Unlike the previous version of the standard, where a procedure for internal audit was mandatory, the new version does not require the procedure to be documented, but it requires evidence that the internal audit is conducted, and that is the Internal Audit Program and Internal Audit Report.
The fact that the documented procedure is not mandatory doesn't mean that it is forbidden to have one; if the company finds the documented procedure useful, it may keep it. Even in the previous version of the standard, there were only six mandatory documented procedures, and yet every company had more than six.
I assume that the Document Controller is the role in your company responsible for the document control process. The Document Controller needs to have all the documents that will ensure that document and record control are effective in the organization. There is no explicit list of those documents, but if you take a look at the standard you will see what is included in the control of documents, or documented information as they are called in the new version of the standard.
The standard requires the organization to define the process of creating, updating, distribution, retrieval and use of documents, as well as control of changes, retention and disposition. Having in mind all the requirements, the Document Controller should have the procedure for document control, a list of all documents and records with their codes and version numbers, and distribution lists for every documented procedure. This is the minimum to have effective document control; in some cases it can be useful to have forms for all the documents used in the company, but that can be overwhelming, depending on the organization's size and complexity.
The standard requires the organization to identify and address risks and opportunities related to the ability of the organization to meet its objectives. This basically means that you need to examine the context of your organization, determine what the risks and opportunities related to your business are, and plan actions to address them.
There is no requirement to use a particular methodology or full-scale risk management; it is enough to organize a brainstorming session with all relevant roles in your company to discuss risks and opportunities both on the level of the process and on the level of the entire organization. The SWOT analysis can be a useful tool for conducting this assessment. Also, the record from this meeting and the SWOT analysis can be evidence that you apply risk-based thinking.
FMEA is one way to address the requirement, but it can't address the entire requirement simply because FMEA is focused on risks only and can't be used for identifying opportunities. The second problem is that FMEA is a good tool only for determining risks in the production and design and development processes, and it is not so useful for other processes. At this moment we don't have an FMEA tool available on our website, but we are in the process of developing the ISO 9001 Documentation Toolkit Premium, which will have an extensive risks and opportunities procedure that will include FMEA.
Several questions related to the implementation of ISO 22301
Generally, with BCM you deal with critical activities and processes, and this is the correct approach with respect to the ISO 22301 standard, although you can also deal with assets (in the same way as in ISO 27001), which will give you more detailed information about where the vulnerabilities are. This article may interest you: “Can ISO 27001 risk assessment be used for ISO 22301?” : https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
Answer:
Yes, you are right, one type of asset is information, but there are others: people, services, hardware, software, etc. So, for the identification of assets, it is important to establish a classification for all the different types of assets. This article can help you with this classification: “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And keep in mind that classification can also mean the classification of information, so you can also establish a classification for the information of your organization, because, for example, you can have confidential information, whose access is completely different from that of public information (other types of information can be restricted and internal use). For more information about this, please read this article: “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Opportunities in the methodology of risk assessment?
Kindly tell me one easy way to do it to fulfill the requirement of the standard. Like, can I describe in the manual that opportunities are identified in the objectives and KPIs are set to achieve those objectives/opportunities?
Answer:
No, it is not necessary to put something related to opportunities in the methodology of risk assessment, because risks and opportunities are related to the objectives, and any action that you take that is related to the achievement of the security objectives, but is not related to risk management, can be considered to be addressing the opportunities. An example related to an opportunity can be: your organization buys a cheap firewall, which gives your organization the opportunity to reduce risks, but this firewall can also produce increased risks due to the low quality of the device.
One easy way to fulfill this requirement of the standard related to opportunities is to document such actions in your Management review minutes, in corrective actions, or in any other records or documents that you use in your company (for example, actions agreed through email), but from my point of view the methodology of risk assessment is not the best place.
And keep in mind that you should document your general information security objectives in the information security policy, and control specific information security objectives in the SOA (Statement of Applicability).
Answer:
I am sorry, but I am not sure if I have understood your question. Maturity is not a requirement of ISO 27001, and the basic logic is to perform the risk assessment and apply the appropriate controls.
Anyway, if you have a standard SQL image in a cloud provider's infrastructure, and you can manage, for example, the information and the software, these assets need to be included in your risk assessment, and the security controls involved need to be implemented by your organization.
For other assets that you cannot manage (for example, the IT infrastructure of the cloud provider), if there are risks related to them, you can perform a treatment by establishing during the risk assessment that you transfer the risks related to these assets to an external company, which means that in this case the external company is responsible for the implementation of the security controls, although you can review whether these controls are implemented.
Answer:
I suppose that your question is related to the implementation process. If so, in the ISO process for the implementation of an ISO standard, the first thing that you should look at is always related to obtaining management support. For this, it is very important to show the 4 main benefits of the implementation of an ISO standard: compliance, marketing edge, lowering the expenses, and putting your business in order. For more information about this, please read this article: “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
By the way, in our free download section you can download a “Diagram of ISO 27001:2013 implementation (PDF)”, and you can also download a “Project checklist for ISO 27001 implementation (MS Word)” : https://advisera.com/27001academy/free-downloads/
This is a question of your ISMS scope: obviously the hardware on which the software and applications are running will be outside of your ISMS scope, since it is operated by company Y, which is not included in your ISMS scope.
However, if you control the data and the applications, then they should be included in your scope even though they are hosted on hardware that is outside of the scope.
Answer:
There are 4 main points, which are, by the way, the 4 main benefits of the implementation of ISO 27001: compliance (with various regulations regarding data protection, privacy and IT governance), marketing edge, lowering expenses and putting your business in order. For more information about these benefits, please read this article: “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Finally, if you are interested in the implementation of ISO 27001:2013 in your organization, our online course can also be interesting for you: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/