Search results

  • Delay in implementing the controls

    Yes, it is acceptable, but you need to have a really good reason - shifting the dates without any justification will bring you trouble with the certification auditor.
  • How to treat suppliers that are ISO 27001 certified
    Answer: The fact that they are ISO 27001 certified doesn't change their status towards you - so yes, you have to treat them as suppliers. To understand the details on how to handle suppliers, please read this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    My second question is that as we are a new and small company we do not have any IT department so we (personally) managed our IT equipment, will this cause us problems in our certification?

    Answer: No, your size and the fact that you are managing your IT equipment won't cause any problems at the certification, as long as you comply with your policies and procedures.

    Is it better to have a dedicated IT department or have someone who manages our IT?

    Answer: I'm not sure if I understood your question correctly - if you meant whether it is better to have your own IT department or to outsource the IT function, this is primarily a business issue (what is more profitable) and a skill issue (does your IT equipment require some special skills that might not be easy to find in the market).

    Or can we just put encryption / passwords / administration rights to particular systems to get round this?

    Answer: Managing security is not only about encryption, passwords and administration rights - the best thing for you would be to go through this free online training to learn all that is important for security management: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • How to treat an ISMS document that is due for review

    Thank you so much for this answer. It is exactly what I was looking for. In my case, I will record it by listing all the docs due for review in our ticket management system and simply comment next to each one. In the case of docs not requiring change, I will just say "Reviewed but no changes were necessary. It will however be reviewed again next year 201x".
  • Asset value
    Answer:
    There is no universal way to calculate the asset value, but a common way is to select the highest value from the 3 parameters (in your case 5), or another way is to sum the 3 parameters (so in this case you can have the value 15). If you want my opinion, for me it is easier if you select the highest value (5).

    Anyway, for the risk management it is not mandatory to use the asset value, so if you want an easy way you can simply use the impact value.

    This article can help you “How to assess consequences and likelihood in ISO 27001 risk analysis” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    And also this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    And also our online course, because we give more information about the evaluation of assets “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Documenting the information security objectives
    Answer:

    ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.

    When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.

    This article will also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    In this free online training you'll find detailed guidance on setting the objectives: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Focus the ISMS scope
    Answer:
    I am sorry, but I am not sure what you mean; you can define the scope of the ISMS by limiting it to only the IT department. Another way is to define the scope for the whole organization, and generally this is our recommendation. For more information about the definition of the scope, please read this article “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    If you limit the ISMS scope to your IT department only, you will have to treat the other departments in your company as third parties, and this is why creating such a scope is difficult.

    This article can be also interesting for you “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    And our online course can also be interesting for you, because we give more information about how to define the ISMS scope “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Contents of Internal audit program

    In case you are planning a single audit to cover all the ISMS scope at once, these references you defined are sufficient.

    In case you are planning to perform multiple audits to cover small parts of the scope each time (e.g., IT processes audit, HR processes, etc.), then you need to be more specific about which criteria you will use. For example, in the case of auditing HR processes, most probably controls from section A.14 System acquisition, development and maintenance won’t be part of your checklist, while controls from section A.7 Human resource security will take more space in your checklist.

    This article will provide you with a further explanation about building an audit checklist:

    These materials will also help you regarding building the audit program:

  • Clarifications reg GAP Analysis.

    ISO 27001 does not require you to perform the Gap Analysis prior to the start of the project; you should perform a kind of shortened version of Gap Analysis while writing your Statement of Applicability.

    These materials will help you:
    - article ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
    - article The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - free ISO 27001 Gap Analysis Tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
  • Audit Doubt

    I'm not sure if I understood your question correctly, but the certification auditor will check your whole ISMS - all your documents, records, activities, etc.

    It doesn't matter that you have checked all of these during the internal audit - the certification auditor will check everything all over again; he will review your internal audit process as well.

    See also these materials:
    - article Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Documents Clarification

    The best would be if you register for this free online training: ISO 27001 Foundations Course - there you will find all the answers https://advisera.com/training/iso-27001-foundations-course/