
Expert Advice Community

Guest user. Created: Oct 17, 2022. Last commented: Oct 18, 2022

Questions about ISO 27001

1. How to do a gap analysis of the status of my management system against compliance with the ISMS requirements ISO 27001:2013

2. List of documents required to comply with ISMS ISO 27001.

3. How to develop an ISMS ISO 27001 communications program to interested parties, what should this program contain?

4. How to develop an ISMS ISO 27001 awareness program for stakeholders, what should this program contain?

5. How to develop a Management review procedure program


Expert: Rhand Leal, Oct 18, 2022

1. How to do a gap analysis of the status of my management system against compliance with the ISMS requirements ISO 27001:2013

To perform a gap analysis of your ISMS against ISO 27001, please access our free tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

This is a simple question-and-answer list that allows you to visualize which specific elements of an ISMS you’ve already implemented, and what you still need to do.

2. List of documents required to comply with ISMS ISO 27001.

Included in your toolkit you have a list of documents that shows you which are the mandatory documents to be compliant with ISO 27001.

3. How to develop an ISMS ISO 27001 communications program to interested parties, what should this program contain?

Please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that a communication program needs to be developed or documented.

Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes and interested parties. So, having a centralized communication program would overload the people responsible for communication with activities that may not be part of their attributions. That’s the reason there isn’t a specific template for a communication program.

The main documents in the toolkit that define how communication needs to be done (which could be considered as part of a communication program) are:

  • the Information Security Policy, located in folder 4 General Policies
  • the Training and Awareness plan, located in folder 9 Training and Awareness
  • the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
  • the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

4. How to develop an ISMS ISO 27001 awareness program for stakeholders, what should this program contain?

For information security these are some security practices you should consider (without more information about your context it is not possible to suggest additional alternatives):

These articles will provide you with further explanation about security practices:

You can use the Training and Awareness Plan template, located in folder 9 Training and awareness, to document the activities to be performed.

5. How to develop a Management review procedure program

Please note that ISO 27001 does not require a procedure for Management Review to be documented, so to be compliant with the standard you can just use the Management Review minutes template located in folder 11 Management review.

In case your doubt is about review periodicity, the minimum is to perform a management review once a year, or more often if any major change happens that can influence information security (e.g., there is a new client who has very particular requests regarding the confidentiality or availability of your systems). However, it could be done more often (e.g., quarterly) if the management wants to be more involved in operational issues.

For further information, see:
