
  • Defining the scope


    Answer:
    From my point of view, if you have a client requiring the ISO 27001 implementation and certification, it is better if you talk with your client and agree your ISMS scope with them (to avoid problems).

    Anyway, if you are giving a service to your client, and you need all systems of the data center for this service, maybe the best option would be to include in the scope all systems (I suppose that these systems are managed by your company).

    This article can be interesting for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And our online course can also be interesting for you because we give more information about the ISMS scope “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • To be compliant, what is the minimum to be done?


    Answer:

    Basically, there is no difference between "being compliant with the standard" and "being ready for the certification" - so the point is you have to implement:
    1) all the mandatory documents
    2) all the non-mandatory documents you consider necessary for your company
    3) make sure all of your employees comply with all this documentation

    In our ISO 27001 Documentation Toolkit you'll find a document called "List of documents" which specifies all the documents that are mandatory, and all the documents that are optional. When you follow the steps in the toolkit, you will be able to conclude which non-mandatory documents will be necessary for you.

    It is also recommended to go through this free online course because it will explain to you how the whole standard works: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Validity of an ISO 27001 Certification to an organization

    With most training providers, when you get the ISO 27001 Lead Auditor certificate, there is no validity period for this certificate; however, some training providers/accreditation bodies might ask you to maintain the certificate, and this is something you need to check with the training provider.

    See also these materials:
    - article Accreditation vs. certification vs. registration in the ISO world https://advisera.com/blog/2016/02/29/accreditation-vs-certification-vs-registration-in-the-iso-world/
    - article How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - webinar ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/
  • Deviations and exceptions in the Information security policy


    Answer:

    First of all, the recommendations from ISO 27002 are not mandatory, so you do not have to write everything that is written in this standard; on the other hand ISO 27001 does not require you to define deviations and exceptions. See also this article: ISO 27001 vs ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    ISO 27002 is not quite clear on what it means by deviations and exceptions; generally, deviations could mean that you have to set up a process for responding to nonconformities that will occur - e.g. what to do if someone is not complying with policies and procedures. Exceptions could mean defining the situations in which the regular rules are not applicable - e.g. in case of a disruptive incident (for instance, a large earthquake), the physical access controls will not be applied.

    See also this article: What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

    This online course will help you learn about writing information security policies and procedures: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Shortest time necessary before applying for ISO 27001 certification


    Answer:

    This timing is different from one certification body to another - some certification bodies allow you to go for the certification after you finish the internal audit and management review and close most of your corrective actions; others require a 3-month period of ISMS operation before you can start the certification process.

    So the point is - you should ask for quotes from a couple of certification bodies, and ask them to specify their requirements.

    These articles will help you:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/27001academy/blog/2015/06/22/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Referring to the Business continuity policy from the ISMS documentation


    Answer:

    Business continuity is required in the Annex A of ISO 27001, section A.17 - so if you select those business continuity controls as applicable in your Statement of Applicability, then yes - you should refer to your Business continuity policy in your ISMS documentation.

    If the ISO 27001 certification auditor sees that you have implemented business continuity in a proper way, he will certainly look at that fact in a positive way - he will assess your business continuity documentation, and how you performed your exercising and testing, but he probably won't go any deeper.

    These articles will help you:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  • Example of risks and opportunities


    Answer:

    First, it is good to clarify where to look for risks and opportunities in an environmental management system. According to ISO 14001, the organization needs to consider the relationship a particular risk or opportunity has to:
    - the organization’s important environmental issues (its “context”)
    - the organization’s EMS requirements, including its compliance obligations
    - the defined scope of the organization’s environmental management system

    For example, the organization might be at risk of not complying with a contractual obligation regarding environmental protection, therefore it must take action to ensure that the contractual obligation will be met. An opportunity can be governmental funding of green energy or energy conservation, so the organization must take action to apply for that funding.

    For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • How to address first three clauses of ISO 9001


    Answer:

    The first three clauses of ISO 9001 do not contain any requirements regarding the quality management system, so the organization doesn't have to do anything to address those clauses.
  • Any controls for BCMS like ISMS?


    Answer:
    No, I am sorry, a BCMS is not composed of security controls like an ISMS. Remember that ISO 27002 is a code of best practices with 114 security controls that you can use together with ISO 27001 to implement an ISMS. For a BCMS you can use ISO 22313 together with ISO 22301 to implement a BCMS, but ISO 22313 is not composed of controls; it is composed of guidelines for implementing the standard.

    Anyway, you can also use controls from ISO 27002 to mitigate most business continuity risks, although this is not mentioned in ISO 22301.

    This article can be interesting for you “ISO 22301 vs. ISO 22313” : https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/

    And also this one “ISO 27001 vs. ISO 27002” : https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    And this book can also be interesting for you "Becoming Resilient: The Definitive Guide to ISO 22301 Implementation" : https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Who owns the risk?

    In the "Existing controls" column you should list all the controls that are currently implemented related to the risk - sometimes the asset itself will be the control, like in case of a firewall.

    However, if the asset is managed by an entity that is not part of the scope, then likely this asset is also not going to be included in the ISMS scope.

    This article will also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Sure, we can organize a call, please contact me via email.