
  • Which policies to implement before the certification


    Answer:

    If your company wants to go for the ISO 27001 certification, the first thing you need to have is all the mandatory documents; you can see them here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Next, once you perform the risk assessment you will define which controls you need, and then you have to decide which of these controls need to be documented. Finally, in the Risk treatment plan you need to decide which controls are to be implemented before the certification, and which will be implemented after.

    In the certification audit, the auditor will check if all the published documents are fully implemented.

    So, to summarize: each document you write needs to be fully implemented; the only documents that you can leave for after the certification are those that are not mandatory.

    These articles will also help you:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    Probably the best thing for you is to go through this free online course, ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ - it will explain all the details to you.
  • Asset Inventory: 'Printer' - Justification!

    That was helping the doubt! Thank you so much
  • How essential is a 'Scope Diagram' in the Scope Document?

    That cleared the query! Thank you @ajsegovia
  • RARTP vs NCPA

    Thanks for the help! It cleared the doubt :-)
  • Risk assessment of vendor who is ISO 27001 certified


    Answer:

    When assessing the risk of third-party services you have to assess the ability of those vendors to protect the confidentiality, integrity and availability of your data that they are handling. Of course, if they are ISO 27001 certified, this will mean that the risks are probably lower; however, this is not the only criterion. You should also check what your agreement with them says, what their reputation is, what other customers are saying, whether they have some other certificates, etc.
  • How to account for mobile devices that are not company owned


    Answer: BYOD physical devices are typically excluded from the ISMS scope because you cannot control them completely, but you should include in the ISMS scope the company data on those devices - in that case, you simply list those data in your asset list and in your risk assessment.

    This article might help you: How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

    We have interfaces set up with our clients. Would we consider those interfaces to be a separate asset, or would we only account for the data when it is stored in a database?

    Answer: I'm not sure what you mean by interfaces - if you refer to some devices or software, then you should include those assets in your asset list. In some cases you will view data separately from the devices - e.g. you will list a database separately from a physical server; in other cases you can view the server as both a physical server and the data on that server - you are free to do it whichever way you feel is more appropriate.
  • Milestones in the project plan


    Answer:

    Actually, you can divide your project into 4 phases according to the Plan-Do-Check-Act cycle:
    - Plan phase: documents from the ISO 27001 & ISO 22301 Premium Toolkit in folders 0 to 7
    - Do phase: documents in folders 8 and 9
    - Check phase: documents in folders 10 and 11
    - Act phase: documents in folder 12
  • Problem in describing risks

    Thank you, but it is written in Italian. I should translate it.
  • Performing internal audit as a service


    Answer:

    The exam for our ISO 27001 Internal Auditor Course does not require experience in a specific industry - the exam requires you to prove that you have learned the curriculum that was presented in the course.

    I understand that your intention is to provide internal audit as a service to your clients, and the point is that you will be much more successful performing this internal audit in the industries where you have experience. On the other hand, for most industries there are no laws or regulations that would prevent you from performing an internal audit in those companies, so if you can convince those companies to use your services, you are free to take that opportunity. In some industries (like banking) there might be regulations which strictly define who can perform IT or information security audits.

    By the way, you should not use the phrase "third party" in the context of an internal audit, because the phrase "third party audit" means the certification audit performed by certification bodies.
  • Risk assessment for critical assets or confidential assets?


    Answer:
    I am not sure if I have understood your question 100%, but the risk assessment is not prepared for specific assets (critical or confidential); it is for all assets of your organization, and you can find various types of assets: hardware, software, people, etc.

    This article can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    And also this one “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    Finally, our online course can also be interesting for you because we give more information about assets: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/