Answer: No. Since systems development processes are unique for each organization, these parts need to be adapted by the organization itself in the Secure Development Procedure template, in sections 3.2 and 3.3.
Do you have an executive attestation statement of compliance that they could use for now until the next ISO-27000 security audit occurs in August of this year? If they cannot provide an Executive Attestation at the very least, they may very well lose this client account.
Answer: Regarding ISO 27001, as an equivalent for an Executive Attestation Statement, you could recommend the use of the Statement of Applicability (you can see a free demo of this document at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/ and see if it can fulfil his needs).
The standard doesn't prescribe how many objectives an organization needs to have, so your QMS with only one objective will be compliant with the standard even without justification for having only one objective in the manual. A certification auditor will probably frown upon this approach, but he cannot report this as a nonconformity, as long as you comply with the requirements of the standard related to the objectives. For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
Risk assessment flowchart
Answer: At this moment we do not have this kind of flowchart for sale. This flowchart was created as a free material to help security practitioners understand and show the asset-threat-vulnerability risk assessment and treatment approach.
Answer: First of all, you must define an audit methodology, and after that identify the audit scope (e.g., process, assets, locations, etc.) and which references you'll be using to perform the audit (e.g., ITIL, ISO 27001, etc.). With this information you can build a proper audit plan.
2. Can I use the knowledge of ISO 27001 to conduct one?
Answer: Yes. Many of the ISO 27001 requirements and controls are perfectly applicable to audit IT environments.
3. Must the company be certified?
Answer: This will depend upon the requirements of the audit client (the person or organization that demands the audit). You should verify this with the organization.
4. Which certification body do we use in case the client wants to be certified?
Answer: This is a decision of the organization that wants to be certified, because there are many variables to be considered that will impact not only operations but future strategic decisions.
During stage 1 of the certification audit the auditor will examine your documentation, and this will help him to develop stage 2 of the certification audit, which is also called the main audit. The stage 1 audit can be done on location at your company, or the auditor can conduct it in his office. This stage of the audit is performed during both certification and surveillance audits.
The main purpose of the stage 1 audit is to show whether your documentation is compliant with the standard and what areas of your QMS require special attention during the main audit. After the stage 1 audit you will receive a report and you will have to resolve nonconformities (if they exist) prior to the main audit.
For more information, see: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/blog/2016/05/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
Document Controller and Management Representative
Answer:
A document controller can be a management representative. The standard does not prescribe required qualifications for the MR, but it is reasonable to expect that the MR is familiar with the requirements of the standard. The MR responsibilities include coordinating the QMS, defining the internal audit program, reporting to top management, etc.
I would assume that as an audit company, you would have done a lot of work certifying data centers. Hence there will be materials or journals around checklists or things to look out for in ensuring that a data center is fit for purpose. I am currently reading Dejan's book on cyber security. Hope this is a useful hint into what I am hoping to get from you?
Answer: We are a company focused on providing ISO standards related resources so organizations can be compliant with those standards and seek out certification if they desire, but we do not provide audit services.
This checklist can provide you information on what to consider for a data center according to ISO 27001.
As an external resource I suggest you consult the standard TIA 942, revision A (2014), which specifies the minimum requirements for telecommunications infrastructure of data centers and computer rooms. For additional information you can take a look at https://en.wikipedia.org/wiki/TIA-942
Answer: No. Although many questions are common, each questionnaire should also contain questions regarding the specific business process under assessment, and elaborating a single questionnaire to try to cover all possible questions is impractical. When you do an interview you adjust your questions "on the fly", depending on the interviewee's answers and your own perception. Questionnaires are useful when you need to gather specific information. When you do not have a focus to work on, it is better to use interviews.
Our ISO 27001 toolkits work with the asset-threat-vulnerability approach, using a risk assessment sheet which needs to be filled out, together with a video tutorial which explains how this is done, so in this case the use of a questionnaire is not really applicable to risk assessment. You can take a look at the free demo of our Risk Assessment Table at this link https://advisera.com/27001academy/documentation/risk-assessment-table/