I'm not sure if I understood your question correctly, but ISO 27001 allows you to classify your information in any way you see fit for your company. Most companies classify their information in terms of confidentiality (i.e. how secret it is), and some companies classify their information in terms of availability (i.e. how quickly they need to get it).
Actually, neither ISO 27001 nor ISO 27002 prescribes the frequency of changing passwords. What ISO 27001 says is that you have to assess the risks related to access to your systems, and then, based on the potential incidents, decide what frequency would be appropriate.
Clause 8.4.3 d) requires the organization to communicate to external providers its requirements for the external provider's interaction with the organization. This includes the way of communication, the way the product or service will be delivered by the provider, etc. These requirements are usually documented in a contract or agreed verbally between the organization and the external provider, since documented information for this requirement is not mandatory.
Answer:
I am sorry, but I am not sure what you mean. Anyway, with ISO 27001 you can manage information security, and with ISO 22301 you can manage business continuity. So, if your question is about how to manage information security, basically you can implement ISO 27001, and this article can help you do it: "ISO 27001 implementation checklist" https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Answer:
I am not sure if your requirement is about information security risks, because you can also have financial risks, environmental risks, etc. ISO 31000 can help you develop your own methodology for all risks (information security, financial, etc.). So this methodology, aligned with ISO 31000, may be interesting for you: "Risk Assessment and Risk Treatment Methodology" https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
Answer:
Basically, our recommendation is that you need to implement controls for major risks, and accept all the other risks that are not treated with controls. So, if you have major risks related to some of these 40 controls, you need to implement them (or accept the risks) to avoid problems during the certification audit.
Furthermore, you need to perform all the steps related to the implementation of the standard (development of mandatory documents, the management review, the internal audit, corrective actions, etc.). After this, you should get the certification once you have treated the findings of the final audit report.
The more certificates you have, and the more useful knowledge you have, the higher the chances are that you'll find a job.
How to get experience: this heavily depends on the market where you work.
From which country should the certification body be?
Answer: You should select a certification body from your country that has the license (i.e. the accreditation) to work in your country. There are several factors you should take into account when selecting a certification body; please read this article: "How to choose a certification body" https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/