
  • ISMS scope for a cloud provider


    My question is about defining the ISMS Scope. As a service provider, how do we set the scope for ISMS ?

    Since we “hand control” of the servers to our customers and they have control over what data is uploaded and who can access it, I am struggling to see how that can be included in the scope.

    Answer:
    From my point of view, to set the scope for your ISMS, you can focus it on the information that you can manage: information about customers, financial information, information about providers, information about your employees, about your systems, etc. Maybe you have a CRM and/or an ERP, and you can also include it in your ISMS scope, because these applications have information. Keep in mind that ISO 27001 is about the protection of information.

    For more detail about the scope, please read this article “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And our online course can also be interesting for you, because we give more information about the ISMS scope “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Mandatory documents


    Answer:

    Unlike the previous version of the standard, the new ISO 9001 does not have six mandatory procedures, and the requirements for documents are now much more liberal. The documents that will be mandatory for your company depend on the processes you have in your company and which clauses of the standard do not apply to your business. To find out more about mandatory documents, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    If you want to learn more about which clauses of the standard may be excluded, see: What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
  • Training and awareness statements in the Information security policy

    * [job title] is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management
    * [job title] will implement information security training and awareness programs for employees

    Answer:

    The first statement defines who is responsible for approving the Training and Awareness Plan; typically this would be the CEO in smaller companies. The second statement defines who is responsible for the execution of this plan; in smaller companies this would usually be the person responsible for information security.

    By the way, the Training and Awareness Plan is also included in the ISO 27001 toolkit.

    This article might also help you: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • Alternative options for treating unacceptable risks


    Answer: Basically, when treating the risks you have these 4 options: (1) reducing the risk by applying controls, (2) accepting the risk, (3) transferring the risk to third parties, and (4) avoiding the risk.

    So you have already tried option (1), and you can also try options (3) and (4) before you accept the risk. So perhaps you can get an insurance policy for your assets or transfer the risk to your supplier? Or you can stop doing the activity altogether?

    See this article for more help: Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Monitoring and reporting for security metric?


    Answer:
    From my point of view, monitoring for a security metric simply means that you are watching something related to the metric (devices, applications, values, etc.) with the purpose of being aware of its state, but furthermore you need to do measurement, which means that you need to assign values to something based on predefined dimensions and units. For example, if you have a security metric for the backups, you can monitor the software that performs the backups, and measure the information related to the backups (% of failed backups, % of successful backups, etc.).

    Reporting simply means that you report the results of the security metric to other parties, for example, to the top management of the organization, or even to external parties.

    For more information about the monitoring and measurement, please read this article “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    Finally, our online course can also be interesting for you, because we give more information about monitoring and measurement “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Head of Production as Management Representative


    Answer:

    There are no contradictions or collisions with the requirements if the head of production is the management representative. The standard only requires top management to assign one member of the management to be management representative and it doesn't give any further guidelines, so the company may choose anyone among the members of the middle management. I think it is good that it is the head of production, because he understands the core processes and is directly in charge of the quality of products. For more information, see: Choosing the best person for the job of quality management representative https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/
  • What needs to be done for transition to the 2015 version

    Note: Objective, Controls and KPIs are in place.

    Answer:

    In order to achieve full compliance with the new version of the standard, there must be some revisions in practically every segment of the EMS. Some changes are major, some minor, but they all need to be implemented.

    The biggest addition compared to the previous version of the standard is determining the context of the organization, which requires the organization to determine internal and external issues related to the EMS. For more information, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/blog/2015/09/07/determining-the-context-of-the-organization-in-iso-14001/

    To get a full overview of the differences between the previous and new version of the standard, take a look at this ISO 14001:2015 vs. ISO 14001:2004 matrix https://advisera.com/14001academy/free-downloads/
  • Legislation Register


    Answer:

    The standard requires you to identify the legal and other requirements, but it doesn't define how detailed the information needs to be. It is completely up to the organization how it will collect and document this information. And you don't need to copy the index of the standard into your list, since these requirements are addressed by your documents and processes.

    For more information, see:
    - How to identify and comply with legal requirements in OHSAS 18001 https://advisera.com/18001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-ohsas-18001/

    Here you can find a free preview of our List of Legal and Other Requirements https://advisera.com/18001academy/documentation/list-of-legal-and-other-requirements/
  • Implementation of ISO 9001:2015 quality management system


    Answer:

    The best way to start with the implementation is to perform a gap analysis and determine to what extent your company already conforms to the requirements of the standard and what needs to be done to achieve full compliance with the standard. Here you can find a free ISO 9001 implementation diagram https://advisera.com/9001academy/free-downloads//

    The next step would be to establish a project plan for the implementation. This step is not mandatory, but it helps in estimating the time and resources needed for the implementation, and it will also prevent you from missing anything out. Here you can download a free version of our Project Plan for ISO 9001 implementation https://advisera.com/9001academy/free-downloads//

    Once you implement all the requirements of the standard, you need to conduct an internal audit and management review to check whether all the requirements are met, and then you are ready to hire a certification body to conduct the certification audit and issue your company the ISO 9001 certificate. For more information, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/