Answer: First of all, you should consider your needs:
- If you need quick wins to handle risks promptly and demonstrate the value of security, then you should start with the Cybersecurity Framework, since it is better when it comes to structuring the areas of security that are to be implemented and when it comes to defining exactly the security profiles that are to be achieved.
- If you have to ensure the implementation will be well integrated with other aspects and areas of your organization, and you have time to plan and implement, then you should go first for ISO 27001, since it can provide a holistic picture for the design of the security system and how it can be managed in the long run.
- The Cybersecurity Framework is a legal issue in the United States - if you are a government agency from that country, you will need to implement it.
If your choice is to go first for the Cybersecurity Framework, it is possible to integrate the implemented controls into the future implementation of ISO 27001, so you will not lose time and effort.
Which of the template documents would refer to that in the best way?
Answer: I recommend you use the following templates:
- Risk Assessment and Risk Treatment Methodology
- Appendix 1 Risk Assessment Table
- Appendix 2 Risk Treatment Table
All of them are located in the folder 05 Risk Assessment and Risk Treatment Methodology in your toolkit. Managing risks in a project is similar to managing risks in an organization; the difference is that a project has a defined duration and a smaller scope (the project scope).
This article will provide you with further explanation about risk management in projects:
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
Question about course
Answer: An ISMS scope can be defined in terms of processes (referred to by products or services delivered to the clients) and/or information to be protected and the locations. In the presented question, Offices London & Edinburgh are only examples (names from other cities or places could have been used).
Answer: Compliance with ISAE 3402, or with any other standard at all, when an organization already has ISO 27001 and is compliant with EU GDPR (currently there are no available certification mechanisms pursuant to EU GDPR article 42 requirements - https://advisera.com/eugdpracademy/gdpr/certification/), may be required because of specific laws, contracts, agreements or other legal requirements demanding them.
Although ISO standards are recognized worldwide, and EU GDPR is mandatory on EU territory, there may be situations in specific countries which require compliance with other standards. The positive thing is that ISO standards are comprehensive enough to help fulfil some of these requirements, minimizing the compliance costs and effort.
Templates available
Answer: We provide templates for all mandatory requirements for implementing an ISMS according to ISO 27001, and the most commonly used policies and procedures. They can be bought individually or as part of specific toolkits. To take a look at our toolkits, please see this link: https://advisera.com/27001academy/product-tour/
My background, in brief, is as below:
1) I hold a Bachelor of Technology degree in Computer Science and Engineering (in India).
2) I have around 27 years of experience in IT, mainly in software development, project management, delivery management of software and pre-sales.
3) I am also PMP (Project Management Professional) & CISA (Certified Information Systems Auditor) certified.
4) I have also got a certification for implementing ISMS (ISO 27001).
My objectives in the near term are the following:
1) Become expert in Audit of ISMS(ISO 27001)
2) Become expert in implementation of ISMS.
3) Become expert in BCP(ISO 22301).
How should I approach gaining more knowledge and becoming an expert so that I can do consultancy in these areas very well/successfully?
I am planning to buy your book "Secure & Simple" for implementing ISMS.
Answer: Regarding ISO 27001 audit, you should consider attending an ISO 27001 Lead Auditor course and getting the Lead Auditor certification, and after that search for opportunities to perform audits.
Considering you already have a certification for implementing ISO 27001, you should practice your skills, either by conducting small-scope implementations at first and then going for bigger or more complex ones, or by participating in a team for a big implementation scope.
For BCP based on ISO 22301, you should consider the lead auditor and lead implementer courses. To improve your skills, you should search for opportunities to perform audits and implementations.
ISO 9001 doesn’t mention what to do when you suspect that someone is using a falsified certificate. If you have suspicions you can start by taking note of the Certification Body (an organization cannot self-grant a certificate). Then, look for the name of the Accreditation Body and check to see if it is a member of the International Accreditation Forum (IAF). If there is no stamp from an Accreditation Body on the certificate then you should be suspicious as to whether the Certification Body is competent to audit.
Answer:
The ITIL Foundation certificate can be achieved by passing the certification exam. For the Foundation level, classroom training is not necessary, which means that you can take the certification exam through web proctoring. However, in that case you must study the whole material by yourself. On the other hand, classroom training provides a faster learning track and (almost always) includes a certification exam opportunity. Also, there are plenty of online trainings, and some of them include or provide the certification exam.
Since 01.01.2018 Peoplecert is the only exam provider, so please check there for web-proctored exam or training providers.
These articles can help you understand the certification path:
"ITIL Certification Path – list of all available ITIL trainings, exams and certificates" https://advisera.com/20000academy/knowledgebase/itil-certification-path-list-of-all-available-itil-trainings/
"How personal certificates can help your company’s IT Service Management" https://advisera.com/20000academy/blog/2017/04/18/how-personal-certificates-can-help-your-companys-it-service-management/
About the risk-based approach
Answer:
Please consider first the ISO 9000:2015 definition of risk: “effect of uncertainty on an expected result”. Based on this definition, I always start from the expected results of an organization, and they can be at a general level (for example, the organization’s budget for this year – what can contribute to not achieving it?) or at a departmental or process level (for example, the launch of new products in the first semester - what can contribute to not achieving it?). I would work with both approaches that you mention, but considering that a more mature management system should already have built in several mechanisms to handle your second approach, that means that more emphasis could be placed on the first one.
The following material will provide you with information about the risk-based approach:
Because the statement of applicability includes business continuity under A.17, would I just find all of A.17 to be not applicable? We have a disaster recovery plan already. And from ISO we have the incident management procedure. We also have an RCA (root cause analysis) on incidents we have had in the past and the actions we took. Also, I cannot seem to find the Business Continuity procedure in Conformio. Which business continuity document is mandatory if found applicable in the SoA?
Answer: There is no need to implement business continuity according to ISO 22301 if you are doing only ISO 27001. The information security aspects of business continuity management referred to in the statement of applicability under section A.17, if such controls are deemed necessary to your ISMS implementation, can be fulfilled by the disaster recovery plan included in your toolkit.