Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
IRCA auditor
Just as a background: We (our team of 3) have just finished the ISO 27001 (ISMS), 5 days training course and also we have cleared the written examination.
However, as the trainer explained to us on the final day, that for us to be IRCA certified Lead Auditors, we need to pay a certain royalty fee to IRCA, also, we need to gain some experience as observers/auditors in a certain time frame. So, could you please explain the process further?
Answer: IRCA's fees vary from country to country. To have precise information regarding you country you can find it here: https://www.quality.org/content/irca-fees
Regarding audit experience, you must have at least 20 days of auditing, including at least 15 on site (this generally covers 3 or four certifications audit). For more information, see: https://www.quality.org/article/auditor -
Organizational context
Please specify on which type of context organisation has its own controls and on which not?
Answer: For different contexts you can consider banks, hospitals and internet providers. All of them have specific business requirements to drive information security. Banks need to protect account holders financial data, hospitals need to protect patient's health data, and internet providers must protect users data flow. All of them must protect confidentiality, integrity and availability, but for different information, and in different degrees, so they will require different controls set and security levels.
For example, the acceptable delay in providing information for a internet user can be completely different from a hospital patient, leading to a different set of controls.
Regarding responsibility for controls, organizations that run its own IT infrastructure owns much more controls than those which outsource them, for example, by adopting a Software as a Service Solution.
These articles will provide you further explanation about Organizational context:
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding Organizational context:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Non Disclosure Agreement
Answer: Most frequently, the duration used for NDAs is 2, 3, and 5 years, but you can define a different period based on a risk assessment (a NDA can even last forever), and you do not have to define one single period for all your information. But you have to notice that the longer is the period, the greater is the cost involved.
This article will provide you further explanation about handling classified information:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
These materials will al so help you regarding handling classified information:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Cryptography verification
Answer: Cryptographic controls can be tested during information system development or operation. During development, you can ensure testing by applying controls from section A.14 (14.2.8 - System security testing and 14.2.9 - System acceptance testing), and for regular testing in operation, controls A.14.2.3 - Technical review of applications after operating platform changes and A.18.2.3 - Technical compliance review are good choices.
This article will provide you further explanation about security testing:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
These materials will also help you regarding security tes ting:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
BCP content
Disaster declaration procedure: this content focuses on criteria to be evaluated so a disaster situation can be identified and properly communicated.
Emergency notification procedure: this content focuses on the means and activities required to alert people about an emergency situation. This content differs from disaster declaration because it considers faster and local responses (e.g., a building evacuation), while disaster declaration involves incidents of greater scale.
Incident response procedure: this content focuses on how to react initially to an incident in order to reduce the damage
Recovery procedure: this material focuses on activities required to bring back operations back to agreed service levels, regardless if it is on original site or not.
2 - What other procedure are contained in the BCM plan other than the above?
Answer: You can also find as BCP content:
a - the communication plan, covering activities to ens ure information flow for organization's employees, and emergency services, as well as which information should be communicated to the media.
b - specific procedures for critical assets, like servers, information systems and key personnel.
3 - Should the BCM plan be one big book containing the above or should each be written separately?
Answer: Since BCPs cover multiple issues, in operational terms you should keep multiples BCPs, each one of them as small as possible, with only the necessary information for each team that will use them(e.g., systems recovery team, facilities disaster recovery team, emergency teams, etc.). In management terms, you can also keep one or two copies with all the BCPs, so you can use it to keep track of all plans, which will make their review easier.
This article will provide you further explanation about documenting a BCP:
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
These materials will also help you regarding :
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
ISO 27000 series quotations in academic work
(I am doing a TCC (Course Completion Work) on Information Security Policy in the course of Information Systems and would like to know if I can quote texts from the ISOs of the 27000 family as direct and indirect quotations in the TCC, even without actually buying any standard.)
Answer: Para ter acesso ao conteúdo das normas você não precisa necessariamente comprá-las. Você pode acessá-las através de uma biblioteca ou outra fonte autorizada (ex.: norma adquirida pela empresa onde você trabalha).
Caso você tenha tido acesso ao conteúdo das normas de forma autorizada você pode fazer uso de citações diretas. Caso contrário, você deve fazer uso somente de citações indiretas, referenciando a autores que você leu de forma autorizada que incluem estas normas em suas próprias bibliografias.
(To access the content of the standards you do not necessarily have to buy them. You can access them through a library or other authorized source (eg, standard acquired by the company where you work).
If you have had access to the content of the standards in an authorized manner you can make use of direct quotes. Otherwise, you should only use indirect quotes, referencing authors that you read in an authorized manner that included these standards in their own bibliography.) -
ISO 9001 nonconformities during IATF 16949 internal audit
Thank you in advance and wish you a nice day,
Answer:
IATF 16949 includes all requirements of ISO 9001:2015, so if you find nonconformity regarding ISO 9001 requirements, that nonconformity can be raised during IATF 16949 internal audit. -
Internal auditor competence in IATF 16949
Answer:
Requirements for internal auditor in IATF 16949 have been increased compared to the previous version of the standard. The standard now directly refer to ISO 19011 regarding competences of the internal auditor, the rest of the requirements regarding internal auditor competence are located in clause 7.2.3. There is a explicit requirement for internal auditor training to be provided by the competent trainer and the records about trainer's competency need to be retained.
If the internal auditors meet requirements of the standard in terms of competency, no further certification is necessary, unless it is explicitly required by the company's customer. -
Management representative and ISO 9001:2015
No, you do not need MR in new version of the standard -
ISO 27001 study material
I don’t have the official ISO 27001 requirements with all the clauses and annex A. I also don’t have the best practices ISO 27002.
Since I not only plan to perform internal audits (maybe later external audits) but also consult clients in the implementation of ISO27001, I want to learn more about the details in ISO27001 and ISO27002.
1 - Are there any online implementation courses you can recommend ?
Answer: You can learn about the details of ISO 27001 and the implementation steps in our ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/, and if you want more thorough training on the implementation, then I would recommend the ISO 27001 Lead Implementer Course - unfortunately, we do not offer such a course.
This article will provide you further explanation about ISO 27001 implementer course:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like
This material will also help you regarding ISO 27001 study material:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
2 - Where should I buy the official requirements of ISO27001 and ISO27002 ? Here: www.iso.org ?
Regarding the acquisition of the standards, the ISO site is exactly where you have to go. Here are the links for the standards:
- ISO 27001 https://www.iso.org/standard/54534.html
- ISO 27002 https://www.iso.org/standard/54533.html
Since you are considering offer consultant services, I suggest you take a look at our consultants toolkits at this link: https://advisera.com/27001academy/consultants/
These materials can help you develop policies, procedures, and plans, as well manage project tasks and interested parties.
These material will provide you further explanation about becoming a consultant:
- How to become an ISO 27001 / BS 25999-2 consultant [free webinar on demand] https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
- How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/