Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk owners vs asset owners.
Thank you so much. Could you please advise the two methods the company can use to determine its level of legal compliance. Thank you. -
Standards in ISO 27001 series
Answer: As you pointed, ISO 27001 has recommended control objectives and controls for all areas you mentioned, and in terms of an ISO certified management system it is enough to be in compliance with only ISO 27001. The other standards you mentioned provide additional information and details about how to implement controls described in ISO 27001 Annex A, but they are not required for certification. Think of them as useful tools to improve your controls.
These materials will also help you regarding general guidelines for ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secu re-simple-a-small-business-guide-toimplementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Schedule for testing controls under ISO 27001
Answer: Specific guidance for control testing is difficult to provide since each organization context and risks are unique, but you can use some of the criteria applied to planning internal audits to help define a proper test schedule, like:
- Criticality of the assets under protection of the control: the more critical the asset, the more frequent should be controls testing.
- Frequency of changes: the more frequent changes in assets or in the environment where the asset operates, the more frequent should be controls testing.
- Results of previous test: previous tests pointing corrections or improvement to be made, should be considered to reduce interval between tests.
It is important to note that testing of controls should not be confused with internal audit; in smaller companies, internal audit is usually performed once a year by people independent of the audited process, while testing generally is performed by people involved in the process.
Regarding documentation, unfortunately we do not have a template that covers controls testing, but I suggest you to take a look at the following templates, since I believe that with some adaptations you can make them more general and use them to help you testing a wider range of controls :
- Annual Internal Audit Program https://advisera.com/27001academy/documentation/annual-internal-audit-program/
- Exercising and Testing Plan https://advisera.com/27001academy/documentation/exercising-and-testing-plan/
- Form – Exercising and Testing Report https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/
This article will provide you further explanation about scheduling controls testing:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
These materials will also help you regarding scheduling controls testing:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO 27001 related certifications
Answer: ISO 27001 makes use of process approach and PDCA cycle concepts to help organizations protect their information and those from other interested parties under their responsibility. In terms of benefits, ISO 27001 can help identifying and prioritizing information security risk according business objectives, optimizing resources allocation and reducing costs of incidents.
These articles will provide you further explanation about ISO 27001 certification:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
This article will provide you further explanation about ISO 27001 benefits:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
These materials will also help you regarding ISO 27001 related certification:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free webinar ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/ -
Requirements identification
Answer: Some techniques you may use to identify needs and expectations that are base for ISMS's requirements are:
- documentation review, covering documents like the strategic plan, policies, procedures, contracts, and laws, among others
- interviews with top management, process owners, key users, clients and suppliers representatives.
The use of checklists also can help you not forget relevant topics and optimize your time and effort.
This article will provide you further explanation about requirements identification:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
Scope definition
Can you advise on this, please?
Answer: The approach considered by certification bodies is that a proper scope statement can be defined based on processes, organizational units, or physical locations, not in the format of the information medium. Therefore, your scope statement cannot limit information to be protected to electronic data only.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Timescale in risk treatment plan
Answer: Yes, the time you need to complete for each of these activities, and the sequences and dependencies that exist between them, will provide you the information about the total time required for risk treatment completion.
In the video tutorials that came with your toolkit, you will see information on how to fill out all the data about the risk treatment plan.