Answer: Together with the toolkits you bought you also have access to a video tutorial that can help you fill the Statement of Applicability. The procedure is the same for considering the specific controls of ISO 27017 and ISO 27018.
You can find these tutorials in Conformio, in the menu "Repository", in the folder "Video tutorials" - see what you need to click here: https://www.screencast.com/t/T5rLxMgc3UJz - these tutorials are quite useful because they will show you how to fill out the real data in the documents, which elements of the documents are mandatory and which are not, etc.
Certification requirements
(What do I need so that my company can be ISO certified?)
Answer: For earning an ISO management system certification, your organization must define, implement, operate, control and improve a management system that is compliant with the requirements of the desired standard, and go through a certification process under an accredited certification body.
Answer: I'm assuming you are referring to ISO management systems. Considering that, since 2012, all ISO management systems are being developed according to the same structure:
1 - Scope
2 - Normative references
3 - Terms and definitions
4 - Context of the organization
5 - Leadership
6 - Planning
7 - Support
8 - Operation
9 - Performance evaluation
10 - Improvement
This makes it easier to integrate them, because in clauses 4, 5, 7, 9, and 10 the texts of the standards are almost the same, and the specifics of each standard are concentrated in clauses 6 and 8.
Answer: To identify if a control is needed for the scope of an organization you need:
- to perform a risk assessment to identify if there are unacceptable risks related to the scope that can be mitigated by the control you are considering;
- to evaluate if legal requirements, such as laws, industry regulations, or contracts, demand the application of the control;
- to consult top management decisions regarding which controls should be applied regardless of the results of risk assessments and legal requirements.
If after that you identify no reason to apply the control, you can consider it out of your ISMS scope.
2 - How to use the ISO 27000 series in small/medium-small companies, where the IT function is 1-10 people!?
Answer: ISO 27001 was designed to be implemented by organizations of any size, but small companies need to take care that they do not write too many documents (the standard itself only requires a few of them).
Answer: I'd say the best way is by examples. In general, the benefits of management systems are related to:
- Enhanced competitive edge
- Reduction in losses due to security incidents
- Reduction in fines due to legal or contractual non-conformity
- Improvement of internal organization
So, the point is to identify for each organization examples that can be related to its context, so it will be easier for the employees and management to figure out the benefits of adopting a management system culture.
Answer: The shortest method is following the best recommended sites regarding the ISO standard you work on, as well as top experts in the field. Often they publish articles, videos and podcasts that you can use to stay up to date with the most recent news about the standard. I recommend you see our Academies blogs and subscribe to those that interest you:
ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit at this link: W/…/cloud-documentation-toolkit
Would this be part of the 27001 toolkit?
Documentation elaboration
Answer: First of all, you have to carefully study the standards' requirements, as well as other requirements defined by the organization (e.g., laws, industry regulations, contracts, etc.) to identify what is being demanded. A common mistake when writing policies and procedures is including things that are not required, because people think the documentation will look better this way. You have to avoid this.
Some other tips I can tell you are:
- ensure the documentation will be understandable by its intended readers
- try to keep the quantity of documents to a minimum, but also do not create a few documents with dozens of pages (either way the documentation will quickly be abandoned)
- make use of templates to ensure people can find the same type of information in the same section of every document.
Answer: It's our policy not to make recommendations about specific tools, but what I can say to you is that not all controls are fit for using tools, because some of them require human interpretation of the results.
However, for tasks like documentation version control or measurement gathering, the use of tools is quite recommended.