
  • Differences between ISO 9001 and ISO 27001


    What is the difference between ISO 9001 and ISO 27001?

    Answer:

    Basically, ISO 9001 is for the management of quality (in services, processes, etc.), and ISO 27001 is for the management of information security. Another important difference: both standards talk about risks, although ISO 27001 is about risk management while ISO 9001 is only about risk analysis.
    These articles can be interesting for you:
    “What is ISO 27001?” : https://advisera.com/27001academy/what-is-iso-27001/
    “What is ISO 9001?” : https://advisera.com/9001academy/what-is-iso-9001/
    “Methodology for ISO 9001 Risk Analysis” : https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
    This “ISO 27001 vs. ISO 9001 matrix (PDF)” can also be interesting for you; you can download it here : https://advisera.com/27001academy/free-downloads
  • Context of the organization

    I am not sure if I have understood your question, but if you want to include a list of interested parties in your ISMS scope document, you can do it, but this does not mean that the interested parties are included in the scope of the ISMS, because the definition of the scope is about areas, information systems, services, etc. of your organization.

    Anyway, regarding the interested parties, the important thing is the identification of the requirements of the interested parties, and you can do it in an independent document. For example, you can use this template (you can see a free demo by clicking on the “Free demo” tab) “List of Legal, Regulatory, Contractual and Other Requirements” : https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    This article can be useful for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And also this one “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Our online course can also be interesting for you, because we give more information about the ISMS scope and the interested parties: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Can auditors verify technical aspects?


    Does the auditor verify technical aspects, for example the quality of a network architecture from the security point of view, or the truth of the information recorded in the risk assessment table?

    Answer:

    The auditor can verify technical aspects, for example the quality of a network architecture, because ISO 27001:2013 in Annex A has controls related to IT, for example A.13.1.1, A.13.1.2 and A.13.1.3, which are related to network security management. The auditor can also verify the truth of the information recorded in the risk assessment table, because the auditor needs evidence about the implementation and maintenance of your ISMS.
    This article can be interesting for you “Infographic: The brain of an ISO auditor – What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
  • Clause related to interested party


    I want to ask about the clause related to interested parties.

    Answer:

    The clause of ISO 27001:2013 related to interested parties is "4.2 Understanding the needs and expectations of interested parties", although clause "4.1 Understanding the organization and its context" is also related to interested parties (for the external context you can consider interested parties).
    This article can be interesting for you “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
    And also this one “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • Labelling of information


    I want to ask you about labelling of information in ISO 27002. ISO 27002:2013, in 8.2.2 "Establish information labelling procedures", says that information marking procedures should apply to information and associated assets presented in a physical or electronic format. If we say that the server (physical format) is information,

    so how can we label a server?

    Answer:

    I am sorry, but a server is not information; it is an asset of type hardware that can contain information (the information is another type of asset). But a server can also contain another type of asset: software. How can we classify the information (in electronic format) that a server contains? If it is a document, you can simply include the classification on the first page, or if the information is in a database (software) or other software, maybe you can include a message at the start of the operating system (through a script) showing that the information on the server is “confidential”, “internal”, etc.
    By the way, information in physical format can be a physical paper, and you can also include the classification on it (on the first page).
    This article about the classification of information can be interesting for you “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    And also this article about the asset inventory “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Differences between COBIT, ISO 20000-7, ITIL and Risk Management


    Clear distinction between COBIT 5, ISO 20000-7, ITIL and risk management

    Answer:

    COBIT 5 is a framework related to IT governance and includes aspects of IT service management, information security, business continuity, etc. ISO 20000-7 is a code of best practices for the implementation of ISO 20000-1 in the cloud, ITIL is a code of best practices for IT service management, and risk management is a tool that you can use to analyze and treat risks (you can identify and reduce them in your business).
    By the way, do you know how to write a risk assessment methodology? This article can be interesting for you: “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Tools to audit compliance


    Can you recommend tools to audit compliance?

    Answer:

    Sure, you can try our Internal Audit toolkit (you can see a free version by clicking on the “Free Demo” tab) “ISO 27001/ISO 22301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    You can also develop your own Internal Audit checklist reading this article “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Asset based or process based?


    I need one clarification on risk assessment, risk treatment and the SoA: is ISO 27001:2013 based on "business process" or is it asset-based?
    This is a confusion; some say it is asset-based and some say that as per the new revision it is "business process based".
    I need your audiences or a related link for more information on the said subject.

    Answer:

    ISO 27001:2013 is based neither on assets nor on business processes; this means that you are free to develop your methodology on the basis that you want (assets or business processes). Although, generally, a risk methodology based on assets is recommended.
    This article can be interesting for you “What has changed in risk assessment in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • SoA - Confidential?

    For this reason, we do not include sensitive information in our SoA. It is all well and good for the certificate to show that a company is compliant, but without visibility of the SoA we don't know the scope of that compliance, and the associated state of their security. A business could have marked all the key elements as not applicable, and been compliant.
  • Additional controls


    We had a situation in the recent surveillance audit and would appreciate your input here.
    One of our company's divisions handles non-voice KPO and it was certified for the ISO 27001:2013 standard during May 2015 (Certification Upgrade Audit). However, now we have added a chunk of the Healthcare domain to our KPO division. We connect to the customer's machines through VPN and process the records (no data is copied to our local machines), and the KPO bay is a 'no mobile - no paper' zone. However, just to track the progress of the records we process, the team lead types the client's name in an Excel sheet maintained on a local machine, followed by the start date, target date of completion and to whom it is assigned.
    I would like to know if I need to add any HIPAA control to my SoA in these scenarios. Can we use the client's name alone on a local machine for tracking? What is the HIPAA control when work is outsourced?
    P.S.: The MSA says a generic statement "All relevant HIPAA Controls are applicable" but doesn't say anything explicitly.

    Answer:

    Regarding compliance with ISO 27001:2013, it is not strictly necessary to implement additional controls; I mean, the 114 controls of Annex A of the standard are enough, although the implementation of additional controls (for example controls related to HIPAA) can be a best practice.
    But if HIPAA applies to your business, you can effectively include controls related to this standard in the SoA of ISO 27001, so in this case you can have a unique ISMS with the controls of both standards.
    Regarding the use of the client's name alone on a local machine, it is related to personal data, and depending on your country a specific regulation can apply, but generally you can use this information by applying the security controls established by the regulation of your country. Anyway, ISO 27001:2013 has in Annex A the control "A.18.1.4 Privacy and protection of personally identifiable information" for the protection of this type of data. This article about the regulations and laws of many countries related to information security can be interesting for you: “Laws and regulations on information security and business continuity” : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    Regarding your last question, I am sorry but I am not an expert in HIPAA, but from my point of view, if you have an external provider who is working with information protected by HIPAA, this provider needs to apply the controls of this standard.
    You can find more information about HIPAA on the official site of the U.S. Department of Health & Human Services : https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html