Answer: Your decision will depend mostly on your organization's objectives and your current security level. Cyber Essentials is more focused on controls implementation to enhance cyber security, while ISO 27001 is a management system standard focused on the implementation, maintenance and improvement of information security in all environments in which information is handled (e.g., information systems, paper-based information, etc.). Cyber Essentials will be quicker to implement, but ISO 27001 can provide you better results in the long term.
Consider performing a security diagnosis first. If your current situation is considered acceptable regarding your objectives, the best course of action may be implementing ISO 27001 first, using Cyber Essentials during the control implementation phase of the ISO 27001 implementation. If your situation is considered not acceptable, you may go for Cyber Essentials first and after that start the ISO 27001 implementation.
I am from a Human Resource background. Currently I am working as an HR & Compliance Executive. How would ISO 9001 help my career as a social compliance auditor? Suggest some good certification bodies from India to do ISO 9001 also.
Toolkit content
- A.5 Information security policies
- A.18 Compliance
I do not see an assessment tool for ISO27K. Is there any reason for this omission? Are they not included as part of the toolkit?
Answer:
1) The controls from section A.5 Information security policies are covered in many policies provided in the toolkit (e.g., Information security policy, Access control policy, Acceptable use policy, Backup policy, etc.).
2) The controls from section A.18 Compliance are covered in the following documents: Procedure for Identification of Requirements, and List of Legal, Regulatory, Contractual and Other Requirements - you'll find them in folder 02 "Procedure for identification of requirements".
3) ISO 27001 does not require the usage of a tool for doing the risk assessment, so we are offering the Excel sheets for performing this task - in our experience, this is much easier for smaller companies, for which our toolkit is designed. You'll find those sheets in the folder 05 "Risk assessment and risk treatment methodology".
By the way, you can find the information about which controls and requirements are covered by each document in the file List of documents that you'll find in the root folder of the toolkit.
Nonconformities and corrective actions
In my previous employment and experience, we usually initiate only a CAR for audit findings. To me, it seems like redundancy.
Do you see a reason for initiating a NCR? Is it a requirement?
Answer:
Results of the certification audit can be minor and major nonconformities and recommendations. In case of nonconformities, you will need to document them as per clause 10.2.2 regardless of who identified the nonconformity. Then you evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, and that is corrective action.
This might seem like a redundancy, but it provides traceability and also enables the organization to file more information on the nonconformity than what is stated in the certification audit report.
Answer: With the increase in the number of incidents involving information leakage, impacting both final users and big organizations, and in the number and rigidity of legislation, the need for information security professionals is also increasing, both on technical and management aspects. I suggest you look at this report for an overview: The State of Cyber Security Professional Careers https://www.esg-global.com/hubfs/issa/ESG-ISSA-Research-Report-State-of-Cybersecurity-Professional-Careers-Oct-2016.pdf
Concerning learning, there is no such thing as a "right path"; it is more like the path most adequate for you. ISO management systems themselves recognize this (in terms of competencies, they consider as sources either education, training or experience). So, you can go for formal academic knowledge, attending information-related courses and training, or develop your skills through daily activities. Here in Advisera you can find articles, white papers and online courses that can give you a starting point.
Answer: Yes, but not in the way you are thinking. The toolkit has several commonly used policies covering different aspects of information security, like Access control policy, Acceptable use policy, Backup policy, etc. You can consult the "List of Documents" file that comes with your toolkit to find them. Once you have identified the policies you need, you can decide whether you will use them as separate documents or merge them into a single "Information security policy", as seems to be your idea.
This clause is an addition to the awareness requirements of ISO 9001:2015 and, besides quality objectives achievement, it mentions continual improvement and promoting technical innovations. You can document this as a part of your procedure for competence and awareness, or you can have a separate procedure that will describe how your company will achieve this.
Planning the QMS and clause 6.1.1
Answer:
Planning is a very important part of the QMS (Quality Management System) and the PDCA cycle. Planning should be conducted on a regular basis if there are no changes to the QMS, or at any time when some changes are made to the QMS. For example, during the management review you can make plans for necessary resources for processes, training needs, etc., and identification of risks and opportunities is also a part of the planning phase.