ISO 9001 has no explicit requirements regarding documented information on the context or the interested parties. However, it requires organizations to monitor information on these topics, and the most effective way of meeting these requirements is, at a minimum, to make a list of interested parties and their requirements.
Answer: We intentionally didn't develop a special document in the toolkit for the measurement results because in most cases companies already have some system of reporting their results – e.g. they use automatic reporting from their systems (e.g. fault logs from their servers), they use their regular reports (e.g. in the reports about monthly performance they include also the security results), or in some cases they have a Balanced Scorecard system in place where they simply add the security measurement.
If you have none of these, a simple report with stated objectives, date of measurement and the measurement results will be enough – you have to decide whether this report will be sent only to the mid-level management, or to the top management during the Management review.
Considering these, there are two documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
- In the top-level Information Security Policy, in section 4.1, you need to specify the responsibilities for measurement and monitoring.
- Risk Treatment Plan – in the column “Method for evaluation of results” you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column “Status” you need to specify whether a particular control is implemented or not, which you can use for monitoring the implementation plan.
By the way, to perform the measurement first you need to develop a set of measurable objectives, and you can use our Statement of Applicability template to document the objectives for your controls (or groups of controls), and you can document the top-level objectives in your Information security policy.
Answer: The first thing is that an ISMS is not a certification; it is a system to protect information (ISMS stands for Information Security Management System). Considering this, currently we have two types of certifications regarding an ISMS: certification of an organization's ISMS, based on the requirements of the ISO 27001 standard, and certification of persons who work with an ISMS as a lead auditor or lead implementer, but only the former issues an internationally recognized certification, based on courses accredited by institutions like IRCA or RABQSA. You can find detailed information about certifications for organizations and persons here: ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/ .
In terms of competences to be successful in an ISO 27001 lead auditor or lead implementer course, more important than the years of experience is the understanding of the link between information security, technology, and business processes (e.g., someone can spend years of a professional life seeing only one aspect of IT, while another professional in a couple of years can cover aspects from network infrastructure to business intelligence).
Answer: ISO 27002 shows in detail recommendations and best practices for the implementation of the controls described in ISO 27001 Annex A, and its numbering sequence is the same as that of ISO 27001 Annex A (e.g., recommendations for Annex A section A.5 are in ISO 27002 section 5, and so on). So no additional mapping is required.
Answer: The answer to this question depends fundamentally on the type of your business and the needs and expectations of your interested parties. For example, a research and development company will have different critical information assets than a bank. In this case I suggest you first identify which requirements your information security management system needs to fulfil, because those requirements will tell you which are the most critical assets you should focus on.
2 - Is it true that: the more controls in the Statement of Applicability are applicable, the easier it is to get certified? Or are just all mandatory controls enough? (I know it depends on the risk assessment table, but still)
Answer: The truth is just the opposite: the fewer controls you need, the easier it is to get certified, because you will have less work to do implementing and managing them. And there is no such thing as "mandatory controls" required by the standard. Controls from Annex A are mandatory only if there are risks which would require their implementation, and this decision is up to the organization. Basically, the justifications in a Statement of Applicability for implementing controls refer to (1) risks, (2) requirements of interested parties and (3) other logic considered by your organization.
3 - Any other parts of the project we should put extra focus on?
Answer: Definitely awareness and training should be on your list, because if people in the organization do not adopt the information security culture, you can have the best procedures and technical controls and still the organization's information won't be safe.
Answer: ISO 28001 deals with supplier security, covering more aspects than the ISO 27k series, which covers mostly Information and Communication Technologies issues. You can map ISO 28001 practices to ISO 27002 controls from section A.15 - Supplier relationships, but I suggest you take a look at ISO 27036 (Information security for supplier relationships), which has more detailed information regarding information security with suppliers. You can find this standard at this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27036:-1:ed-1:v1:en
Regarding the ISO 28001 Annexes, documents from Annex A and B (security assessment and treatment) can be mapped to sections 6.1 (Actions to address risks and opportunities), 8 (Operation), 9 (Performance evaluation) and 10 (Improvement) from ISO 27001.
Unfortunately we do not have a direct mapping document available.
- This is a great domain to be aware of in terms of cyber security
- It is able to develop specific communication skills so to identify risks in a company
- It is establishing a CIA mindset whenever positioning a specific technology
I wonder what else can be justified so that management will support the certification process and related costs.
Answer: All the benefits you mentioned are related to the auditor himself. To get the buy-in from management to support the certification process and related costs, you should explain to them that a certified auditor is more capable of identifying both nonconformities and opportunities for improvement (which are much better) during internal audits, and that this knowledge makes it easier to talk with the certification auditor, avoiding misunderstandings and getting useful tips to improve the information security management system.