Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Contents of the Risk assessment report
Answer:
ISO 27001 doesn't specify the contents of the Risk assessment report, it only says that the results of the risk assessment and risk treatment process need to be documented - this means that whatever you have done during this process needs to be written down.
Typically it includes all the risks that were identified, risk owners, their impact and likelihood, level of risk, risks that are not acceptable, and treatment options for each unacceptable risk. The risk appetite (i.e. acceptable level of risk) should be specified in the Risk assessment methodology, but yes - you can mention it in the Risk assessment report as well. -
Risk assessment for ICS or SCADA?
Answer:
From my point of view, NIST 800-82 is a security guide for the Industrial Control Systems (ICS) and SCADA systems, but this standard does not define how to perform a risk assessment.
ISO 27005 is a code of best practices that can help you to develop your own methodology for the risk assessment & treatment, but remember that is focused in information security, and is very global, but from my point of view you can use ISO 27005 using also the list of threats/vulnerabilities of NIST 800-82 (which are specific focused to ICS and SCADA systems) and on this way you can develop your own methodology (with NIST 800-82 and ISO 27005).
Anyway, with this article you can also develop your own methodology “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/, although it doest not include threats/vulnerabilities related to ICS and/or SCADA, but you can use NIST 800-82 for this.
Finally, our online course can be also interesting for you because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Risks in many site offices
Answer:
If you have many site offices, you can have a separate sheet for each office, I mean, you can identify and assess risks for each office independently. For this identification you can read this article “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Regarding your second question, if you want to know a typical folder structure, you can download our toolkit and you will see a basic structure, although you can define the structure that you want. Here you can download our toolkit clicking on “DOWNLOAD FREE TO OLKIT DEMO” “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Finally, our online course can be interesting for you because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Context of the organisation and design and development
Answer:
In order to meet requirements regarding context of the organization you need to identify all internal and external issues that can affect ability of your company to deliver quality product and achieve customer satisfaction.
Internal issues, or internal context includes organizational culture, organizational structure, communication channels in the company, competence of employees, condition of the equipment and facilities, etc. Basically anything that can have effect on your business performance and comes from within the organization.
External context includes relevant legislation, conditions on the market, competition, suppliers, customer requirements, etc.
In order to meet requirements regarding the context you do not need to document every single detail but it is better if you have some procedure or record about it in order to facilitate demonstration of compliance to the requirements to certification body. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
Design and development is one of the clauses that can be excluded form the scope of QMS if it is not applicable to the type of business that company performs. You only need to document justification for the exclusion. If you do perform a design and development process you need to address all the requirements from this clause. For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/ -
Requirements for an internal auditor position?
Answer:
There is no specifics requirements needed for an internal auditor position, although obviously you need experience and a good knowledge about the standard to audit it.
This article can be interesting for you “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
And also this one: “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
And also our online can help you to become internal auditor “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/ -
Auditing the ISMS
Answer:
If you want to perform an internal audit on an ISMS, you can start reviewing documents and after you can develop a checklist to know what are the main things that the auditor will check, so this article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Anyway, basically the checklist includes all the requirements of ISO 27001 that need to be implemented, so the internal auditor will check in these requirements are properly implemented.
Regarding the process, it can be composed by these steps:
1.- Document review
2.- Create the checklist
3.- Panning the main audit
4.- Performing the main audit
5.- Reporting
6.- Follow-up
By the way, we have a toolkit specific focused on the internal audit, so maybe can be useful for you “ISO 27001 / ISO 22 301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/ (you can download a free version of the toolkit clicking on “DOWNLOAD FREE TOOLKIT DEMO”)
And here you can also see a free version of our checklist for the internal auditor clicking on “Free demo” tab “Internal Audit Checklist” : https://advisera.com/27001academy/documentation/internal-audit-checklist/
Finally, our online course can be interesting for you, because we give more information about the internal audit, and furthermore you can learn how to perform an internal audit “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/ -
ISO 27001 vs NIST, CIS and Common Criteria
Answer:
The main difference between ISO 27001 and other standards (like the NIST series, CIS Critical Controls) is that after the implementation of the standard, you can certify it by a third party, which give warranty that you are compliant with an international standard. You cannot certify in the same way NIST series and/or CIS Critical Controls. Regarding Common Criteria, it is also an ISO standard (ISO 15408), although ISO 27001 is related to the certification of companies, while Common Criteria (ISO 15408) is related to the certification of products.
Regarding the advantages, to be certified on ISO 27001 means that you have a certificate signed by a certification body, and this entity audit your company every year to check if your company is compliant with the standard, which can help your business to im prove your business continually.
Regarding limitations, from my point of view, ISO 27001 is only a standard that defines requirements (says you what you need to do), but does not say you how to do it, so generally you need another standards or best practices (ISO 27002, ISO 27799, etc) for the implementation of ISO 27001.
The decision should be made depending the needs of the business, I mean, if the business need a certificate signed by an third party to show to their customers that they are compliant with an international standard related to information security, the best standard is ISO 27001. If not, the company should decide the best standard depending on their needs and the benefits of each standard.
If you want to learn information about ISO 27001, our online course can be useful for you “ISO ” : https://advisera.com/training/iso-27001-foundations-course/ -
Implementing 2015 revision by using old documents
Answer:
You might implement any version of the standard you want and use existing documents from your company. The only difference is that you need to revise those documents to make sure they are aligned with the requirements of the new version. I assume that you will be using procedures for document and record control, HR, internal audit, corrective actions, etc. All these documents should be revised and slightly changed just to meet requirements of the new standard but it will save you a lot of time since the changes are minor in these areas.
For more information, see: How to make the transition fro m ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/ -
Internal audit and financial report
Answer:
It is not very common to bind financial report with internal audit report because they are quite different and are not related to each other. It wouldn't be a nonconformity to file both these reports at once but it doesn't provide any additional value.
Audit criteria represents requirements to which the system is being audited. For example, if you are conducting ISO 9001 internal audit, the audit criteria would be ISO 9001, or if you are auditing compliance to legal and other requirements, the criteria would be the legal requirements.
For more information, see Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/ -
What to include in Information security policy?
Answer:
ISO 27001 does not require you to include product and services, nor partnerships, supply chains and interested parties in your Information security policy. According to ISO 27001, this policy is a top-level document without many details - see this article: Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Typically, you should include info rmation about your products and services in your ISMS Scope document, see this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
And the information about interested parties and their requirements should go to a separate list, learn about it here: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
You could include all this information in the Information security policy, but this would be very impractical.
This free online course will also be of great help to you: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/