Answer: Yes, your previous experience will count in your formation as an auditor. Your competencies in IT will help you understand the auditee scenario, define what you should look for as evidence, and define proper nonconformity statements and recommendations for improvement.
To start your journey to become an information security auditor you should attend an ISO 27001 lead auditor course, so you can understand the concepts of the ISO 27001 management system and the processes and techniques involved in an audit. After being approved in the course you need to accumulate audit hours, first as an observer, and after that as an audit team member, so you can gain understanding and experience in practical audits. After sufficient auditing hours, and good evaluations from your team leader, you can achieve the status of auditor and after that lead auditor.
Answer: Considering the situation you presented, it seems you need a quick action to fix some issues as soon as possible and a longer-term plan to maintain the results. Also considering you mentioned a limited staff, maybe hiring a cyber expert for the quick action would be the best option, even considering the higher costs of a consultant, because in this case delaying the fixes leaves you vulnerable for much more time. And you could ask the consultant to use the practices of Cyber Essentials as a reference.
For the longer-term plan, the implementation of ISO 27001 can help you manage the implemented security, and for that you have three implementation alternatives: hiring a consultant (maybe the same one you hired for the quick fix), implementing on your own, or implementing on your own with expert support. Each alternative has its pros and cons, and I suggest you take a look at this white paper to identify which alternative is best for you: Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach
Regardless of the way you choose, when ISO 27001 is implemented properly, you won't focus too much on documentation - rather, you'll focus on changing the way your employees are using the technology, and therefore decrease the number of security incidents. Here's an article that will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
It means to audit your company against ISO 9001:2015 requirements to determine to what level your company is compliant with the standard.
Providing evidence for clauses without mandatory documents
Answer:
The fact that there are no mandatory documents doesn't mean that documenting them is forbidden. Actually, some requirements are much easier to meet if there are some records of the actions taken. In cases where there are no records or documents, the auditor will have to put in additional effort to determine whether the requirements are met, and this is usually done through interviews and observing activities.
When it comes to internal and external issues, the auditor will have to speak with the top management and other relevant roles to determine whether the organization has considered and defined the context of the organization.
In the case of interested parties and their needs and expectations, it is really hard to meet the requirements without any record, although there are no requirements for documenting this clause. For example, there must be contracts where the needs and expectations of interested parties (e.g. customers, subcontractors, etc.) are stated, or laws and regulations relevant to the organization's business.
For risks and opportunities, if they are not documented, there must be some written trace of the actions taken, so it is up to the auditor to find them.
You must make sure that the internal auditors are qualified and have the experience necessary to carry out the work properly. It is very important that internal auditors gain the competencies needed to carry out a good internal audit, so that both the results and the corrective actions found help to improve the QMS, and of course to pass the certification audit successfully.
If your internal auditors do not have these competencies related to the new version of the standard, then they should acquire them.
Answer: Your decision will depend mostly on your organization's objectives and your current security level. Cyber Essentials is more focused on controls implementation to enhance cyber security, while ISO 27001 is a management system standard focused on the implementation, maintenance and improvement of information security in all environments where information is handled (e.g., information systems, paper-based information, etc.). Cyber Essentials will be quicker to implement, but ISO 27001 can provide you better results in the long term.
Consider performing a security diagnosis first. If your current situation is considered acceptable regarding your objectives, the best course of action may be implementing ISO 27001 first, using Cyber Essentials during the control implementation phase of the ISO 27001 implementation. If your situation is considered not acceptable, you may go for Cyber Essentials first and after that start the ISO 27001 implementation.
I am from a Human Resources background. Currently I am working as an HR & Compliance Executive. How would ISO 9001 help my career as a social compliance auditor? Also, suggest some good certification bodies from India to do ISO 9001.