  • ISO 27001 Consultant effort


    1 - Would you be expected to be on site for the full 5 months? I would think this is very restrictive with regards to taking on more clients.

    Answer: It will depend upon your role in the implementation. Will you be responsible for elaborating and implementing policies and procedures, or will you provide support and orientation to your client team?

    If your situation is the first one, you will probably have to be on site once or twice a week throughout the 5-month period.

    If your role falls in the second scenario you probably will have to be on site only a few times to verify on-site implementations and orient the implementation team. But be aware that at the beginning of the project you will spend a lot of time on site to get things running.

    2 - If you don’t have to be on site for the full 5 months, on average, how many days would you be expected to be on site? Of course, I understand that this would be dependent on scope and possibly work required as part of the risk treatment plan, but I am hoping you could give guidance from experience.

    Answer: Since the project duration is only 5 months, I would recommend you to be on site 2 or 3 days every 15 days. During this time you can verify the implemented controls, suggest and plan adjustments, prepare the team for the next phase, and most important of all, talk personally with management to report the project progress and get their feelings about the project.

    3 - If you do not have to be on site for the full 5 months, do you/have you taken on more than one implementation at once? If so, how do you manage your time? (do you use a tool (e.g. MS Project), an assistant, or possibly a simple timetable)

    Answer: The quantity of projects you can manage at the same time will depend upon your need to be on site and the distance between sites. As a personal rule, I try to keep from 2 to 4 simultaneous projects where there is a need to be on site, so that in perfect conditions I can dedicate at least one day a week to each of them. If you work remotely this quantity may be greater. And regarding remote work, I suggest you take a look at our online ISO Tool, Conformio https://advisera.com/conformio/ , which can help you manage your projects.

    These articles will provide you further explanation about consultant effort:
    - 3 phases of delivering an ISO 27001/ISO 22301 consulting job https://advisera.com/27001academy/blog/2015/09/28/3-phases-of-delivering-an-iso-27001iso-22301-consulting-job/
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    Additionally, I suggest you take a look at our Consultant toolkit https://advisera.com/27001academy/consultants/ . Apart from the templates you can use to manage your consultation projects and stakeholders, you are eligible to get continuous support from us throughout your implementation consultancies.

    These materials will also help you regarding consultant effort:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Sample results of risk assessment


    Answer: You can find examples on how to fill out the data into the Risk assessment sheet in these materials:
    - book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ - you'll see there a couple of examples of risk assessment results
    - ISO 27001 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/ - as part of the toolkit you'll get access to video tutorials that will show you how to fill out real risk assessment data
  • ISO 22301 as part of information security audit


    Answer: When you implement ISO 27001, it is not mandatory to implement ISO 22301 as well - consequently, during the ISO 27001 internal audit or certification audit it is not necessary to audit BCMS according to ISO 22301. However, if you implemented only ISO 27001, the auditor will have to review the business continuity implementation according to ISO 27001 controls in Annex A.17 (these controls have much smaller requirements than ISO 22301).

    If you have decided to implement both ISO 27001 and ISO 22301 (which I think is a very good thing to do), then internal audit/certification audit can be performed at the same time for both of these systems - this is called "integrated audit".

    These materials will also help you:
    - article How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - webinar ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
    - book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 project schedule development


    Answer: Yes. In a general manner, to determine the time needed for each step individually you need to:

    1 - Identify which result you have to deliver (e.g., information security policy)
    2 - Identify which tasks are required to produce that result (e.g., interview top management, elaborate a policy draft, submit draft for evaluation, update draft if needed, approve final version, etc.)
    3 - Identify how much time you need to perform each task
    4 - Identify the sequence in which the tasks should be executed

    After the sequencing you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.

    When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca 10% of the time, risk assessment ca 30% of the time, implementation of controls ca 50% of the time, and final activities (internal audit, management review, corrective actions) ca 10% of the time.

    I recommend you to look at our Project checklist for ISO 27001 implementation (https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation), which can give you some ideas about tasks required in an ISO 27001 implementation project.

    To get an estimated duration of the whole project you can use our Duration calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    These materials will also help you regarding ISO 27001 schedule development:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Objective evidence of conformity


    Answer:

    There is no one kind of evidence that can be universal for every requirement. In some cases the objective evidence can be a report or a record, in other cases the readings from monitoring or measuring equipment, and even reports from an independent third party.

    For more information about evidencing requirements, see: Monitoring and Measurement: The basis for evidence-based decisions https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
  • Software development: product or a service?


    Answer:

    Software development is considered as production, but it can go either way. For example, if they develop the software by themselves and sell it to their customers as a product, then it is considered as production. In the case when the software developing organization is only conducting the programming, while the idea for the software, the code and the software itself are the property of the customer, the software company is only providing a service of programming. Although it is important to define whether the company is delivering a product or a service, it doesn't change much, since the same requirements of the standard need to be met.

    Here is one article that discusses products and services and might be interesting to you: Understanding Product & Service Provision in ISO 9001 https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
  • ISO 27001 implementation phases


    (I used the calculator and got: Estimated number of months required for implementation: 10 - However, we would like to know from your experience how much time is estimated for each phase and so we can put together the project plan and give an estimated date to top management.)

    Answer: Considering the 10-month period you estimated, a good estimate of the phases' duration is:

    Months 1-2: Project planning and elaboration of basic management system documentation (e.g., ISMS scope, information security policy, procedure for documentation control, procedure for internal audit, procedure for risk assessment and treatment, etc.)
    Months 2-3: Carrying out the risk assessment and risk treatment plan elaboration
    Month 4: Information security policies and procedures elaboration
    Months 5-8: Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
    Month 9: Internal audit and management review
    Month 10: Treatment of internal audit nonconformities and management review decisions

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Operation controls beyond the company's power


    Answer:

    ISO 14001 states that you need to apply controls to the level possible, so in the case that you mentioned you can print instructions for the product disposal so your customers can dispose of it properly. You can state the user's manual as an operational control for this life-cycle stage.

    For more information about life-cycle perspective, see: How does product life cycle influence environmental aspects according to ISO 14001:2015? https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • ISO 27001 transition period


    Answer: Since ISO 27001:2005 was withdrawn on October 1st, 2015, any certifications against this version of the standard are no longer valid from that date forward. So, unfortunately, your certification is not valid any more.

    This article will provide you further explanation about transition to ISO 27001 2013:
    - How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    These materials will also help you regarding transition to ISO 27001 2013:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Auditor formation


    1 - Being a non technical person, is it possible for a person to become an ISO 27001/2013 auditor?

    Answer: Yes. ISO 27001's main focus is management practices (e.g., planning, performance evaluation, etc.), so it does not require deeper technical knowledge to perform an audit, only knowledge of basic concepts (e.g., identification, authentication and authorization for access controls).

    2 - Is any prior experience required in order to become an auditor?

    Answer: To become an internal auditor no prior experience is required, but if you desire to become a lead auditor it's a good thing to have some previous experience in auditing, and if you aim to become a certification auditor, you will definitely have to demonstrate audit experience.

    3 - Where to start from?

    Answer: You can start with an internal auditor course to know the basics of performing an ISO 27001 audit, or go right to a lead auditor course if you want to go deeper and know about planning audit programs and plans.

    These materials will also help you regarding auditor formation:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

    These articles will provide you further explanation about auditor formation:
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/