
  • Optimising ISMS management effort


    Answer: Considering the number of documents, you could advise him to review the need for them, considering:

    - standard mandatory requirements (I'm assuming his ISMS is ISO 27001 certified, if not please disregard this)
    - contracts, statutory and other legal requirements
    - results of risk assessments
    - the organization's own decision to adopt them (generally these are the main cause of too much documentation)

    If a document is not supported by any of these reasons, your client can consider excluding it from his ISMS. The documentation review could also consider reducing the number of documents by merging related information into fewer documents (e.g., backup and log guidelines could be merged into IT operational procedures).

    As for the question of too heavy information security policies and procedures, you could advise him to define high-level guidelines to be followed by all organizational units and let them define the implementation details according to their local requirements (the "plan globally, implement locally" approach). This way there is a much better chance that the security effort will be compatible with the risks they face.

    These articles will provide you with further explanation about optimising ISMS management:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

    These materials will also help you regarding ISMS management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Business Continuity Plan in ISO 27001


    Answer: You need to include a Business Continuity Plan as an information security control, considering ISO 27001 certification, only if one of these situations applies:

    - There is a law, contract or other legal requirement requiring you to have a business continuity plan for information security
    - The Business Continuity Plan for information security is considered as a control to address risks identified as unacceptable in your risk assessments
    - Your organization decides to implement a Business Continuity Plan for information security as a best practice

    If none of these situations applies, your organization does not need to implement a Business Continuity Plan for information security. In our experience, I could say that approximately 90% of companies include this control in their ISO 27001 implementation.

    If your organization decides to select this control, you should use the "Disaster Recovery Plan" from the toolkit to be compliant with ISO 27001.

    In the video tutorials that came with your toolkit, you will see information about risk assessment, risk treatment and how to identify applicable controls.
  • ISO 27001 and ISO 9001 and information security


    Answer: No. While the focus of ISO 27001 is indeed information security, the purpose of ISO 9001 is quality management (if you note, nowhere in ISO 9001 is the word "security" mentioned). Regarding the aspects covered, they are similar in some aspects (e.g., document and record control, internal audit, management review, etc.) but completely different in others (e.g., only ISO 27001 covers information security risk assessment, while only ISO 9001 covers product and service provision).

    These articles will provide you with further explanation about how to work with ISO 27001 and ISO 9001 together:

    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    This material will also help you regarding how to use ISO 27001 and ISO 9001 together:
    - Free webinar ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Missed aspect

    Thank you!
  • Preparing for ISO 9001:2015 external audit


    Answer:

    In order to pass the external audit, you need to conform to the requirements of ISO 9001:2015. This means that you need to have all mandatory documents and to conduct all activities required by the standard, from evaluation of suppliers and measuring customer satisfaction to internal audit and management review. Here is one article that can help you with preparing for the certification audit: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
  • Does internal auditor need to have a certificate?


    Answer: You will need a certificate that you have passed the internal auditor course if:
    1) Your company goes for ISO certification - in that case the certification auditor will ask the internal auditor to prove his knowledge of the standard, and prove his skills for internal auditing.
    2) If your company is required by legislation to have a certified internal auditor.
    3) If you want to prove to your management that you are prepared for this job.

    If these three points do not apply to you, then it is not necessary to have an internal auditor certificate.
  • Risk treatment plan and SoA


    Answer: Sure, in the video tutorials that came with your toolkit, there is one about how to write the ISO 27001 Statement of Applicability that will help you fill out all the data.

    2 - Also please clarify: only the risk with an impact number above 2 gets carried forward to the next level? E.g., if we start off from the Risk assessment table and we have a risk with impact 2 and another with impact 4, this means the risk with impact 2 stays on this sheet whereas the one with impact 4 is taken to the Risk treatment sheet. Well, on the Risk treatment sheet we ascertain control(s) for it and re-ascertain the level after controls, and if the impact now becomes 2 we conclude the effort here and also mention it on the SoA only. And if the level becomes 3 or remains 4, we take it further to the SoA, then mention it on Residual risk and plan for its treatment on the Risk Treatment plan? Is that so?

    Answer: Considering that your limit value for acceptable risks is 2, all the risks for which the calculation of impact and probability results in a value above 2 should be taken to the risk treatment plan, not only those with an impact value above 2.

    That said, after you define the applicable controls and re-ascertain the risk value, you should mention in the SoA all the results obtained in the risk treatment plan, even those that still remain above the value 2.

    For the cases that are above your acceptable risk limit, justifications could be that you accept the risk as it is (the "accept" option is a valid one for risk treatment if you decide to apply no controls), or that the costs and effort to apply additional controls wouldn't be worth it (in the case where the applicable controls do not reduce the risk value to acceptable limits).

    This article will provide you with further explanation about the risk treatment plan:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
  • Segregation of duties


    Answer: If the number of persons in your organization does not allow you to split responsibilities and duties, you should consider the implementation of other controls that work as a deterrent to bad behaviour or allow you to detect such situations. As examples I can list video cameras, management supervision, job rotation and system logs.

    This article will provide you with further explanation about segregation of duties:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
  • Filling SoA


    Answer: Sure, in the video tutorials that came with your toolkit, you will see for each of the documents, including SoA, how to fill out all the data.