  • Documents and records


    Answer: Basically documents refer to information used to plan or define activities, while records are used as evidence of activities done or results achieved. Considering your examples, we have:

    Scope: document that defines where the ISMS is applicable.

    Information Security policy: document that defines the main rules about information security.

    Risk assessment: If you refer to Risk Assessment Methodology, it is a document that defines how to perform a risk assessment. On the other hand, if you refer to Risk Assessment Report, it is a record that evidences the results of a risk assessment.

    Training, monitoring and measurement, internal audit: for all these you must be more specific, because if you are referring to a procedure or a policy, you are talking about a document, but if you refer, for example, to a training attendance list, monitoring or internal audit report, you are referring to a record.

    This article will provide you further explanation about records in ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    These materials will also help you regarding documents and records in ISO 27001:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Toolkit content


    - 7.1 prior to employment, 7.2 During employment, and 7.3 termination and change of employment
    - 8.1 responsibility for assets and 8.3 media handling
    - 12.1.1 Operational procedures and responsibilities, 12.1.3 Capacity Management, 12.2.1 controls against malware, and 12.4.1 event logging

    My current priority is to work on operations security.

    Answer: ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as a result of risk assessments, legal requirements or organizational decision. To see the documents required by the standard, and the most common documents implemented to support an ISMS, please see this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control - for those companies this large number of documents would be overkill for many of them. Instead, a single template may cover multiple controls.

    To answer your question, controls from section A.7.1 are covered by documents Confidentiality Statement (control A.7.1.2), Statement of Acceptance of ISMS Documents (control A.7.1.2), Supplier Security Policy (controls A.7.1.1 and A.7.1.2), and Appendix – Security Clauses for Suppliers and Partners (control A.7.1.2).

    In the root folder of the toolkit you'll find a document called "List of Documents" which will explain which control is covered by which document.
  • ISO 27001 Presentation to Top Management


    Answer: Yes. Using the link displayed below you can access a free presentation covering:

    - The reasons for implementation
    - The purpose of the project
    - What milestones to set throughout the project
    - Which resources are required
    - The deliverables expected from the project

    Project proposal for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint

    This article will provide you further explanation about benefits of ISO 27001 implementation:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding benefits of ISO 27001 implementation:
    - ISO 27001 benefits: How to obtain management support [free webinar] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • CISM and ISACA


    Answer: We are focused on ISO management standards and related material, but we have some articles regarding how these materials can help implementation and operation of an ISMS - ISO 27001 based:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
  • Integrating ISO management systems


    Answer: All ISO management systems published after 2012 have the same general structure, and this makes integrating them a lot easier. In the integration process you should consider two phases:

    1 - Integration of the common parts of ISO management systems, e.g., control of documents, internal audit, training, management review, etc. These have basically all the same requirements, requiring only minor adjustments to refer to all systems covered.

    2 - Integration of the specific parts of each system (basically sections 6 and 8 of each standard). Regarding ISO 27001, this means including in the organizational process the activities related to information security risk assessment and treatment processes.

    This article will provide you further explanation about integrating ISO management systems:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding integrating ISO management systems:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free webinar – ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Documentation for internal audit


    Answer:

    Besides the Internal Audit Program, which is a mandatory document, there are also an internal audit checklist and an internal audit plan that are not mandatory but can be very useful during the audit.

    The internal audit checklist should be prepared based on the documentation audit, prior to the main audit, and it contains the items or requirements of the standard to be checked during the audit. For more information, see: ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/

    The internal audit plan represents a schedule of the specific internal audit. In this document, you should define what processes will be audited, what people will be interviewed and so on, with detailed timing for each process and each interview. Besides providing a structure to your audit, it also provides information to the relevant people so they can make themselves available for your audit. For more information, see: Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
  • Methodology for calculating risk


    Answer: Since we are targeting smaller companies, we are using the simplest risk assessment methodology: impact is assessed with the scale Low-Medium-High (0, 1 and 2), and the likelihood is assessed using the same scale. The risk is calculated by adding those two values together.

    Of course, in the document called "Risk assessment and treatment methodology" you will find a detailed description of this methodology.

    This article will also help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Information security in project management


    Answer: Unfortunately we do not have a template covering Information Security in Project Management, but there are many similarities with implementing an ISMS that you can use to drive the implementation of this control:

    1 - You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with the organization's objectives; the only difference is that these objectives are restricted to the scope of the project.

    2 - You have to perform, at the beginning and periodically, information risk assessments in the project, like you would do with other business processes, to identify necessary controls.

    3 - You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing).

    In short, you can think of the inclusion of information security in project management as implementing a small ISMS that will fit the project's needs and be proportional to the project's lifetime and budget.

    Regarding your question related to different entry points for new projects, I would recommend that you define a project management policy, establishing rules for project approval and the need to include information security as part of the project activities.

    This article will provide you further explanation about Information security in project management:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
  • Clause 5.1 i)


    Answer:

    Requirements of this clause are really hard to audit and to demonstrate compliance with. The best way to meet these requirements is for top management to assign roles, responsibilities and authorities within the EMS (Environmental Management System). People can only demonstrate leadership if they are authorized to make decisions.

    For more information about leadership, see: How to demonstrate leadership according to ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/
  • ISO 9001 in accounting


    Answer:

    ISO 9001 has requirements only for the processes that directly affect the quality of the products and services and customer satisfaction. Therefore, the standard doesn't have any requirements regarding accounting, and it is often left out from the scope of the QMS (Quality Management System) because it makes no difference.

    You can develop procedures for accounting in order to ensure that the processes are carried out as planned and make it part of the QMS.

    For more information about the scope of the QMS, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/