Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Controls applicability
P.S. we did a risk assessment for the IT-Services delivered and Chose the controls from A.15 for rist mitigation.
Answer: Even if your organization's IT operations are outsourced, some controls from section A.12 might still be applicable to it, like A.12.1.2 (change management), A.12.1.3 (Capacity Management) , and A.12.7.1 (Information systems audit controls), so you have to perform an evaluation first to verify this situation before consider all controls as "not applicable". For those t hat are totally under the provider control you can state them as "not applicable", providing as justification the IT operation is outsourced.
Regarding stating a control as "applicable" referring it to the ISMS of another organization, you cannot do that because you do not have control over provider's ISMS (at most you are an interested party - customer - that is considered in that ISMS context). For situations like that you can state controls from section A.15 as "applicable" to your ISMS, to ensure that the provider will take as much care of IT security as if you were performing the IT operations yourself. For example, if in your IT operations you would use backup practices, you have to ensure the service agreement also define that the provider also has I to use backup practices.
This article will provide you further explanation about suppliers and controls applicability:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
These materials will also help you regarding supplies and controls applicability:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Implementation alternatives
Answer: The first thing you should consider is the duration of your ISO 27001 implementation project and the deadline for EU GDPR compliance. If your project can be concluded before the deadline maybe it is better to start with ISO 27001 because, as you said, it can deliver an environment which satisfies GDPR and other requirements your organization may have for the ISMS.
If your project cannot be finished before the deadline, you should consider if a reduction in the certification scope, e.g. to cover only the part of the original scope that would be related to EU GDPR, can allow you to meet the deadline, and if post poning the implementation of the remaining scope is acceptable (since the management part of the system will be already implemented you will have less activities to perform).
If none of these alternatives are acceptable, then you should consider going first for EU GDPR compliance, and after that make arrangements in the ISO 27001 implementation project to include those controls in the system.
This articles will provide you further explanation about ISO 27001 projects:
- ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
These materials will also help you regarding ISO 27001 projects:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/ -
Temporary change process controls
Answer:
The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan.
The standard requires documenting procedure for managing the use of alternate controls and this can be part of your production procedure, and standard work instructions are required for each alternate control. -
ISO 31000 and ISO 27001
Answer: Yes, but as means to provide a common basis to align the information security risk management with other types of risk management in a company (e.g., quality risks, environmental risks, etc.). ISO 31000 by itself is not enough to comply with ISO 27001 because risk management requirements in ISO 27001 are much more detailed than in ISO 31000.
This article will provide you further explanation about Risk Management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
These materials will also help you regarding Risk Management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Business Continuity Lifecycle document
Answer: According ISO 22301, there is no requirement demanding such specific document, so unless defined by your organization, a law or another legal requirement, like a contract, you do not need to have it in your management system.
The business continuity life cycle is covered from standard's clauses 8.2 to 8.5, so, considering the list of documents that comes with your toolkit, you can share the following documents (of course the auditor can ask about the records related to these documents too):
Business Impact Analysis Methodology
Business Continuity Strategy
Business Continuity Plan
Incident Response Plan
Disaster Recovery Plan
Exercising and Testing Plan
BCMS Maintenance and Review Plan
This article will provide you further explanation about Mandatory documen ts for ISO 22301:
- Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/ -
Becoming an auditor
Answer: Yes, your previous experience will count in your formation as an auditor. Your competencies in IT will help you understand the auditee scenario, define what you should look for as evidence and define proper non conformities statements and recommendations for improvement.
To start you journey to become an information security auditor you should attend an ISO 27001 lead auditor course, so you can understand the concepts of ISO 27001 management system and the processes and techniques involved in an audit. After being approved in the course you need to accumulate audit hours, first as an observer, and after that as an audit team member, so you can gain understanding and experience in practical audits. After sufficient auditing hours, and good evaluations from your team lea der, you can achieve the status of auditor and after that lead auditor.
This article will provide you further explanation about becoming an auditor:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
These materials will also help you regarding auditing:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/ -
Compliance list
Many thanks. -
Information security implementation
Answer: Considering the situation you presented, it seems you need a quick action to fix some issues as soon as possible and a longer term plan to maintain the results. Also considering you mentioned a limited staff, maybe hiring a cyber expert for the quick action would be the best option, even considering the higher costs of a consultant, because in this case delaying the fixes let you vulnerable for much more time. And you could ask the consultant to use as reference the practices of cyber essentials.
For the longer term plan, the implementati on of ISO 27001 can help you manage the implemented security, and for that you have three implementation alternatives: hiring a consultant (maybe the same you hired for the quick fix), implementing on your own, or implementing on your own with expert support. Each alternatives have their pros and cons, and I suggest you to take a look at this white paper to identify which alternative is best for you: Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach
Regardless the way you choose, when ISO 27001 is implemented properly, you won't focus too much on documentation - rather, you'll focus on changing the way your employees are using the technology, and therefore decrease the number of security incidents. Here's an article that will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
This article will provide you further explanation about information security implementation:
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
These materials will also help you regarding information security implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Formulating questions during internal audit
It means to audit your company against ISO 9001:2015 requirements to determine to what level your company is compliant with the standard. -
Providing evidence for clauses without mandatory documents
Answer:
The fact that there are no mandatory documents doesn't mean that documenting them is forbidden. Actually, some requirements are much easier to meet f there is some records of the actions taken. In case when there are no records or documents, the auditor will have to put additional effort to determine whether the requirements are met and it is usually done through interviews and observing activities.
When it comes to internal and external issues, the auditor will have to speak with the top management and other relevant roles to determine whether the organization have considered and defined context of the organization.
In case of interested parties and their needs and expectations, it is really hard to meet the requirements without any reco rd although there are no requirements for documenting this clause.For example, there must be contracts where needs and expectations of interested parties (e.g. customers, subcontractors, etc) are stated, or laws and regulations relevant to the organization business.
For risks and opportunities, if they are not documented, there must be some written trace of the actions taken, so it is up to the auditor to find them.
For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/