
  • KPI and metrics


    Answer:
    Generally, all KPIs/metrics can be measured and reported directly on ISO 27001 or ISO 22301, although ISO 27001:2013 does not require you to use KPIs.

    Some examples of metrics that are established to measure the effectiveness of security controls implemented are related to the backups, incidents, asset inventory, policy review, etc.

    These articles can be interesting for you:

    “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    "ISO 27001 control objectives - Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    By the way, our online course can be interesting for you because we give more information about metrics “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Auditing a server


    Answer:
    The Active Directory of a server is related to control A.9 Access control, so you will need to review the security policy of the AD, where, as you know, you can establish the password complexity, length, etc.

    The backups are related to the control A.12.3.1 Information backup, and you can review the frequency of backups, planning of the backups and restores, etc.

    Change management is related to control A.12.1.2 Change management, and basically you can review the system for changes (request for change, approval of the change, etc.) related to the server (updates, patches, installation of new software, etc.).

    It is also important that you perform an internal audit primarily against the requirements from your own documentation.

    By the way, this article can be interesting for you "How to make an Internal Audit checklist for ISO 27001 / ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, our online course can be also interesting for you because we give detailed information about how to perform the internal audit “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
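    As an added example, not part of the answer above, the following PowerShell script collects the kind of evidence the A.9 review described there calls for: it reads the domain's default password policy and every fine-grained password policy (PSO), compares them against a baseline, and keeps the raw policy as audit evidence. The baseline values are assumptions chosen for illustration; in a real internal audit they should be taken from the organization's own Access Control Policy, since the audit is primarily against your own documentation. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the original answer): evidence gathering for an ISO 27001
# A.9 review of a domain's Active Directory password policy.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# ASSUMED baseline for illustration only; replace with the values written in your
# own Access Control Policy.
$Baseline = @{
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MaxPasswordAgeDays          = 365
    LockoutThreshold            = 10      # 0 in AD means "never lock out"
    ReversibleEncryptionEnabled = $false
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # output of Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [string] $Name
    )
    $findings = @()

    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength), baseline is $($Baseline.MinPasswordLength)"
    }
    if ($Baseline.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount), baseline is $($Baseline.PasswordHistoryCount)"
    }
    # MaxPasswordAge is a TimeSpan. A zero value, or the TimeSpan maximum that AD
    # reports for "passwords never expire", both fail the baseline.
    $maxAgeDays = $Policy.MaxPasswordAge.TotalDays
    if ($maxAgeDays -le 0 -or $maxAgeDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $maxAgeDays days, baseline is at most $($Baseline.MaxPasswordAgeDays)"
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold), baseline is at most $($Baseline.LockoutThreshold)"
    }
    if ($Policy.ReversibleEncryptionEnabled -and -not $Baseline.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled"
    }

    [pscustomobject]@{
        Policy    = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$results = @()
$results += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'

# Fine-grained password policies override the default for the users and groups
# they apply to, so an audit that reads only the default policy can miss weaker
# settings granted to, for example, service accounts.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Policy $pso -Name "PSO: $($pso.Name) (precedence $($pso.Precedence))"
}

$results | Format-Table -AutoSize

# Keep the raw policy objects next to the findings as audit evidence.
Get-ADDefaultDomainPasswordPolicy | Export-Clixml -Path '.\default-domain-password-policy.xml'
Get-ADFineGrainedPasswordPolicy -Filter * | Export-Clixml -Path '.\fine-grained-password-policies.xml'
```

    Run it from a workstation or server that has the ActiveDirectory module installed, with an account that can read the domain. The exported XML files, together with the findings table, give the internal auditor both the evidence and the conclusion for this part of the checklist.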
  • Multi location


    Answer:
    I am sorry, but I am not sure what you mean. Anyway, these terms are not directly related to ISO 27001, but you can carry out an implementation project for the standard that includes different locations of the same company in the scope. So, basically, all locations will have implemented ISO 27001.

    Our online course can be interesting for you because we give more information about the implementation of the ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Making the transition from 2005 to 2013 revision of ISO 27001


    Answer: I assume your company is already certified against 2005 revision of ISO 27001, and now you want to certify against 2013 revision - yes, this needs to be done with a certification body.

    See also:
    - article How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
    - webinar recording: What’s new in ISO 27001 2013 revision: How to make the transition from ISO 27001 2005 to 2013 revision https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/

    What is the process of the reassessment with the assessing body, do they look at all the internal audit work during the assessment ?

    Answer: By now your 2005 certificate has expired because the transition period is over, so you have to go for a completely new certification against the 2013 revision of ISO 27001. And yes, they will look at how you have done your internal audit, and they will also check all the other elements of your ISMS.

    See also:
    - article Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - article Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    If during the assessment there were some areas that needed addressing, then does the company get an opportunity to put a plan together to rectify and still maintain the certificate ?

    Answer: Yes, if the certification body finds nonconformities, they will give you a deadline until which you'll have to resolve those problems.

    See also:
    - article Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Contents of the Risk assessment report


    Answer:

    ISO 27001 doesn't specify the contents of the Risk assessment report, it only says that the results of the risk assessment and risk treatment process need to be documented - this means that whatever you have done during this process needs to be written down.

    Typically it includes all the risks that were identified, risk owners, their impact and likelihood, level of risk, risks that are not acceptable, and treatment options for each unacceptable risk. The risk appetite (i.e. acceptable level of risk) should be specified in the Risk assessment methodology, but yes - you can mention it in the Risk assessment report as well.
  • Risk assessment for ICS or SCADA?


    Answer:
    From my point of view, NIST 800-82 is a security guide for the Industrial Control Systems (ICS) and SCADA systems, but this standard does not define how to perform a risk assessment.

    ISO 27005 is a code of best practices that can help you to develop your own methodology for risk assessment & treatment, but remember that it is focused on information security and is very general. From my point of view, you can use ISO 27005 together with the list of threats/vulnerabilities in NIST 800-82 (which are specifically focused on ICS and SCADA systems), and in this way you can develop your own methodology (with NIST 800-82 and ISO 27005).

    Anyway, with this article you can also develop your own methodology “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/, although it does not include threats/vulnerabilities related to ICS and/or SCADA, but you can use NIST 800-82 for this.

    Finally, our online course can be also interesting for you because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Risks in many site offices


    Answer:
    If you have many site offices, you can have a separate sheet for each office, I mean, you can identify and assess risks for each office independently. For this identification you can read this article “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    Regarding your second question, if you want to know a typical folder structure, you can download our toolkit and you will see a basic structure, although you can define the structure that you want. Here you can download our toolkit by clicking on “DOWNLOAD FREE TOOLKIT DEMO” “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Finally, our online course can be interesting for you because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Context of the organisation and design and development


    Answer:

    In order to meet the requirements regarding context of the organization you need to identify all internal and external issues that can affect the ability of your company to deliver a quality product and achieve customer satisfaction.

    Internal issues, or the internal context, include organizational culture, organizational structure, communication channels in the company, competence of employees, condition of the equipment and facilities, etc. Basically anything that can have an effect on your business performance and comes from within the organization.

    The external context includes relevant legislation, conditions on the market, competition, suppliers, customer requirements, etc.

    In order to meet the requirements regarding the context you do not need to document every single detail, but it is better if you have some procedure or record about it in order to facilitate demonstration of compliance with the requirements to the certification body. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    Design and development is one of the clauses that can be excluded from the scope of the QMS if it is not applicable to the type of business that the company performs. You only need to document the justification for the exclusion. If you do perform a design and development process, you need to address all the requirements from this clause. For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
  • Requirements for an internal auditor position?


    Answer:
    There are no specific requirements for an internal auditor position, although obviously you need experience and a good knowledge of the standard to audit it.

    This article can be interesting for you “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    And also this one: “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    And also our online course can help you to become an internal auditor “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Auditing the ISMS


    Answer:
    If you want to perform an internal audit on an ISMS, you can start by reviewing documents and then develop a checklist of the main things that the auditor will check, so this article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Anyway, basically the checklist includes all the requirements of ISO 27001 that need to be implemented, so the internal auditor will check whether these requirements are properly implemented.

    Regarding the process, it can be composed of these steps:

    1.- Document review
    2.- Create the checklist
    3.- Planning the main audit
    4.- Performing the main audit
    5.- Reporting
    6.- Follow-up

    By the way, we have a toolkit specifically focused on the internal audit, so maybe it can be useful for you “ISO 27001 / ISO 22301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/ (you can download a free version of the toolkit by clicking on “DOWNLOAD FREE TOOLKIT DEMO”)

    And here you can also see a free version of our checklist for the internal auditor clicking on “Free demo” tab “Internal Audit Checklist” : https://advisera.com/27001academy/documentation/internal-audit-checklist/

    Finally, our online course can be interesting for you, because we give more information about the internal audit, and furthermore you can learn how to perform an internal audit “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
