Answer: I'd say the best way is by examples. In general, the benefits of management systems are related to:
- Enhanced competitive edge
- Reduction of losses due to security incidents
- Reduction of fines due to legal or contractual non-conformity
- Improvement of internal organization
So, the point is to identify for each organization examples that can be related to their context, so it will be easier for the employees and management to figure out the benefits of adopting a management system culture.
Answer: The shortest method is following the best recommended sites regarding the ISO standard you work on, as well as top experts in the field. Often they publish articles, videos and podcasts that you can use to stay up to date with the most recent news about the standard. I recommend that you see our Academies' blogs and subscribe to those that interest you:
ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit at this link: W/…/cloud-documentation-toolkit
Would this be part of the 27001 toolkit?
Documentation elaboration
Answer: First of all, you have to carefully study the standard's requirements, as well as other requirements defined by the organization (e.g., laws, industry regulations, contracts, etc.) to identify what is being demanded. A common mistake when writing policies and procedures is including things that are not required, because people think that this way the documentation will look better. You have to avoid this.
Some other tips I can tell you are:
- ensure the documentation will be understandable by its intended readers
- try to keep the quantity of documents to a minimum, but also do not create a few documents with dozens of pages (either way the documentation will quickly be abandoned)
- make use of templates to ensure people can find the same type of information in the same section of every document.
Answer: It's our policy not to make recommendations about specific tools, but what I can say to you is that not all controls are suited to the use of tools, because some of them require human interpretation of the results.
However, for tasks like documentation version control or measurement gathering, the use of tools is highly recommended.
Answer: In the pre-sale phase you should look for information like: type of business, number of employees, number of locations, number of departments, main business processes, and whether the organization has previous experience with ISO management systems. With this information you can have an overall idea of the business and make an estimate of the effort and time required and of the price of your job.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Answer: I'm assuming you are asking if ISO 27001 certified organizations also need to certify on ISO 20000. Considering that, I can say to you that being ISO 27001 certified does not ensure you are compliant with all requirements of ISO 20000 (ISO 27001 covers information security, while ISO 20000 covers IT services), so if an organization decides, or is required, to operate an IT service management system, it will need to work with ISO 20000 also, but as I said before, the effort will be smaller, because some requirements are already covered by the ISO 27001 certified system.
(Which reference in the sales topic is considered when defining the profit margin for services rendered, as a professional independent auditor/consultant?)
Answer: This answer depends on many variables (e.g., competitors in the market, customers' negotiation power, local taxes and regulations, the consultant's experience and specialization levels, etc.) and business strategy.
Cost avoidance due to ISO ISMS
Answer: Yes, there is. For ISO 27001 one good reference is the Cost of Cyber Crime Report from Ponemon Institute (https://www.ponemon.org/library/2016-cost-of-cyber-crime-study-the-risk-of-business-innovation) (specifically see page 18 - Total cost of cyber crime for low versus high security profiles), but you have to be very careful when presenting this type of data to customers, because each organization has its own unique context, which affects the risks it is exposed to and the impacts it may suffer, so basing a cost-avoidance opportunity on data from another organization can lead to wrong conclusions. You could say that these are only examples and that specific data about the client's organization must be evaluated to provide a more precise picture.