Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Information labelling
Answer: ISO 27001 clauses do not require from an organization to include address information in documentation, so this decision is up to the organization itself, if it considers relevant to the business, it is demanded by law or contractual clauses, or as a result of a risk assessment.
This article will provide you further explanation about information labeling:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
This material will also help you regarding information labeling:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/ -
ISO 27018
Answer: For more information about ISO 27018, I suggest you to take a look at this article:
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
We also have a toolkit which covers the specific recommendations of ISO 27018. You can take a look at a free demo of this toolkit to get more information at this link: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/
You just need to scroll down the screen a little to find the free demo tab. -
Customer requirements review
Answer:
Depending on the type of product or service you are providing to your customer you can get information on customer requirements in different ways. Sometimes, you can send your customer questionnaire or some other record that will provide you with sufficient information on customer requirements so you can decide whether you can meet these requirements or not. Or you can have a conversation with your customer and record its requirements by yourself.
Here you can find a free preview of our Customer Requirement Review Checklist https://advisera.com/9001academy/documentation/customer-requirement-review-checklist/ -
Quality Management Metrix
Answer:
The purpose of implementation of metrics in quality management system is to determine performance of the QMS. In order to achieve that, you need to define KPIs (Key Performance Indicators) for every process. KPIs should be defined in a way that provides you with information whether the process is delivering the expected outcome or some improvements are needed for the process.
For more information, see: How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/ -
Context of organization for 27001
Answer: You can understand context of organization as any internal or external factor that can affect the ISMS. As examples of external factors (something that is outside the organization's control) we can mention new technologies, competitors, and laws. As examples of internal factors (something the organization can control or have influence over) are organization's own resources and knowledge, its culture, and its employees competences. Understanding the context is essential to identify where the ISMS can be applied, its strengths and limitations.
This article will provide you further explanation about Context of organization for 27001:
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
These materials will also help you regarding Context of organization for 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 2700 1 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Mandatory documents
1 - The format of the entire 27001 Standard. Do you have a sample format of what would need be presented to the external auditor please, ie. all the documents please?
Answer: Unfortunately, we cannot provide you the ISO 27001 standard itself because it is protected with intellectual property rights - you can purchase it directly from the ISO website: https://www.iso.org/standard/54534.html You can download this free white paper from our website which provides some deeper insight into the standard: Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
If your question was about policies and procedures that need to be produced as part of ISO 27001 implementation, you can find them in this ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
2 - Do you have a sample Documents List where all the ISO 27001 documents are listed and numbered?
Answer: In article you wil l find explanation about all ISO 27001 mandatory documents, as well as the most common practices adopted by organizations: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
But you should also note that the results of a risk assessment and treatment may demand additional documentation. Please, see this article for more information: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
These materials will also help you regarding mandatory documents:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Auditor selection
Answer:In case of certification bodies, you can use this article as reference: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
For the selection of an auditor or consultant to help you with ISO 27001 certification I suggest you to take a look a this material: List of questions to ask your ISO 27001/ISO 22301 consultant https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-iso-22301-consultant
This list of questions cover areas like knowledge of industry, use of methodologies and payment conditions you can use to evaluate potential candidates.
This material will also help you regarding selection of auditors and certification bodies:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Book recommendation
Answer: If you are referring to our ISO 27001 foundation course, there is no need to buy additional material to take the exam. The information presented in the course will be sufficient to take the exam. But if you are considering another exam, or still consider acquiring more information before taking our exam, I suggest you to take a look at our book Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
This book contains an easy to follow structure for you to comprehend the ISO 27001 standard and implement it in an organization. -
Obsolete equipment disposal
Answer: The most common difficulties regarding the proper disposal of obsolete equipment are:
1) make people aware of the importance of proper equipment disposal;
2) the need for space and access controls to store the equipment before they undergo the information sanitization procedures;
3) the control of information to ensure that no sensitive data is lost because users forgot to retrieve them from the equipment before sending them for disposal;
4) the disposal of equipment under BYOD terms.
This article will provide you further explanation about equipment and media disposal:
- Secure equipment and media disposal according to ISO 27001 https://advisera.com/27001academy/blog/2015/12/07/secure-equipmentand-media-disposal-according-to-iso-27001/
These materials will also help you regarding equipment and media disposal:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Ow n https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Audit report finding
Could you please let me know what type of document I should deliver to auditors? whether it is checklist which compare ISO27001 control with our policy or any other type of document?
Answer: I will assume that even though your organization is not ISO 27001 certified it considers relevant to follow its practices. Considering this, since ISO 27001 was updated on 2013, and organizational practices are based on 2005 version, your organization should present:
1) a management decision considering if it is still relevant to be aligned to ISO 27001 practices after the standard's update (this can be part of management review content)
2) if management has decided to maintain alignment, you also should provide a gap analysis between the organization's practices and the 2013 version o f ISO 27001, the management decision about how to proceed considering the gap analysis findings (e.g., what practices to update, what to keep and what to discontinue), and the action plans regarding the changes deemed relevant.
These articles will provide you further explanation about handling this audit finding:
- How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
- Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
These materials will also help you regarding handling audit findings:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- Free ISO 27001 Gap Analysis Tool https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/