
  • ISO 27001 / Conformio questions

    1. Can I as the Project Manager of the ISO 27001 also conduct the Internal Audit? Or should this be done by someone who is not as involved in the project implementation?

    The project manager is involved in most of the activities related to the implementation of the ISO 27001, and since one requirement to be observed for an auditor is impartiality (an auditor cannot audit his own work), this person will not be able to perform the auditor role.

    The best course of action would be to train an employee to perform as internal auditor or to hire an external auditor.

    These articles will provide you with further explanation about internal audit:

    2. When should the first Management review be conducted? At the end when we have all of the documents, or while we are implementing the policies and procedures? I am asking this because there are some items that have first occurrence set as one month after the start of the project so now I am afraid that I was supposed to do this from the beginning.

    ISO 27001 does not prescribe when the first management review needs to be performed, so organizations can schedule it as they see fit.

    For a certification implementation project, you can consider smaller management reviews during the project, and the first official management review once the implementation is over.

    For further information, see:

  • Process vs Procedure

    Thank you!

  • Addressing Annex A clauses

    Please note that the toolkit you bought has all mandatory documents required by the standard and the most commonly used ones. They are all you need to address the clauses and Annex A of the standard. No additional document is required.

    Included in the toolkit there is a List of documents file that will show you which clauses and controls of the standard are covered by each document.

    Writing a single big document is not recommended because it will become too complex to read and maintain.

    For further information, see:

    These materials will also help you regarding the implementation of ISO 27001:

  • Statement of applicability A.9.1.2 (Access to networks and network services)

    When a risk is similar across several assets, you can create a single asset to represent them all and associate the risk with it, as you suggested.

    For example, you do not need to record an organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to IT assets.

    For further information, see:

  • Control of Suppliers (Contractors)

    Please note that it is not our policy to provide recommendations about specific solutions or technologies to manage endpoints or the environments they access, so we can advise only about rules you should consider when evaluating such items.

    Considering that, rules you should consider for those laptops/computers are access control for the accessed environment, use of protected channels to access the environment (e.g., use of VPN), use of encrypted drives, antivirus and updated OS and other required software (as you suggested), and use of backup.

    About fit for purpose: provided these adopted controls decrease identified relevant risks to acceptable levels and fulfill applicable legal requirements, this would be acceptable for ISO 27001 certification purposes.

    For example, specific information security or privacy laws and regulations (e.g., EU GDPR, HIPAA, etc.), and security clauses in contracts with clients (e.g., contractual clauses requiring the use of specific cryptography for storage devices).

    Please note that, to enforce the application of such controls, you need to have signed contracts with these contractors, where such contracts will have information security clauses related to the controls you want the contractors to follow.

    For further information, see:

  • SaaS provider

    For ISO 27001, customers should be considered interested parties, i.e., someone who can affect, or be affected by, information security, not assets.

    For further information, see:
    - Who are interested parties, and how can you identify them according to ISO 27001 and ISO 22301? https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
    - Asset List for ISO 27001 Risk Assessment https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/
    - How is ISO 27001 applicable for Software-as-a-Service companies? https://info.advisera.com/27001academy/free-download/how-is-iso-27001-applicable-for-software-as-a-service-saas-companies

  • ISO 27001 Certification Data

    (1) How many months of data/records of implementation are needed for the ISO 27001 certification?

    Answer: Please note that ISO 27001 does not require a minimum period of data/records (i.e., a minimum period of ISMS operation before the certification); however, some certification bodies do have such requirements, and some don't. Therefore, you should speak to the certification body you have chosen and see what criteria they have.

    This article may also help you:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/


    (2) What is the usual timeline for the ISO 27001 certification, from preparations and training to the Stage 1 and Stage 2 certification audits?

    Answer: Please note that "preparations and training" means the implementation and operation of the Information Security Management System. For small and midsize organizations the implementation time frame can vary from 3 to 18 months, depending upon the size and complexity of the ISMS scope.

    For further information, see:
    - Time, effort, and roles needed to implement ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#effort

    Regarding the certification audit, the total days to complete a certification audit (i.e., stages 1 and 2) will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information, we cannot provide a precise answer for your case.

    For small companies the Stage 1 and Stage 2 audits will usually take ca. 5 days in total. These two audits can take place 2 weeks to 2 months apart.

  • ISO 27001 Staff Security Awareness

    Your scenario is not enough to be compliant with the standard, because it is not clear that you identified the necessary competencies for awareness and training (i.e., which topics you need to cover, which in general are based on perceived risks, turnover rate, or legal requirements), and while you captured evidence of provision, it is not clear that the effectiveness of the actions taken is evaluated (e.g., by means of a test at the end of each session).

    ISO 27001 does not prescribe the frequency of training, so organizations can define it according to their needs.

    The standard also does not prescribe ways of delivering training and awareness, so organizations can define them according to their needs.

    For further information, see:

    This material will also help you regarding awareness and training:

  • ISO 27001 measurement and Monitoring

    Does an auditee's incorrect response to the auditor's question impact the internal audit?

    An incorrect response by the auditee may lead the internal auditor to raise a nonconformity.

    Based on the responses of other auditees, and on other audit techniques like document review and field observation, an experienced internal auditor can identify whether the situation is due to auditee nervousness, lack of needed knowledge, or a real failure in following policies and procedures (the last two would be considered situations for raising a nonconformity).

    Will the internal audit planning be the same for small, mid-size and large organizations?

    Most probably not, because the audit planning needs to take into account the size and complexity of the audit scope.

    For further information, see:
