Search results


  • Cabling security


    Answer:
    If I have understood your question well, you want to implement the control 11.2.3 cabling security through documenting and demonstrating the physical access controls that are in place, and from my point of view it is enough, although it can be better if you perform periodic physical inspections to review whether everything is according to the documented procedures (this review will also be performed by auditors).

    By the way, this case study related to data centers can be interesting for you “ISO 27001 Case study for data centers: An interview with Goran Djoreski” : https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/

    And of course, our online course can also be very interesting for you because we give more information about the security controls of the standard and about the implementation of ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Where to start with ISO 9001 implementation


    Answer:

    The first step is to conduct a gap analysis to determine to what extent your company is already compliant with ISO 9001. Once you determine what needs to be done to achieve full compliance, you should create a project plan for the implementation (here you can find a free Project Plan for ISO 9001 implementation https://advisera.com/9001academy/free-downloads//).

    The next step is to create all necessary documentation, implement changes in existing processes and establish new ones. Then you need to conduct an internal audit and a management review to ensure your QMS (Quality Management System) is compliant with the standard.

    Finally, you can hire a certification body to conduct the certification audit and issue you the certificate.

    For more information, see:
    - ISO 9001 Implementation Diagram https://advisera.com/9001academy/free-downloads//
    - Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Data Center - ISO 20000 certification


    Answer:
    You can certify only one part of your organization, like the ITSM group you mentioned. That will be your scope.
    This article will help you regarding scope definition: "How to define the scope of the SMS in ISO 20000" https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/
    The Data Center has to fulfill all requirements of ISO 20000 (if that is your scope). ISO 20000 does not set any particular requirements towards any part of the organization.
  • Maturity models


    Answer:
    I am sorry, but there are no evaluation ranges or ranges of application for ISO 27001; you can comply or not comply with ISO 27001, but not by ranges.

    Anyway, you can use maturity models for the implementation of security controls, but the security controls really are from ISO 27002, not from ISO 27001 (although you can see the security controls of ISO 27002 in Annex A of ISO 27001).

    This article can be interesting for you “Achieving continual improvement through the use of maturity models” : https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

    Our course can also be very interesting for you because we give more information about the implementation of ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Previous and current ISO 27001 and the risk management


    Answer:
    I am sorry, but I am not sure if I have understood your question 100%. If your question is about combining concepts between the current version, ISO 27001:2013, and previous versions (I suppose that when you say “BSI”, you mean BS 7799, which is the origin of ISO 27001), then obviously, if you want to certify against ISO 27001:2013, you need to comply with the requirements of the current version of the standard, although you can use some concepts from the previous version (for example, asset-based risk management). But again, the important thing is to comply with the requirements of ISO 27001:2013.

    By the way, you can develop your own methodology for the risk management, so this article can be very useful for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    And our online course can also be interesting for you because we give more information about risk management and the implementation of the ISMS “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • The CISO


    Answer:
    Regarding the definition of roles and responsibilities, there are some common roles that are established in companies with ISO 27001, the most common is the CISO. This article can be useful for you “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    Regarding the clause A.7.1.2 Terms and conditions of employment, simply each employee must have an agreement with the organization where all conditions are established. This agreement can also include information about the roles and responsibilities related to the ISMS (for example, this can be good for the agreement of the CISO).

    Regarding the clause A.13.2.4 Confidentiality or non-disclosure agreements, it is only necessary for information transfer (you need to establish an agreement with the other party for the information transfer, including terms related to information security), and it can be applicable to external parties or employees, but it is not directly related to the definition of roles and responsibilities.

    Finally, our course can also be interesting for you because we give more information about roles and responsibilities “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Corrective actions


    Answer:
    Regarding the first question, yes, it is necessary, because in accordance with the point 10.1 you need to eliminate the causes of a nonconformity, so if a nonconformity has been detected during an internal audit, you need to define corrective actions, and in the corrective actions you need to identify the causes of the nonconformity.

    Regarding the second question, KPIs are not mandatory in ISO 27001:2013, so there is no clause directly related to KPIs in ISO 27001:2013, although in accordance with clause 9.1 you need to establish a way to measure the ISMS, and a KPI can help you (but it is not the only way). This article can be interesting for you “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    And our online course can also be interesting for you, because we give more information about the measurement of an ISMS “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • IT audits and CISO


    Answer:
    I am not sure if I have understood 100% your question, but the CISO (Chief Information Security Officer) generally performs activities related to the implementation and maintenance of the ISO 27001 standard, and these activities should be reviewed during the ISO 27001 internal audit.

    But if your question is about IT audits (ethical hacking, penetration testing, etc), from my point of view it is not necessary to review the work of the CISO, you simply need to review the configuration of systems, open ports, services running, etc.

    This article can be interesting for you “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    Finally, our online course can also be interesting for you because we give more information about the internal audit “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Threats and vulnerabilities list


    Answer:
    Our list of threats/vulnerabilities is a complete list of most common threats/vulnerabilities that covers most relevant aspects, so you can use this list for your risk management methodology. Here is our list of threats/vulnerabilities “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    By the way, if you want to develop your own methodology, this article can be also interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    Finally, our online course can also be very interesting for you because we give more information about risk management “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Identifying risks


    Answer:

    When identifying risks, you first need to think about the scope of risk identification. In terms of ISO 9001:2015, you need to consider risks and opportunities related to the ability of the organization to achieve its objectives. This includes risks emerging from the internal and external context of the organization. For more information, see: The Role of Risk Assessment in the QMS https://advisera.com/9001academy/blog/2014/01/07/role-risk-assessment-qms/

    Risk management includes a systematic approach to risk control. This includes a defined process of risk identification, evaluation, treatment and reassessment. For more information, see: Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/