Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Controls for a cloud provider
Answer:
I am sorry but I am not sure if I have understood your question. The maturity is not a requirement of ISO 27001, and the basic logic is perform the risk assessment and apply the appropriate controls.
Anyway, if you have a standard SQL image into a cloud provider infrastructure, and you can manage for example the information and the software, these assets need to be included in your risks assessment, and security controls involved need to be implemented by your organization.
For others assets that you can not manage (for example the IT infrastructure of the cloud provider), if there are risks related to them, you can perform a treatment establishing during the risk assessment that you transfer to external company the risks related to these assets, which means that in this case the external company is responsible of the implementation of the security controls, although you can review if these controls are implemented.
Anyway, keep in mind that ISO 27001 is not specifically developed for the cloud, for this you can use ISO 27017, so this article can be interesting for you “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
And this article related to the basic logic of ISO 27001 can be also interesting for you "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
And also this article about handling supplier security "6-step process for handling supplier security according to ISO 27001" : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
First things in ISO process
Answer:
I suppose that your question is related to the implementation process, if so, in the ISO process, for the implementation of an ISO standard, the first thing that you should look at is always related to obtain the management support. For this, is very important to show the 4 main benefits of the implementation of a ISO standard : compliance, marketing edge, lowering the expenses, and putting your business in order. For more information about this, please read this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Another important thing is to see the implementation like a project, so this article can be also interesting for you “ISO 27001 project – How to make it wo rk” : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
By the way, in our free download section you can download a "Diagram of ISO 27001:2013 implementation (PDF)", and you can also download a "Project checklist for ISO 27001 implementation (MS Word)” : https://advisera.com/27001academy/free-downloads/
And this article gives you information about the ISO 27001 implementation checklist, establishing a priority order for all necessary steps “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Finally, our online course can give you detailed information about the implementation process of ISO 27001:2013 in your organization “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Asset identification in risk assessment
Answer:
This is a question of your ISMS scope - obviously the hardware on which the software and applications are running will be outside of your ISMS scope since they are operated by company Y that is not included in your ISMS scope.
However, if you control the data and the applications, then they should be included in your scope even though they are hosted on a hardware that is outside of the scope.
So when you perform the risk assessment, then you should do the following:
1) For your data and for applications - you treat them as assets, and look for threats and vulnerabilities, and then assess impact and likelihood. This article will help you: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2) For the hardware outside of your scope, you do not treat it as asset, but as a service provided by third party - you need to assess the threats and vulnerabilities related to this service. This article will also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
Main driving force for ISO 27001
Answer:
There are 4 main points, which are by the way the 4 main benefits of the implementation of ISO 27001 : compliance (to various regulations regarding data protection, privacy and IT governance), marketing edge, lowering expenses and putting your business in order. For more information about these benefits, please read this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
And this free webinar can be also interesting for you “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
Finally, if you are interested in the implementation of the ISO 27001:2013 in your organization, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Implementing risk management
Answer:
Implementing risk management exceeds the requirements of the ISO 9001 that only requires risk-based thinking. For implementing the risk management it is best to follow ISO 31000 that provides framework for selecting methodology, defining the scope and conducting risk management. The process of risk management includes several steps :
1. Establishing the context
2. Risk identification
3. Risk analysis
4. Risk evaluation
5. Risk treatment
6. Monitoring and review
For more information, see:
- Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
- The Role of Risk Assessment in the QMS https://advisera.com/9001academy/blog/2014/01/07/role-risk-assessment-qms/ -
Work breakdown structure for ISO audits
Answer:
According to PMBOK 5, a work breakdown structure is “A hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables”.
So, we do not have a specific structure of this type for the definition of the work to be carried out during an audit, because it is not necessary in ISO audits, but we have this article that can help you to develop your own checklist for an audit “How to make an Internal Audit checklist for ISO 27001/ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
By the way, our online course can be also interesting for you because we talk in detail about how to perform an internal audit “ISO 27001:2013 Internal Audit Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
Finally, you can use the Work Breakdown Structure (WBS) for the implementation of complex security controls, so this article can be interesting for you "ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS)" : https://advisera.com/27001academy/blog/2015/10/19/iso-27001-project-management-implementing-complex-security-controls-using-work-breakdown-structure-wbs/ -
Best practices in accessing business cloud applications
Answer:
Some best practices in accessing business cloud applications from mobile devices are:
- Use a secure channel for the connection (VPN, SSL, etc)
- Never store information related to your credentials of access in the device (avoid remember user/password in the device)
- Lock your device with a code, and also lock each app (above all the app that you use for accessing business cloud)
- Never share the device with another person
- Avoid Free public Wifi connections, or if you use one, be sure that your connection is protected by a secure channel (VPN)
By the way, we have a template related to the mobile devices, and although it is not mandatory in the standard ISO 27001, you can find it here “Mobile Device and Teleworking Policy” : https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
We also have the template Bring You r Own Device (BYOD) Policy, and again it is not mandatory in the standard, but you can find it here “Bring Your Own Device (BYOD) Policy” : https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
Maybe can be interesting for you the standard ISO 27017, which is specifically focused on the information security control for cloud services, so this article can be interesting for you “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
Finally, if you are interested in the security controls of ISO 27001, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
ISO certification for SMME
Answer:
Since you are dealing with lot of different industries, you will have to make sure which ISO certificate does your client require. I will assume that it is ISO 9001:2015 certificate but the process is pretty much the same.
First you need to conduct the GAP analysis to determine to what extent you already meet the requirements of the standard and also what needs to be done in order to achieve the full compliance. Usually, you need to create additional procedures and records and to establish some new processes. Once you determine all activities that need to be done, you should create the Project Plan and define the deadlines, responsibilities and resources for each activity, this is nor a mandatory step but it will help you avoid missing something out. The next step is to implement all the activities and to conduct internal audit and management review to ensure that you are fully compliant with the standard. The final step is to hire certification body to conduct certification audit and issue you the certificate.
We offer documentation toolkits and free online courses for ISO 9001, ISO 14001 and ISO 27001 and together with the toolkit you will be entitled to online meetings with an expert that will help you in implementation, you can also ask unlimited number of questions via email.
Here are the links to our documentation toolkits:
- ISO 9001 Documentation Toolkit https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- ISO 14001 Premium Documentation Toolkit https://advisera.com/14001academy/iso-14001-premium-documentation-toolkit/
- OHSAS 18001 Premium Documentation Toolkit https://advisera.com/18001academy/ohsas-18001-premium-documentation-toolkit/
- ISO 27001 & ISO 22301 Premium Documentation Toolkit https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/ -
ISO 9001:2008 and ISO/IEC 20000
Answer:
1. ISO 9001 (please note - current revision is 2015, see here https://advisera.com/9001academy/knowledgebase/iso-9001-2015-revision/) is general standard related to the quality management. Partially, it is applicable to IT organization i.e. services. However, ISO 20000 is standard related to the management of IT services and is more appropriate for IT orga nizations. So, it is excellent match for IT division. But, if you are large division, be careful with the scope of the implementation (see this article to learn more https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/)
2. Yes, ISO 20000-1 must be fully implemented.
3. Yes, there is a toolkit which covers all requirements in ISO 20000, you can find it here: https://advisera.com/20000academy/iso-20000-documentation-toolkit
No, we don't offer certification, we are not certification body (see here to learn more https://advisera.com/blog/2016/02/29/accreditation-vs-certification-vs-registration-in-the-iso-world/) -
Internal audits, KPIs and Management review according to ISO 9001:2008
I have prepared QMS manual by referring other documents and renewed certificate 9001:2008 but want to learn and do myself since company is not willing to spend money on my training for ISO MR.
Answer:
The best way to start is to examine the mandatory documents for ISO 9001:2008, here is the article that can be useful to you: List of Mandatory Documents for ISO 9001 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
Internal audit includes planning the internal audit, defining scope of the audit, audit criteria, conducting the audit and reporting on the results of the audit, for more information see:
- 13 Steps for ISO 9001 Internal Auditing using ISO 19011 https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
- Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
- Writing a good QMS internal audit report https://advisera.com/9001academy/blog/2015/03/17/writing-a-good-qms-internal-audit-report/
The purpose of the KPIs is to tell you whether the process is delivering what you expect form it or not, it is usually some parameter that can be measured or monitored. Here is an article that can be helpful to you How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/ and the free preview of the document for defining and monitoring KPIs Matrix of Key Performance Indicators https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/
Management review has inputs and outputs required by the standard and that is something that cannot be avoided, additionally you can add some other inputs and outputs, depending on the requirements of your top management. For more information, see:
- How to make Management Review more useful in the QMS https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
- How to Make Management Review More Practical https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
Here is the free preview of the record for management review that contains all necessary information Management Review Minutes https://advisera.com/9001academy/documentation/management-review-minutes/