Answer: ISO 27003 refers to aspects needed for successful design and implementation of an Information Security Management System, but it is not a mandatory requirement for ISO 27001 implementation. You can think of it as a supporting tool, which will help you to better plan your implementation project, but you should consider these points:
1) ISO 27003 is very difficult to read - definitely not for beginners
2) The last version of ISO 27003 was published in 2010, i.e. before ISO 27001:2013 was published - therefore, it does not cover the changes of the current ISO 27001:2013
Answer: Rules for the certification audits for all ISO standards are the same: there needs to be at least one surveillance audit every 12 months. Verification audits are used only if you failed the Stage 2 audit, and the auditor needs to check whether you have closed a major nonconformity.
The 12 month period should start with the date of the completion of the last audit, but it would be best if you check this information with a certification body.
The best way to start with the transition is to get familiar with the requirements of ISO 9001:2015. I suggest you take a look at our free ISO 9001:2015 Foundation online course https://advisera.com/training/iso-9001-foundations-course/
The next step is to conduct a gap analysis to determine to what level your company is already compliant with the standard and what needs to be done to achieve full compliance. Here you can find our free ISO 9001:2015 GAP Analysis tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/ . When you determine the gaps, you can develop a project plan and distribute responsibilities for developing new documents and updating the old ones, as well as updating the processes to meet the requirements of the standard. Here is one whitepaper that can be helpful to you, ISO 9001:2015 benefits of early transition: https://info.advisera.com/9001academy/free-download/iso-90012015-benefits-of-early-transition
ISO 27001 business case template
Answer: Generally speaking, an ISO 27001 business case would cover these four benefits: assured compliance, enhanced marketing edge, decreased expenses, and improved organizational structure. You can see more detailed information in this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Thank you so much. Could you please advise the two methods the company can use to determine its level of legal compliance. Thank you.
Standards in ISO 27001 series
Answer: As you pointed out, ISO 27001 has recommended control objectives and controls for all the areas you mentioned, and in terms of an ISO certified management system it is enough to be in compliance with only ISO 27001. The other standards you mentioned provide additional information and details about how to implement the controls described in ISO 27001 Annex A, but they are not required for certification. Think of them as useful tools to improve your controls.
These materials will also help you regarding general guidelines for ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Schedule for testing controls under ISO 27001
Answer: Specific guidance for control testing is difficult to provide since each organization's context and risks are unique, but you can use some of the criteria applied to planning internal audits to help define a proper test schedule, like:
- Criticality of the assets under protection of the control: the more critical the asset, the more frequent the controls testing should be.
- Frequency of changes: the more frequent the changes in assets or in the environment where the asset operates, the more frequent the controls testing should be.
- Results of previous tests: previous tests pointing to corrections or improvements to be made should be considered as a reason to reduce the interval between tests.
It is important to note that testing of controls should not be confused with internal audit; in smaller companies, internal audit is usually performed once a year by people independent of the audited process, while testing generally is performed by people involved in the process.
Regarding documentation, unfortunately we do not have a template that covers controls testing, but I suggest you take a look at the following templates, since I believe that with some adaptations you can make them more general and use them to help you test a wider range of controls: