Search results


  • Asset-based or process-based?


    Answer:
    I am not sure if I have understood your question, but the new ISO 27001:2013 does not establish that the risk assessment needs to be asset-based or process-based; we are free to select the best methodology for the organization, although our recommendation is to use an asset-based risk assessment, because generally this approach is easier.

    Maybe this article about how to write your own methodology can be interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    This article can also be interesting for you “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And this article can also be interesting “What has changed in risk assessment in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/

    And our online course can also be interesting for you, because we give more detailed information about risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • ISO 9001-2015 and AS 9110 B


    Answer:

    AS 9110 B had its last revision in 2012; it includes the ISO 9001:2008 quality management system requirements and specifies additional aviation maintenance industry requirements, so it is not, by default, compliant with ISO 9001:2015.

    There is no other reason for having two separate certificates, unless there is a customer requirement or a requirement from some other interested party.
  • Nonconformity in expanded scope of QMS


    Answer:

    The certification audit is conducted according to the previously defined scope and criteria. If the nonconformity was identified within the new scope, the auditor cannot change the audit scope after the audit and issue you the certificate. The only way to get the certificate is to resolve the nonconformity and notify your CB.

    For more information, see:
    - How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
  • How to calculate confidentiality, integrity and availability values of people


    Answer:
    I will give you an easy example (considering a scale of values from 0 to 2, with 2 being the highest):

    Asset: system administrator
    Threat 1: Unavailability of the person (related to the availability); vulnerability: no replacement for the position of this person.
    Consequences (based on the lack of availability of this person) = 1
    Likelihood = 1
    Risk = 1 + 1 = 2

    Threat 2: Frequent errors (related to the integrity); vulnerability: lack of training.
    Consequences (based on the lack of integrity of this person) = 1
    Likelihood = 2
    Risk = 1 + 2 = 3

    Threat 3: Illegal processing of data (related to the confidentiality); vulnerability: lack of monitoring mechanisms.
    Consequences (based on the lack of confidentiality of this person) = 2
    Likelihood = 0
    Risk = 2 + 0 = 2
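    As an added illustration (not part of the original answer, and not a tool from Advisera), the following Python risk register encodes the methodology shown above: the 0..2 scale, the additive formula risk = consequences + likelihood, and the three threats for the "system administrator" asset. It also derives a per-property (C, I, A) value for the asset as the highest score among the threats affecting that property, and rejects values outside the scale so a mis-keyed rating cannot silently distort a result. The acceptable-risk threshold of 2 is an assumption of this example; the answer states no threshold.

```python
from dataclasses import dataclass
from typing import Dict, List

# Scale taken from the answer above: consequences and likelihood are each
# rated 0..2 (2 = highest) and risk = consequences + likelihood, so 0..4.
SCALE_MAX = 2
PROPERTIES = ("confidentiality", "integrity", "availability")
# Assumption of this example (the answer states no threshold): rows scoring
# strictly above this value need a treatment decision.
ACCEPTABLE_RISK = 2


@dataclass(frozen=True)
class Risk:
    """One row of an asset-based risk register."""
    asset: str
    threat: str
    vulnerability: str
    dimension: str       # which of C, I, A the threat affects
    consequences: int    # 0..SCALE_MAX
    likelihood: int      # 0..SCALE_MAX

    def __post_init__(self) -> None:
        # Reject rows outside the methodology's scale early, so a typo such as
        # "likelihood = 5" cannot silently inflate a risk value.
        if self.dimension not in PROPERTIES:
            raise ValueError(f"unknown security property {self.dimension!r}")
        for name in ("consequences", "likelihood"):
            value = getattr(self, name)
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in 0..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        # Additive formula used in the answer: risk = consequences + likelihood
        return self.consequences + self.likelihood


def risks_needing_treatment(register: List[Risk]) -> List[Risk]:
    """Rows whose score exceeds the (assumed) acceptable level, highest first."""
    return sorted((r for r in register if r.score > ACCEPTABLE_RISK),
                  key=lambda r: r.score, reverse=True)


def cia_values(register: List[Risk], asset: str) -> Dict[str, int]:
    """Per-property risk value for one asset: the highest score among the
    rows that affect that property (0 if no threat was identified for it)."""
    values = {p: 0 for p in PROPERTIES}
    for r in register:
        if r.asset == asset:
            values[r.dimension] = max(values[r.dimension], r.score)
    return values


def example_register() -> List[Risk]:
    """The three threats from the answer above, for the system administrator."""
    asset = "system administrator"
    return [
        Risk(asset, "Unavailability of the person", "no replacement for the position",
             "availability", consequences=1, likelihood=1),
        Risk(asset, "Frequent errors", "lack of training",
             "integrity", consequences=1, likelihood=2),
        Risk(asset, "Illegal processing of data", "lack of monitoring mechanisms",
             "confidentiality", consequences=2, likelihood=0),
    ]


if __name__ == "__main__":
    register = example_register()
    for r in register:
        print(f"{r.threat}: {r.consequences} + {r.likelihood} = {r.score}")
    print("CIA values:", cia_values(register, "system administrator"))
    for r in risks_needing_treatment(register):
        print("needs treatment:", r.threat, "score", r.score)
```

    Running the block reproduces the three scores from the answer (2, 3 and 2); with the assumed threshold of 2, only "Frequent errors" (integrity, score 3) would go on to risk treatment, and the asset's C/I/A values come out as 2/3/2.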
  • People "asset" for risk assessment


    Answer:
    I am sorry, but in ISO 27001:2013 it is not necessary to identify confidentiality, integrity and availability requirements of “people” assets for risk assessment, because the term “assets” is not used in the new ISO 27001:2013 (you can develop your own methodology for risk management; I mean, it is not mandatory to have an asset-based methodology).

    Anyway, if you have an asset-based methodology, you need to identify threats/vulnerabilities related to each asset. So, in the case of assets of type people: a threat can be unavailability of a person, and a vulnerability can be no replacement for the position of this person (which can be considered a potential loss of availability); another threat can be frequent errors, and a vulnerability can be lack of training (which can be considered a potential loss of integrity and availability); and another threat can be illegal processing of data, and a vulnerability can be lack of monitoring mechanisms (which can be considered a potential loss of confidentiality).

    For more information about this, please read this article “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    And our online course can also be interesting for you, because we also give information about risk assessment, including the asset inventory “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • ISO 9001 transition and integration with ISO 27001


    Let me explain our situation:
    - we are a 600-employee company, specialized in Digital Certification;
    - we obtained 9001:2008 in 2009 and 2011 for the whole company, and last December we obtained 27001 at our Datacenter (with the Academy's kit assistance);
    - now we have begun migrating 9001:2008 to the 2015 version, integrating it with the expansion of 27001 to the whole company;

    We are working with both ISOs integrated; to get 27001 we used some 9001 docs, customizing and integrating them.
    Since we have the 2008 certification, we will be working in 6-month cycles, preparing all 9001 docs, internal audits, etc., and at the next recertification, February 2018, we will change it. Meanwhile, every November we have 27001 maintenance, and each time we will be expanding the scope, finishing in Nov 18.

    This is a huge and challenging project!

    Be sure I will be keeping in touch with you; some questions will be dropped soon.

    Now you know something about our project, and if you have some hints to help me, please, let me know.

    Answer:

    The project before you is a great challenge indeed. But, since you have already implemented ISO 27001:2013, the ISO 9001 transition will go much more smoothly. The reason for that is that ISO 9001:2015 and ISO 27001:2013 have the same structure, and a lot of the processes can be merged together, from determining the context of the organization and document control to resource management, internal audit, management review, and nonconformities and corrective actions.

    The first step is to identify all common requirements of both standards and see which of your ISO 27001 documents can be used to address requirements of ISO 9001:2015; this will definitely cut your effort in half. The second step is to determine to what extent your existing ISO 9001 procedures meet the new requirements, and to plan and implement the changes.

    The important thing is to distribute responsibilities for the transition across the entire company and include relevant people in the implementation of the changes; greater involvement of other people will highly contribute to the success of the project. I'm sure that you will manage to implement the changes and make the transition in three to six months. For more information, see: How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
  • Include ISMS documents in the inventory asset?


    Answer:
    I am not sure what you mean, but documents, procedures, guides, etc. are files in PDF, Word, Excel and other formats (including documents on paper and in other forms), which are of the information asset type, so yes, you can include them in your inventory of assets. For more information about the inventory of assets, please read this article “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    If your question is about whether each document needs to be listed separately in the inventory of assets, from my point of view it is better if you have a single asset for all documents of the ISMS, because the threats/vulnerabilities and risks are the same for all these documents.

    By the way, in our online course you can also find more information about the inventory of assets “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • First steps to start an ISO 27001 project


    1. Appoint the committee

    2. Create the security policy

    3. Do the risk assessment.

    4. Define the ISO scope

    That is where I get confused, because I do not know which task goes first and which goes after, and I do not know the functions of the committee; I am still unsure whether it is the committee that defines the scope and approves it.

    Please, I would like help to define how to sell the project within the company.

    Answer:
    The first thing you need is to obtain management support, and afterwards it is also important to see the implementation as a project. This article gives you information about the steps you need to implement ISO 27001 in your organization “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Regarding your question about the committee, it was only mandatory in the old version of the standard (ISO 27001:2005), but in the current version (ISO 27001:2013) it is only a good practice; in any case, the scope must be approved by top management.

    Regarding your last question, you need to show top management the benefits of implementing the project, which are mainly 4: compliance, market positioning, cost reduction and organizing the business. For more information on this, please read the following article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
  • More than one risk owner for one risk?


    Answer:
    It is not common; I mean, generally a risk has a unique risk owner, because the risk owner is a person or entity with the accountability and authority to manage a risk, and commonly it is a unique person or entity. For example, the risk owner of a server is generally the head of the IT department. For more information about the risk owner, please read this article “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    And our online course can also be interesting for you, because we also talk about the risk owners “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Is it mandatory to implement all 114 controls?


    Answer:
    It is not mandatory to implement all 114 controls of Annex A of ISO 27001:2013; you only need to implement those that you need to reduce the risks identified during the risk assessment (or those that are related to law, contractual requirements, etc.). In the SOA you need to include the list of controls that apply to your business (in the same order in which you can see them in the standard).

    Regarding the justification for the auditor, you simply need to show the auditor that you apply and implement only those controls that you need to reduce risks (or those that are related to law, contractual requirements, etc.)

    For more information about the SOA, please read this article “The importance of Statement of Applicability for ISO 27001” : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    And this course can give you more information about the connection between risks and controls "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Finally in our course you can also find more information about the SOA “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/