
  • IT audit


    Answer: First of all you must define an audit methodology, and after that identify the audit scope (e.g., processes, assets, locations, etc.) and which references you'll be using to perform the audit (e.g., ITIL, ISO 27001, etc.). With this information you can build a proper audit plan.

    I suggest you to take a look at this free online course to get a better view of the audit process: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    2. Can I use the knowledge of ISO 27001 to conduct one?

    Answer: Yes. Many of the ISO 27001 requirements and controls are perfectly applicable to audit IT environments.

    3. Must the company be certified?

    Answer: This will depend upon the requirements of the audit client (the person or organization that demands the audit). You should verify this with the organization.

    4. Which certification body do we use in case the client wants to be certified?

    Answer: This is a decision of the organization that wants to be certified, because there are many variables to be considered that will impact not only operations but future strategic decisions.

    This article will provide you further explanation about certification bodies:
    - How to choose a certification body https://advisera.com/27001academy/knowledgebase/how-to-choose-a-certification-body

    These materials will also help you regarding IT audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Stage 1 of the certification audit


    Answer:

    During stage 1 of the certification audit the auditor will examine your documentation, and this will help him to develop stage 2 of the certification audit, which is also called the main audit. The stage 1 audit can be done at your company's location or the auditor can conduct it in his office; this stage of the audit is performed during both certification and surveillance audits.

    The main purpose of the stage 1 audit is to show whether your documentation is compliant with the standard and what areas of your QMS require special attention during the main audit. After the stage 1 audit you will receive a report and you will have to resolve nonconformities (if they exist) prior to the main audit.

    For more information, see: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/blog/2016/05/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
  • Document Controller and Management Representative


    Answer:

    The document controller can be the management representative. The standard does not prescribe required qualifications for the MR, but it is reasonable to expect that the MR is familiar with the requirements of the standard. The MR's responsibilities include coordinating the QMS, defining the internal audit program, reporting to top management, etc.

    For more information about responsibilities of the MR, see: Additional Responsibilities of Quality Management Representatives https://advisera.com/9001academy/blog/2014/05/27/additional-responsibilities-quality-management-representatives/
  • Datacenter audit


    I would assume that as an audit company, you would have done a lot of work certifying data centers. Hence there will be materials or journals around checklists or things to look out for in ensuring that a data center is fit for purpose. I am currently reading Dejan's book on cyber security. Hope this is a useful hint into what I am hoping to get from you?

    Answer: We are a company focused on providing ISO standards related resources so organizations can be compliant with those standards and seek out certification if they desire, but we do not provide audit services.

    Regarding material for audit or review of data center environment, I suggest you take a look at the free demo of our Internal Audit Checklist at https://advisera.com/27001academy/documentation/internal-audit-checklist/

    This checklist can provide you information on what to consider for a data center according to ISO 27001.

    As an external resource I suggest you to consult the standard TIA 942, revision A (2014), that specifies the minimum requirements for telecommunications infrastructure of data centers and computer rooms. For additional information you can take a look at https://en.wikipedia.org/wiki/TIA-942

    The link to buy this document is https://global.ihs.com/doc_detail.cfm?&csf=TIA&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA%2D942&input_doc_title=
    This article will provide you further explanation about ISO 27001 and datacenters:
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski
    https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
  • Risk assessment questionnaire


    Answer: No. Although many questions are common, each questionnaire should also contain questions regarding the specific business process under assessment, and elaborating a single questionnaire to try to cover all possible questions is impractical. When you do an interview you adjust your questions "on the fly", depending on the interviewee's answers and your own perception. Questionnaires are useful when you need to gather specific information. When you do not have a focus to work on, it is better to use interviews.

    Our ISO 27001 toolkits work with the asset-threat-vulnerability approach, using a risk assessment sheet which needs to be filled out, together with a video tutorial which explains how this is done, so in this case the use of a questionnaire is not really applicable to risk assessment. You can take a look at the free demo of our Risk Assessment Table at this link https://advisera.com/27001academy/documentation/risk-assessment-table/

    This article will provide you further explanation about risk assessment methods based on interviews, checklists and other tools:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Scope definition


    Answer: Yes, you may have problems with this approach. Information needs change more dynamically than the other common aspects used for scope definition (business units, processes and business locations), and you may end up with more administrative effort to manage this kind of scope.

    Besides that, you may also have processes working with information that is both inside and outside the scope, and this requires more effort than simply considering all the information included in the scope.

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Example of assets


    Answer: For a manufacturing company, information assets you may consider would be product specifications, production line configuration parameters, production reports, client lists, production plans, etc. The main idea is that you think about which kind of information could have an impact on your production if it were disclosed, changed without authorization or lost.

    This article will provide you further explanation about how you can identify information assets:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding identification of information assets:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Segregation of responsibilities


    Answer: When there is a single person responsible for both networks and applications, there is an increased risk that a malicious or unintentional misconfiguration leaves information exposed to unauthorized people.

    For example, application servers sharing the same network with workstations makes infrastructure administration easier, but increases the risk of unauthorized access. Another example is an administrator who opens a service port on a server and, by configuring a network path, uses it to remotely access the server, when organizational policy prohibits that.

    By segregating network and application responsibilities it is more difficult for a single person to make such a mistake or to intentionally violate access rights.

    These articles will provide you further explanation about job segregation:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
    - Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/

    These materials will also help you regarding job segregation:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Risk treatment options


    Answer: Risk reduction is an option where you take action to reduce the probability of an incident occurring (for example, by installing antivirus software you minimize the chances of a computer being infected) and/or the impact of an incident if it happens (e.g., by using backups: if for any reason you lose a file, the backup can be restored to recover part or all of the information).

    Risk sharing is an option where you decide either to transfer the operational management of the risk to a third party, or to buy insurance to minimize financial losses if an incident occurs. You should note that in the case of risk sharing the final responsibility for the risk still remains with the organization.

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding risk treatment options:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Risk assessment and PIA for EU GDPR


    Answer: The main purpose of Privacy Impact Assessments (PIAs) for the EU GDPR is the identification of risks to the privacy rights of individuals when processing their personal data, so proper measures can be taken to properly protect them. In this context, risk assessments based on standards like ISO 31000, and more specifically ISO 27005, fit perfectly for this purpose. In fact, by simply implementing ISO 27001, complemented by ISO 27018, you will cover most situations related to privacy risks.

    This article will provide you further explanation about privacy and risk assessment:
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/ (in this list you will find most threats and vulnerabilities that are applicable to a PIA)