Answer: First of all, it is important to understand that ISO 27001 controls go beyond activities in processes and procedures. They are safeguards to protect information that can be implemented as policies, procedures, physical mechanisms or technologies.
Considering that, ISO 27001 requires, as part of the information security risk treatment (clause 6.1.3.b), that the controls necessary to implement information security in the ISMS scope shall be determined. The need to identify and implement security controls for processes/procedures will depend on the results of the risk assessment. Since the risk assessment and risk treatment are mandatory requirements of ISO 27001, this is certainly something auditors will look for.
These articles will provide you further explanation about risk assessment and risk treatment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Answer: ISO 27001 does not specify solutions to maintain online ISMS records, so you can use solutions as simple as keeping files on corporate servers, publishing information on corporate webpages, or using dedicated software like our Conformio platform. You can take a free look at our Conformio platform at this link: https://advisera.com/conformio/
Are internal audit reports mandatory before ISO 27001 certification?
Answer: ISO 27001 requires in its clause 9.2.c that evidence of the audit program(s) and the audit results are retained, so the internal audit reports are mandatory for an organization that wants to be certified against ISO 27001.
>Thank you for answering my previous question. I was wondering if you have a list of the mandatory records and logs needed. If so, are the requirements for each of the records/logs the same? What are the requirements? In your documentation toolkit, in each document you have a section for "managing records kept on the basis of this document". Are all of these records mandatory? If so, are there templates included in the toolkit?
All these documents and records are included in the ISO 27001 & ISO 22301 Premium Documentation Toolkit you bought. Also included in the toolkit there is a List of Documents file (located in the root folder) which shows which requirements and controls are covered by each document or record.
Regarding the section "managing records kept on the basis of this document", some records mentioned in it are not mandatory, but they need to be mentioned because the documents require their usage.
If during the template customization you identify that one or more of those non-mandatory records are not necessary, you can exclude them without problems.
Risk acceptance criteria
You should establish a set of criteria to be used in all your evaluations, so you can produce comparable results. If you adopt different criteria depending on the asset group, the results of that risk assessment will only be comparable to similar asset groups, which will make the evaluation of your overall risk assessment more difficult.
Answer: First of all, you have to identify which requirements your policies must comply with and, considering ISO 27001, which risks you must treat with these policies. After that you have to ensure your policies are all aligned, so no conflicting rules will exist, write your policies, get them approved and train your employees, so they know what is expected from them.
Answer: The way you gather your policies will depend mainly on your organizational context, but as a general model, you may consider procedures related to final users, procedures for technical staff and procedures for management personnel.
3 - What steps will you take to implement ICT best practices within the organisation?
Answer: The first step is the definition of which best practices you intend to use (e.g., ITIL, ISO, COBIT), based on requirements you have to fulfill. The following steps are the same as described in the answer for question 1.
Answer:
It is up to the organization to determine the processes needed for its QMS. You should consider the context of the organization and the application of risk-based thinking to determine the level to which processes need to be detailed.
The following material will provide you information about the process approach:
Yes, you can consider maintenance as a main process.
Organizational knowledge
Answer:
I believe that the question is about organizational knowledge. Organizational knowledge is about maintaining knowledge that the organization considers to be required for the operation of its processes and delivery of products and services according to customers’ expectations, and about acquiring new knowledge based on changing needs and trends.
Maintained knowledge has everything to do with competence. Based on the process approach, your organization can determine which functions play a part in each process, doing what, with what associated behavior. What kind of knowledge is needed to be competent?
The world does not stand still: customers change, technology changes, competitors change, the market changes. How can your organization keep a radar to be aware of new knowledge that can become useful to build the future?
Personally, I like to use a matrix, 2x2:
What knowledge we know that we know?
What knowledge we don’t know we know?
What knowledge we know that we don’t know?
What knowledge we don’t know we don’t know?
When a new person is integrated into the organization, or when performance is not good, organizations give them training (a) and/or put people working side by side with a mentor, a tutor, someone who will pass on uncodified knowledge (b).
When an organization wants to learn new things that are not new in the market, they go to seminars, conferences, training, and ask suppliers for help (c).
Regarding (d), organizations can receive technical magazines, search the internet regularly, buy books and keep an internal library, work with universities, and attend conferences and seminars, always in search mode for something new that can be useful.
The following material will provide you information about the organizational knowledge: