Questions about ISO 27001 implementation
Hi team, I'm not sure if this is the right place. I purchased the ISO 27001 templates package and have a couple of questions:
1. I already read ISO 27001 standard but I've not purchased it yet. We're ready to purchase the document, but I see it also refers to ISO 27000, 27002, 27003, 27004, 27005 and 31000. Do we need to purchase all those documents to pursue certification?
2. We have defined the following objectives for the ISMS:
- Create a better market image which will let it acquire or retain security-conscious clients, at least 4 during next year
- Ensure service uptime of 99.95% throughout the year
- In case of disaster, data loss of a maximum of 24 hours, with time to recovery of 6 hours
- Conformity with data privacy and security regulations
- Reduce the damage caused by potential incidents
- Ensure the confidentiality of the customer data handled by the company
As you can see, some are measurable but some are not. Is there an obligation to make those measurable? What happens if the objectives are not achieved?
3. When preparing the Risk Assessment, some of the risks are under the domain of a supplier. For example, our servers are hosted in a data center and we have a supplier that sub-contracts and manages the servers. What is the appropriate way to document those risks? I'm guessing we still have to list the risks (for example a breach in a server) and then in the Risk Treatment table we'll specify that those risks are transferred to a third party? Or should it instead be "selection of controls", regardless of who does it, and then we would draw up a contract with the supplier to apply those controls?
4. Our company is fully remote, our employees and contractors work at home. I guess this is an important thing to mention because it affects how the risk analysis is made (for example, there is no "office" asset, which maybe the auditor would not understand). Where is the best place to document this?
1. I already read ISO 27001 standard but I've not purchased it yet. We're ready to purchase the document, but I see it also refers to ISO 27000, 27002, 27003, 27004, 27005 and 31000. Do we need to purchase all those documents to pursue certification?
There is no need to purchase any additional standard for certification purposes (only ISO 27001 is sufficient). The comments included in the templates already cover the most common guidance provided by the mentioned standards.
2. We have defined the following objectives for the ISMS:
- Create a better market image which will let it acquire or retain security-conscious clients, at least 4 during next year
- Ensure service uptime of 99.95% throughout the year
- In case of disaster, data loss of a maximum of 24 hours, with time to recovery of 6 hours
- Conformity with data privacy and security regulations
- Reduce the damage caused by potential incidents
- Ensure the confidentiality of the customer data handled by the company
As you can see, some are measurable but some are not. Is there an obligation to make those measurable? What happens if the objectives are not achieved?
ISO 27001 requires objectives to be measurable only if practicable (i.e., when the effort to perform the measurement is worthwhile).
If an objective is not achieved, the organization must analyze the impacts of not achieving it and its causes, and define adjustments if needed. This may occur at any time or as part of the management review.
For further information, see:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
3. When preparing the Risk Assessment, some of the risks are under the domain of a supplier. For example, our servers are hosted in a data center and we have a supplier that sub-contracts and manages the servers. What is the appropriate way to document those risks? I'm guessing we still have to list the risks (for example a breach in a server) and then in the Risk Treatment table we'll specify that those risks are transferred to a third party? Or should it instead be "selection of controls", regardless of who does it, and then we would draw up a contract with the supplier to apply those controls?
The proper way to handle risks under the domain of a supplier is:
- list the risks in your risk assessment
- define for the relevant risks the treatment option "transfer risk"
- include in the set of controls to treat the risk at least one of the controls from section A.15 Supplier relationships, as needed
- define in the contract with the supplier security clauses that require the supplier to comply with the applicable controls
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
4. Our company is fully remote, our employees and contractors work at home. I guess this is an important thing to mention because it affects how the risk analysis is made (for example, there is no "office" asset, which maybe the auditor would not understand). Where is the best place to document this?
First, it is important to note that at least one "office" must be identified for certification purposes (it can be the owner's home or the office where he/she works).
Considering that, the information about the company being fully remote should be mentioned both in the ISMS scope and in the risk assessment.
This article will provide you with a further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
This material will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
Jul 20, 2020