Checking information on significant residual risks
Answer: The records you should look for regarding acceptance of the residual information security risks are the information security risk treatment plan approval (regarding clause 6.1.3.f) and the records of management reviews (clause 9.3.e).
From the risk treatment plan you will know who the risk owners are, and this will be your reference to check whether each one of them approved the risk treatment plan and was informed about the results of management reviews.
2 - Explain how to utilize opportunities to promote the implementation of the risk reduction methods and procedures?
Answer: In general, you can justify that by implementing risk reduction methods and procedures an organization can take advantage of opportunities more easily. For example, opportunities to reduce cost include reducing insurance-related costs and the costs of incidents, and both can be achieved by implementing risk reduction methods and procedures.
3 - Explain how to record the risk reduction methods and procedures in the appropriate information systems?
Answer: According to ISO 27001, the mandatory records and documents an organization has to keep to evidence the performance of the risk assessment and risk treatment processes are:
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
Having the objectives, policy, vision and mission signed by the General Manager can be sufficient from the perspective of the standard, unless you have defined in some of your documents that additional signatures are necessary.
Templates and ISO 27018 requirements
Answer: In the List of Documents file that came with the toolkit you bought, you will find the relationship between the templates and the standards' clauses and controls. Specifically for the control A.18.1.1 you mentioned, the templates are "Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements".
Regarding templates for Annex A.4.2, first of all we need to apologize because there is a typing error in the "What is EU GDPR and how can ISO 27001 help?" white paper. The correct control reference is A.4.1, and this one is part of the ISO 27018 standard, which is covered by our ISO 27001 & ISO 27017 & ISO 27018 Cloud Toolkit (https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/). In this toolkit this control is covered by the template "Appendix – Security Requirements Specification".
Lead Auditor and Lead Implementer Certifications
Answer: It depends on your professional goals. If you aim to work on implementing ISO 27001 in organizations, then you should go for ISO 27001 LI. On the other hand, if you want to work as an auditor, then you should go for ISO 27001 LA.
Is research & development part of Design & development?
Answer: You are correct, research & development would fall under the design and development requirements. These requirements are applicable any time your company designs and develops a product or service that is intended for satisfying customer needs. For more information see this article from 9001Academy: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
Internal audit
Answer: As an ISMS implementer, such a situation should be avoided, otherwise you could have problems at the certification audit. The best course of action is for the internal auditor to be a different person from the implementer, because according to ISO 27001 you must ensure the objectivity and impartiality of the audit process, so you should not audit your own activities as information security manager, including the ISO 27001 implementation.
This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
BCP Test
Please guide me what to do in this situation. Please note that the scope of this project was the entire organization.
Answer: Fortunately, you have many approaches you can consider for performing BCP tests, which vary in effort, resource allocation, and the required confidence in test results:
- Desk check – checking the plans by means of auditing, validation, and verification techniques
- Plan walk-through – checking the plans by means of team interaction
- Functional testing – testing all interrelated plans for selected activities (including supplier procedures) with real resources in a controlled (announced) exercise
- Full testing – all activities are relocated from the original site to the alternative site (announced or unannounced)
Since you are doing this for the first time, I suggest you start with a desk check and prepare a plan defining when the other tests can be performed. This way you can ensure a gradual increase in test effort, while all people involved gain confidence in the plan and in their skills to perform it, and at the same time you can provide the required corrective and preventive actions.
Answer: Communication is an activity that is performed by many processes in business continuity according to ISO 22301, with different purposes, so you should consider not having a centralized communication procedure, so as not to overload the people responsible for communication with activities that may not be part of their responsibilities.
Instead of that, I suggest you consider specific communication procedures for the following: Incident Response Plan, Incident Log, and Key Contacts. For each one of these you can find a template in the following links:
Answer: According to ISO 27001 control A.11.2.4, equipment should be properly maintained to ensure its continued availability and integrity. ISO 27002, the standard that provides guidelines for the implementation of ISO 27001 Annex A controls, presents some recommendations such as:
- Observation of suppliers' recommendations regarding maintenance intervals and usage specifications
- Maintenance activities performed only by authorized and competent personnel
- Assurance that equipment that went through maintenance is fit for resuming operation.