Search results


  • ISO 9001 in agriculture


    Answer:

    ISO 9001 is applicable to any kind of business, including agriculture, and its benefits can be achieved regardless of whether the company is making products or providing a service.

    Here are some articles that might be interesting for you:
    - What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
    - Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - ISO 9001: Why it should be viewed as a business management system https://advisera.com/9001academy/blog/2014/06/24/iso-9001-viewed-business-management-system/
  • Analyzing threats

    Ricardo, ISO 27001 does not prescribe how you should combine assets, threats and vulnerabilities, which means you have to use a system that makes the most sense for your situation.

    In my view, if there are few risks related to a particular server, then you can view the server as a single asset where hardware, software and data are combined; if there are numerous risks related to this server, in that case you can view those three assets separately.
  • Secure Engineering Principles (control A.14.2.5)


    Answer:
    Control A.14.2.5 is related to large information system design, which also includes the development of software. So, you simply need to design security into all architecture layers: business, data, application and technology.

    How can you design security during the development of software? With a Secure Development Policy, I mean, with rules that establish how to write secure code, so an auditor could look for this document (although it is not mandatory to have a document for this).

    So, generally the auditor will look in your organization for procedures or technical instructions that you use for information systems design. Some examples: Secure Development Policy, policy for hardening of servers, policy for configuration of databases, etc.

    Regarding the Secure Development Policy, this template can be useful for you (you can see a free version by clicking on the “Free demo” tab) “Secure Development Policy” : https://advisera.com/27001academy/documentation/secure-development-policy/

    By the way, for more information about the security controls, our online course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 20000 / ISO 27001 in pharmaceutical industry


    Answer:
    I think that the solution is (almost) in the middle. Namely, ISO 13485 is based on ISO 9001 and provides a good foundation for some parts of the SMS and ISMS. But the majority of the work (during implementation and afterwards) should be done by someone involved in the respective activities, like you suggested – the head of IT. But all systems should be integrated, so there should be close cooperation between QA and IT.
  • Risk Assessment Table


    You can merge them into a single asset type - as you mentioned "Employee laptops".

    In the video, you also mention that in the merge process, we should choose the highest overall score for each asset listed if there is overlap from many independent assessments done by independent asset owners. This conflicts with my original intuition: If an asset has multiple vulnerabilities, I originally assumed we should include the same asset multiple (potentially many) times in the Risk Assessment table, not just the highest.

    You should include all the threats and vulnerabilities related to the assets that are merged; however, for the level of impact and level of likelihood you should take the highest score from all the asset owners - this way you won't lose any information, and you will be aware of the worst-case scenario.
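    The merge rule described in this answer, as an added example that is not part of the original post: every threat/vulnerability pair assessed by any owner of the merged assets is kept as its own row, and where two owners assessed the same pair, the higher impact and the higher likelihood are taken. The asset names, owners, threats and scores below are constructed sample data, not values from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk assessment table as filled in by a single asset owner."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact: int       # e.g. 1..5 scale (assumed scale, constructed for the example)
    likelihood: int   # same scale


# Constructed sample: two laptop asset types assessed by two different owners,
# plus an unrelated asset that must survive the merge untouched.
SAMPLE_TABLE = [
    RiskEntry("Laptop - Sales", "Sales manager", "Theft", "Unencrypted disk", 4, 3),
    RiskEntry("Laptop - HR", "HR manager", "Theft", "Unencrypted disk", 5, 2),
    RiskEntry("Laptop - HR", "HR manager", "Malware", "Outdated antivirus", 3, 4),
    RiskEntry("Laptop - Sales", "Sales manager", "Loss", "No backup", 2, 2),
    RiskEntry("File server", "IT manager", "Hardware failure", "No redundancy", 4, 2),
]


def merge_entries(entries, merged_name, members):
    """Collapse the entries of the assets in `members` into one asset `merged_name`.

    Every (threat, vulnerability) pair is kept; for a pair assessed by several
    owners the maximum impact and maximum likelihood are used, so no assessment
    is silently dropped and the worst case is what ends up in the table.
    """
    merged = {}
    for e in entries:
        if e.asset not in members:
            continue
        key = (e.threat, e.vulnerability)
        cur = merged.get(key)
        if cur is None:
            merged[key] = {"impact": e.impact, "likelihood": e.likelihood, "owners": {e.owner}}
        else:
            cur["impact"] = max(cur["impact"], e.impact)
            cur["likelihood"] = max(cur["likelihood"], e.likelihood)
            cur["owners"].add(e.owner)

    rows = []
    for (threat, vuln), v in sorted(merged.items()):
        rows.append({
            "asset": merged_name,
            "owners": ", ".join(sorted(v["owners"])),
            "threat": threat,
            "vulnerability": vuln,
            "impact": v["impact"],
            "likelihood": v["likelihood"],
            # risk level as impact x likelihood (one common convention, assumed here)
            "risk": v["impact"] * v["likelihood"],
        })
    return rows


def merge_table(entries, merged_name, members):
    """Return the full table: rows of other assets unchanged, then the merged rows."""
    untouched = [
        {"asset": e.asset, "owners": e.owner, "threat": e.threat,
         "vulnerability": e.vulnerability, "impact": e.impact,
         "likelihood": e.likelihood, "risk": e.impact * e.likelihood}
        for e in entries if e.asset not in members
    ]
    return untouched + merge_entries(entries, merged_name, members)


if __name__ == "__main__":
    for row in merge_table(SAMPLE_TABLE, "Employee laptops", {"Laptop - Sales", "Laptop - HR"}):
        print(row)
```

    Running the block prints the merged table: the "Theft / Unencrypted disk" pair appears once with impact 5 (from HR) and likelihood 3 (from Sales), while the pairs only one owner assessed keep their original scores.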
  • Documenting clause 4 of ISO 9001:2015


    Answer:

    Clause 4 of ISO 9001:2015 explicitly requires documenting the scope of the Quality Management System.

    However, there is other information that is required but does not have to be documented. Such information concerns internal and external issues and the needs and expectations of the interested parties. This information does not have to be documented, although it is required that it is "monitored and reviewed", and the best way to do that is by documenting it.

    For more information, see:
    - How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015//
  • The same document for different controls


    Answer:
    I am sorry but I am not sure if I have understood your question, but you can use the same document for different controls (and you can include in the document references to all security controls that apply). For example, with our template “Operating Procedures for Information and Communication Technology” you can implement the relevant controls of A.12 (and some others from other clauses of the standard). If you are interested, you can see a free version of this template by clicking on “Free demo” here “Operating Procedures for Information and Communication Technology” : https://advisera.com/27001academy/documentation/security-procedures-for-it-department/

    By the way, a document is not necessary for every security control; if you want to know the list of mandatory documents, I recommend this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Risk owner's approval


    My question is when we need to obtain the risk owner's approval and whether it should be recorded as evidence?

    Answer:
    Basically, the owner's approval is required before the Risk Treatment Plan is implemented. As evidence you can hold a meeting with the risk owner (you need minutes of the meeting).

    This article about the steps of the risk assessment & treatment can be interesting for you “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And also this article about the risk owners “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    Finally, maybe our online course can be also very interesting for you because we also talk about the risk owners “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Information security at strategic level


    Answer:
    I am sorry but I am not sure what you mean; anyway, at a strategic level, from my point of view, you need to show the benefits of investing in ICT or cybersecurity. Remember that ISO 27001 is very related to ICT and cybersecurity, and you can use it to implement cybersecurity in your organization (with the support of ICT). In this case, at a strategic level, you can show the benefits of the implementation of ISO 27001, which are basically 4 main points: compliance, marketing edge, lowering the expenses, and putting your business in order. This article can be interesting for you “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    And also this free webinar “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

    By the way, do you know our free eBook about cybersecurity? You can download it here “9 Steps to Cybersecurity” : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
  • Security measures


    The question is related to this article, which speaks about the Statement of Applicability, so the form he mentions is the Statement of Applicability: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    Answer:
    I suppose that you mean “security measures”; if so, these measures should be determined by the company that has implemented ISO 27001 (not by its customer or by its certification body), and you only need to implement the measures that are necessary to reduce the risks identified during the risk assessment & treatment. So, in the SOA you will need to apply only the security measures that are necessary to reduce the risks identified.

    By the way, you will complete the SOA after the risk treatment, but before the risk treatment plan. Do you want more information about the steps of the risk assessment & treatment? This article can be interesting for you “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    This article can be also interesting for you “Risk Treatment Plan and risk treatment process – What’s the difference?” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    Finally, do you know our online course? “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/