Search results


  • Becoming an ISO 27001 expert


    I am in the consulting area, mainly for ISMS and BCP.

    My background, in brief, is as below:
    1) I hold a Bachelor of Technology degree in Computer Science and Engineering (in India).
    2) I have around 27 years of experience in IT, mainly in software development, project management, delivery management of software and pre-sales.
    3) I am also PMP (Project Management Professional) & CISA (Certified Information Systems Auditor) certified.
    4) I have also got certification for implementing ISMS (ISO 27001).

    My objectives in the near term are the following:

    1) Become an expert in auditing of ISMS (ISO 27001)
    2) Become an expert in implementation of ISMS.
    3) Become an expert in BCP (ISO 22301).

    How should I go about gaining more knowledge and becoming an expert so that I can do consultancy in these areas very well/successfully?

    I am planning to buy your book "Secure & Simple" for implementing ISMS.

    Answer: Regarding ISO 27001 audit, you should consider attending an ISO 27001 Lead Auditor course and getting the Lead Auditor certification, and after that search for opportunities to perform audits.

    Considering you already have a certification for implementing ISO 27001, you should practice your skills, either by conducting small-scope implementations at first and then going for bigger or more complex ones, or by participating in a team for a big implementation scope.

    For BCP based on ISO 22301, you should consider the lead auditor and lead implementer courses. To improve your skills, you should also search for opportunities to perform audits and implementations.

    These articles will provide you further explanation about becoming an ISO consultant:
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    These materials will also help you regarding becoming an ISO consultant:
    - How to become an ISO 27001 / BS 25999-2 consultant [free webinar on demand] https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Suspicions about false certificates


    Answer:

    ISO 9001 doesn’t mention what to do when you suspect that someone is using a falsified certificate. If you have suspicions you can start by taking note of the Certification Body (an organization cannot self-grant a certificate). Then, look for the name of the Accreditation Body and check to see if it is a member of the International Accreditation Forum (IAF). If there is no stamp from an Accreditation Body on the certificate then you should be suspicious as to whether the Certification Body is competent to audit.

    ISO maintains a page where you can report your suspicions: https://www.iso.org/complaints.html
  • ITIL Foundation certificate


    Answer:
    The ITIL Foundation certificate can be achieved by passing the certification exam. For the Foundation level, classroom training is not necessary. That means that you can take the certification exam through web proctoring. However, in that case you must study the whole material by yourself. On the other hand, classroom training provides a faster learning track and (almost always) includes a certification exam opportunity. Also, there are plenty of online trainings, and some of them include or provide the certification exam.
    Since 01.01.2018, PeopleCert has been the only exam provider, so please check there for web-proctored exams or training providers.
    These articles can help you understand the certification path:
    - "ITIL Certification Path – list of all available ITIL trainings, exams and certificates" https://advisera.com/20000academy/knowledgebase/itil-certification-path-list-of-all-available-itil-trainings/
    - "How personal certificates can help your company's IT Service Management" https://advisera.com/20000academy/blog/2017/04/18/how-personal-certificates-can-help-your-companys-it-service-management/
  • About the risk-based approach


    Answer:

    Please consider first the ISO 9000:2015 definition of risk: "effect of uncertainty on an expected result". Based on this definition, I always start from the expected results of an organization, and they can be at a general level (for example, the organization's budget for this year – what can contribute to not achieving it?) or at departmental or process level (for example, launching of new products this first semester – what can contribute to not achieving it?). I would work with both approaches that you mention, but considering that a more mature management system should have already built in several mechanisms to handle your second approach, this means that more emphasis could be placed on the first one.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Business continuity on ISO 27001 implementation

    Because the statement of applicability includes business continuity under A.17, would I just mark all of A.17 as not applicable? We have a disaster recovery plan already. And from ISO we have the incident management procedure. We also have an RCA (root cause analysis) on incidents we have had in the past and the actions we took. Also, I cannot seem to find the Business Continuity procedure in Conformio. Which business continuity document is mandatory if found applicable in the SoA?

    Answer: There is no need to implement business continuity according to ISO 22301 if you are doing only ISO 27001. The information security aspects of business continuity management referred to in the statement of applicability under section A.17, if such controls are deemed necessary to your ISMS implementation, can be fulfilled by the disaster recovery plan included in your toolkit.

    This article will provide you further explanation about business continuity and ISO 27001:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • Property belonging to customers or external providers


    Answer:

    If a customer provides some type of software that is used for the preparation or execution of an order in the manufacturing process, that is included in clause 8.5.3 of ISO 9001:2015. In the case of an external provider, that is included in the same clause if there is some previous agreement about obligations. You can buy an input for your manufacturing process and assume with the external provider that you will not share that input with other organizations. For example, you are a franchisee and receive software from your franchiser with some agreement about intellectual property and other obligations.

    The following material will provide you information about clause 8.5:

    - ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data Subject Access Form


    Answer:

    The "Data Subject Access Form" https://advisera.com/eugdpracademy/documentation/data-subject-access-request-form/ can be used for all the rights of the data subject; it makes no sense to have a special form for each data subject right, otherwise you will end up with lots of documents with similar content. So, my advice is to use the "Data Subject Access Form" for any instance where a data subject makes a request.

    The same is applicable for providing the response: you can use the "Data Subject Disclosure Form" https://advisera.com/eugdpracademy/documentation/data-subject-disclosure-form/ for providing a response to all data subjects' requests.

    Both template documents mentioned above can be found in folder 4 “Managing Data Subject Rights” in our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
  • Implementing ISO 27001


    Can you provide some guidance?

    XXXX is a tiny company - just me and my co-founder. However, I am finding that some of my larger prospects require ISO 27001 certification. So I want to move through this process ASAP. Unfortunately, due to budget constraints, I'm on my own.

    How can I minimize the time required and get certified quickly, but also with quality?

    Answer: The documents in your toolkit are placed in folders in the precise order and structure for your ISMS to be implemented, so to begin your implementation and avoid confusion you should follow this structure (e.g., first the procedure for document and record control, after that the procedure for identification of requirements, then the ISMS scope document, and so on...).

    Regarding the number of documents, the "List of documents" file highlights the mandatory documents, so you should focus on them and keep the implementation of other templates at the minimum.

    Included in your toolkit you have access to video tutorials that will show you how to fill out the documents.

    Also included in your toolkit, you can schedule a meeting with one of our experts so he can guide you on the best way to implement ISO 27001. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    This article will provide you further explanation about ISO 27001 implementation:
    - The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  • Questions on internal audit


    The standard does not define how often the internal audit should be performed, but usually the entire scope of the QMS (Quality Management System) is covered by internal audit within a one-year period.

    How is the importance of processes shown in the audit programme? For example, choosing not to audit resource management during one audit cycle to focus on other parts of the standard?

    A very common and easy way to demonstrate the importance of certain processes is to audit them more often than the other processes; for example, you can audit the manufacturing process twice a year and the rest of the processes only once a year.

    Is there a preview of the ISO 13485 audit checklist for ISO 27001 internal audits also?

    Here you can download free previews of:
    - ISO 13485 Internal Audit Checklist https://advisera.com/13485academy/documentation/internal-audit-checklist-iso-13485-2016/
    - ISO 27001 Internal Audit Checklist https://advisera.com/27001academy/documentation/internal-audit-checklist/
  • Frequency of performing internal audit of ISMS


    Answer: ISO 27001 is not prescriptive about a specific frequency for performing internal audits, but when defining it, the standard requires you to take into consideration the importance of the processes concerned and the results of previous audits (the more problematic or critical the process is, the more frequently it should be audited, and vice versa). Additionally, if your organization is ISO 27001 certified, the certification auditor will expect to see the internal audit performed at least once a year, so you should also take this into consideration.

    This article will provide you further explanation about planning audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding planning audits:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/