
  • Advisera services


    Answer: We can offer you many lines of assistance with the planning regarding ISO 27001:
    - Through our Learning Center (https://advisera.com/27001academy/what-is-iso-27001) and Free download Area (https://advisera.com/27001academy/free-downloads) you can access for free our articles, white papers and webinars which cover many topics related to planning
    - Through our Expert Advice Community you can ask specific questions to our experts and get an answer in one business day
    - By buying one of our Implementation Toolkits (https://advisera.com/27001academy/pricing), besides the templates, you can schedule meetings with one of our experts to talk about difficulties or doubts you are facing, as well as submit documents for review (the number of meetings and documents for review will vary according to the toolkit you buy)
    - You can attend our online courses (https://advisera.com/training/) to obtain knowledge about specific topics like internal audit.
  • Professional certifications

    Each one of these certifications has a different target group and purpose, so there is no specific order to pursue them (there is no need to pursue all of them at all):
    - CISA (Certified Information Systems Auditor) aims for those who audit, control, monitor and assess an organization’s information technology and business systems.
    - CISM (Certified Information Security Manager) is suitable for individuals who design, build and manage enterprise information security programs (e.g., information security managers)
    - CRISC (Certified in Risk and Information Systems Control) is for IT professionals who seek a career as liaison between IT risk management and enterprise risk management.
    - CGEIT (Certified in the Governance of Enterprise IT) is the best option for professionals who work on enterprise IT governance.

    For more information, please consult this link: https://www.isaca.org/CERTIFICATION/Pages/default.aspx
  • Sales audit


    Answer: The following are general steps you should go through for an internal audit, with comments regarding specificities about sales process:
    - Know the processes: perform a documentation review of the ISMS and sales processes so you can become acquainted with them and identify earlier if there are non-conformities or opportunities for improvement in the documentation regarding the standard
    - Prepare a checklist: while performing the documentation review, create a list of things you should look for during the process audit. For example, if the documentation mentions a certain policy or record, create items in your checklist to look for that record and to ask the people about their understanding of the mentioned policy. Another critical source is the Statement of Applicability (SoA) and the Risk Treatment Plan. You should look at them to identify which risks and controls are implemented for the sales procedure, and use this information to verify if the controls are implemented properly.
    - Take notes (a lot of them): do not trust only your memory (you certainly will forget something), so take notes of people you talk to, records you saw and situations you observed. All this will help you write your audit report.
    - Write non-conformities that will help: once identified, you should make sure a non-conformity is written in a way people from the sales department can understand, or else it will become only another source of problems. So be sure your non-conformity statement includes the situation that was observed, the reference to the procedure, standard clause or any other requirement that was not fulfilled, and the evidence you used to confirm the non-conformity (e.g., the absence of a record, a review minute, etc.).

    Regarding specifically the sales department, you should consider the security of customer's information and the fulfilment of contractual clauses.

    This article will provide you further explanation about internal audit:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Control table and risk assessment and treatment


    Answer: I'm assuming that by control table you are referring to a data structure that directs a program flow according to the values and relations it contains. Considering that, in a risk assessment you should identify risks that could compromise the information in the control table, which could lead the program to flow in an unexpected or unauthorized manner. Examples are unverified changes, malicious code, etc.

    In the risk treatment you should consider options to minimize such risks, like including data input and data output validation, adoption of a formal change process, etc.

    This article will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 17021 Control of Documented Information

    Even though the CB is not ISO 9001 certified, are there any similar requirements under ISO 17021:2015 or any other standard that CBs should comply with?

    Answer:

    Standard ISO IEC 17021-1 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements defines requirements for document and record control for certification bodies. These requirements look more like ISO 9001:2008 requirements for document and record control than the requirements of ISO 9001:2015. Requirements of clause 7.5.2 a) from ISO 9001:2015 have analogous requirements in clause 10.2.3 e) of ISO 17021-1, which says that documents should be "legible and readily identifiable", and this practically means that the same requirements for identification of documents exist in both ISO 9001 and ISO 17021-1.
  • Objectivity vs Impartiality


    Answer:

    Objectivity is sticking to the facts, being guided by the evidence and considering that an event will be closer to the truth the more supporting evidence it has. This is important when gathering evidence during the audit.

    Meanwhile, impartiality is not taking sides, to give up making value judgments and treat as equivalent different versions of an event, believing the truth is in the middle. This is important when making decisions based on the evidence you've acquired during the audit. For example, if you are conducting the audit and making the report or conclusions based on evidence in a way that purposely benefits or mitigates responsibility of certain people for certain audit findings (e.g. nonconformities).

    For more information, see: ISO 9001 internal auditor training: Is it for me? https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • ISO27002 Clause 12.1.1

    Or does the topic mean something else of documents for IT positions?

    Answer: The control A.12.1.1 (Documented operating procedures) is related to documentation of operational activities like computer start-up and close-down, backup, equipment maintenance, media handling, etc.

    To identify which documents are related to an IT System's Engineer role you should document, you need to verify in the IT System's Engineer job description which activities he performs are related to information processing and communication facilities and, considering the results of risk assessment, legal requirements, decisions of top management and operational needs, which procedures should be documented.

    Some examples of documents related to this control are "Backup policy", "IT operational procedures", "Network management", and "Systems monitoring".

    These articles will provide you further explanation about writing policies and procedures:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    These materials will also help you regarding writing policies and procedures:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Becoming a consultant


    Answer: Yes, it is possible to get a job as an ISO 27001 consultant without a certificate, because in most countries there are no formal qualifications required to become a consultant, but you should note that, besides experience, some certifications can really improve your chances of getting a job.

    This article will provide you further explanation about becoming a consultant:
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    This material will also help you regarding becoming a consultant:
    - Webinar: How to become an ISO 27001 / BS 25999-2 consultant https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
  • Annex A Controls


    Answer: An ISO standard's content is defined by technical committees that can be different for each standard. For example, for ISO 27001 the technical committee is the ISO/IEC joint technical committee JTC 1, while for ISO 22301 the technical committee is ISO/TC 292 Security and resilience. These committees work with different contexts and points of view that may result in situations like the one you mentioned, where the ISO 27001 committee decided this standard should have a set of controls attached while the ISO 22301 committee did not see a reason for such details to be attached (in fact, guidance for ISO 22301 is available in ISO 22313 - https://www.iso.org/standard/50050.html).