changes, or customer feedback.
The following material will provide you with information about design and development:
There is no requirement in ISO about that. Nevertheless, I would recommend your suggestion. I like to include in the policy an answer to the question: who are we?
The following material will provide you with information about the quality policy:
The company I am helping has a simple function: they have developed, maintain (with ongoing R&D) and service (through Customer Support) a SaaS which is placed online.
They also conduct Marketing & Sales activities as well as internal Finance and internal HR.
They want their scope to be restricted to:
The processes and services that are in scope are to be the development, operation, administration and customer support of the Software as a Service platform ‘Human Resources Management System’, provided by XXXXX HR.
The other functions (M&S, Finance and internal HR) they want to be out of scope.
The issue is that they occupy a single open plan office.
Question: Is the desired scope likely to achieve certification?
Answer: You can limit your ISMS scope to your core business offering, but for small and medium-sized organizations it is usually better to include the whole organization in the ISMS scope, because the effort to manage a scope that covers only part of the organization is not worth it.
Policies, procedures and guidelines
What are differences and similarities between these?
Answer: The main difference between them would be the issues covered. A "Security Policy" deals with security in general, covering multiple subtopics (e.g., physical security, logical security, financial security, etc.). An ISMS Security Policy deals with information security (e.g., protection of information confidentiality, integrity, availability, etc.) in the context of an Information Security Management System (for ISO 27001 this policy is known as the Information Security Policy). A System-Specific Security Policy deals with security considering the specifics needed for the targeted system.
Regarding similarities, all of them have the purpose of defining the rules and behaviors regarding security that users are expected to follow. Their structure would also be the same (e.g., scope, references, rules, responsibilities, etc.).
It is important to understand that for ISO 27001, only the Information Security Policy is mandatory. Other policies may be needed as a result of risk assessment or legal requirements.
2 - What about Manuals & Procedures – where do these documents come in?
Answer: A procedure describes how a specific activity must be performed, while a manual is a set of policies and procedures. ISO 27001 does not require documented procedures (only when specific controls are identified as applicable as a result of risk assessment), and we do not recommend the use of manuals, because they generally become too big and impractical to read or use.
Answer: Guidelines are orientations about how a specific activity must be performed, without the mandatory aspect of procedures (they can be followed or not). Standards are references that must be followed regarding how a specific activity must be performed (for some organizations they are the same as procedures).
Answer: Included with your toolkit you have access to video tutorials that will help you fill in the most critical documents, with real data examples.
If after the tutorials you still think you need more help, you can schedule a meeting with one of our experts, so he can help you solve your issues. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
2. Is it possible to have the document "ISO / IEC 27001 standard" with all the measures to be respected?
In the documents to be completed from the toolkit, the standard ISO / IEC 27001 clause xxx is very often mentioned, as above:
This document is not present in the toolkit that we have purchased and it seems essential to understand and be able to better complete the documents.
Answer: The ISO 27001 standard is the intellectual property of ISO, and we do not have the license to sell it.
3. In the file related to the ISMS area of application, there is a table to be completed "applicability of measures".
3.1. Do we have to complete the "Justification" column even when the measure is selected?
Answer: I'm assuming the document you are referring to is the Statement of Applicability. Considering that, you have to complete the justification when a control is selected.
3.2. Do we have to complete the column "Objectives of the measures"?
Answer: Although the objectives of the measures are not required to be in the SoA, we recommend that you use this column for all controls identified as applicable, because ISO 27001 requires the documentation of objectives for controls or groups of controls, and this way you will have one less document to handle.
3.3 If so, can you provide us with a typical example to complete this table?
Answer: Included with your toolkit you have access to a video tutorial that will help you fill in the Statement of Applicability, with real data examples.