From the standard, I am not able to gauge whether the above fields are mandatory.
Answer: The justification for inclusion is needed because the reason for applying a control will help you understand how to evaluate its effectiveness. For example, if the reason is the results of the risk assessment, then we have to check which risks are being treated by the control to ensure all of them are being handled properly. On the other hand, if the reason is a legal or contractual requirement, we need to identify whether this requirement is being properly fulfilled.
You can find the requirements for filling the SoA in the clause 6.1.3 d) of ISO 27001.
This document provides a list of questions to help perform an internal audit against ISO 27001, so you can verify compliance with the standard's requirements and applicable controls.
Answer: Yes, according to ISO 27001, you have to document operational planning and control, but the extent of what will be documented is up to what the organization decides is sufficient to ensure the processes are being performed as planned. In our experience, some controls require more detailed documentation than others, but in general there is no need for a 'manual' to centralize them all.
Checking information on significant residual risks
Answer: The records you should look for regarding acceptance of the residual information security risks are the approval of the information security risk treatment plan (clause 6.1.3 f) and the records of management reviews (clause 9.3 e).
From the risk treatment plan you will know who the risk owners are, and this will be your reference to check whether each one of them approved the risk treatment plan and was informed about the results of management reviews.
2 - Explain how to utilize opportunities to promote the implementation of the risk reduction methods and procedures?
Answer: In general, you can justify that by implementing risk reduction methods and procedures an organization can take advantage of opportunities more easily. For example, there are opportunities to reduce costs by reducing insurance-related costs and the costs of incidents, and both can be achieved by implementing risk reduction methods and procedures.
3 - Explain how to record the risk reduction methods and procedures in the appropriate information systems?
Answer: According to ISO 27001, the mandatory records and documents an organization has to keep as evidence that the risk assessment and risk treatment processes are performed are:
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
Having the objectives, policy, vision and mission signed by the General Manager can be sufficient from the perspective of the standard, unless you have defined in some of your documents that additional signatures are necessary.
Templates and ISO 27018 requirements
Answer: In the List of Documents file that came with the toolkit you bought, you will find the relationship between the templates and the standards' clauses and controls. Specifically for control A.18.1.1 that you mentioned, the templates are "Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements".
Regarding templates for Annex A.4.2, first of all we need to apologize because there is a typo in the "What is EU GDPR and how can ISO 27001 help?" white paper. The correct control reference is A.4.1, and this one is part of the ISO 27018 standard, which is covered by our ISO 27001 & ISO 27017 & ISO 27018 Cloud Toolkit (https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/ ). In this toolkit this control is covered by the template "Appendix – Security Requirements Specification".
Lead Auditor and Lead Implementer Certifications
Answer: It depends on your professional goals. If you aim to work on implementing ISO 27001 in organizations, then you should go for ISO 27001 LI. On the other hand, if you want to work as an auditor, then you should go for ISO 27001 LA.
Is research & development part of Design & development?
Answer: You are correct, research & development would fall under the design and development requirements. These requirements are applicable any time your company designs and develops a product or service that is intended to satisfy customer needs. For more information see this article from 9001Academy: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
Internal audit
Answer: As an ISMS implementer, you should avoid such a situation, otherwise you could have problems at the certification audit. The best course of action is for the internal auditor to be a different person from the implementer, because according to ISO 27001 you must ensure the objectivity and impartiality of the audit process, so you should not audit your own activities as information security manager, including the ISO 27001 implementation.
This material will also help you regarding Internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/