Questions about ISO 27001
1- How to do a gap analysis of the status of my management system against compliance with the ISMS requirements ISO 27001:2013
2- List of documents required to comply with ISMS ISO 27001.
3. How to develop an ISMS ISO 27001 communications program to interested parties, what should this program contain?
4. How to develop an ISMS ISO 27001 awareness program for stakeholders, what should this program contain?
5. How to develop a Management review procedure program
1- How to do a gap analysis of the status of my management system against compliance with the ISMS requirements ISO 27001:2013
To perform a gap analysis of your ISMS against ISO 27001, please access our free tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
This is a simple question-and-answer list that allows you to visualize which specific elements of an ISMS you’ve already implemented, and what you still need to do.
2- List of documents required to comply with ISMS ISO 27001.
Included in your toolkit is a list of documents that shows which documents are mandatory for compliance with ISO 27001.
3. How to develop an ISMS ISO 27001 communications program to interested parties, what should this program contain?
Please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that a communication program needs to be developed or documented.
Considering that, communication is an activity performed by many processes in information security according to ISO 27001, with different purposes and interested parties. So, having a centralized communication program would overload the people responsible for communication with activities that may not be part of their duties. That is the reason there isn't a specific template for a communication program.
The main documents in the toolkit that define how communication needs to be done (which could be considered as part of a communication program) are:
- the Information Security Policy, located in folder 4 General Policies
- the Training and Awareness plan, located in folder 9 Training and Awareness
- the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
- the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity
4. How to develop an ISMS ISO 27001 awareness program for stakeholders, what should this program contain?
For information security, these are some security practices you should consider (without more information about your context, it is not possible to suggest additional alternatives):
- Authentication
- Network connection
- Access to the device
- Physical security
- Data encryption
- Backup
- Software installation and patching
- Basic security “hygiene”
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
These articles will provide you with further explanation about security practices:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
You can use the Training and Awareness Plan template, located in folder 9 Training and awareness, to document the activities to be performed.
5. How to develop a Management review procedure program
Please note that ISO 27001 does not require a procedure for Management Review to be documented, so to be compliant with the standard you can just use the Management Review minutes template located in folder 11 Management review.
If your question is about review frequency, the minimum is to perform a management review once a year, or more often if any major change happens that can influence information security (e.g., there is a new client who has very particular requests regarding the confidentiality or availability of your systems). However, it could be done more often (e.g., quarterly) if management wants to be more involved in operational issues.
For further information, see:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
Oct 18, 2022