Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11271 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 Internal Audit practice and tips
I’m assuming you are referring to an internal audit.
Considering that, to perform an internal audit you should consider these steps:
- Develop an internal audit procedure
- Plan your audits, considering dates, criteria, and scope
- Develop checklists to help you not forget something during the audit
- Elaborate on the audit report which will include the non-compliances and other findings
These articles will provide you a further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
-
What to do with legacy documents & materials
1 - I am looking at our options in regards to planning a roll out of an information classification and retention policies and tools to withing our organization to help users identify, classify, and protect sensitive data and assets for ISO 27001.
Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to setup a new structure in Dropbox and migrate/convert the Company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long term objective of sun-setting the content.
Is there a tried and tested method for this task. We have limited resources so it will take time to do.
To build a structure that is sound for your business you can consider at least these approaches:
- organize documents by organizational units (i.e., which areas need access to which documents)
- organize documents by processes (i.e., which documents need to be accessed to cover related steps to deliver a defined result – e.g., documents related to payroll)
- organize documents by roles (i.e., which people needs access to which documents)
Considering that, you should follow these steps:
- list all documents that need to be accessed
- identify the documents according to defined criteria
- create specific folders to group documents that have similar criteria
The toolkits you’ve bought are an example of the organization by process (from document management to corrective actions). You can use them to organize your documents, or as a template to build your own structure.
2 - My other question is, will the auditors want to look at the legacy materials. Our aim is to put an ISO stake in the ground and have all relevant / supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative Apps/Software, such as Conformio in 2023.
Auditors will be looking for legacy materials only if they are previous versions of documents being used by the time of the audit, to check if document management criteria related to change control are being fulfilled (e.g., document review, change control, etc.).
For example, if your current Access control policy is an update of a legacy Access control policy, the auditor may want to see this document. On the other hand, if the legacy documents include a Backup policy related to a technology that was discontinued by the time the implementation of the ISMS started, there is no need to access this document.
-
QMS, Quality Manual, Quality Procedures and Quality Management Plan
A QMS, as ISO 9000:2015 defines, is part of a management system related to quality. While implementing a QMS an organization may develop non-mandatory documents like a Quality Manual, a kind of the QMS’s identity card, Quality procedures, documents that set rules about how organizations should act in certain circumstances. Concerning what is a Quality Management Plan, that terminology is not very common with ISO 9001:2015. So, different people may mean different things. For example, a QMP may mean how the QMS is applied in a particular project.
Companies that work on a project basis, like construction companies, normally have to develop a QMP for each project. Many times it is a client request.
You can find more information about documentation below:
- New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
-
QMS Manager Rights
According to clause 5.3 of IS 9001:2015, for each organizational role relevant to the QMS, organizations must determine authorities and responsibilities. Each organization may determine different documents and ways of compiling those authorities and responsibilities. For example, some organizations use job descriptions to do that.
Now, what those authorities and responsibilities are, for each role and organization is defined by each organization and approved by top management.
You can find more information below:
- How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- Enroll for free in ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
Risk Assessments in Conformio
1. Can assets be put in a hierarchy, so that filing cabinets can be seen as part of an office building, or firewall as part of a server? I think this would have benefits for overview and determining potentially assets affected by incidents related to other assets below or above in the hierarchy. I'm not sure whether this makes sense from a Risk Management perspective.
While this functionality would be interesting, it is not currently available in Conformio because it is not required by the standard (even the guidelines from ISO 27002 for ISO 27001 Annex A control A.8.1.1 Inventory of assets do not mention this), and the building of such hierarchy would mean a whole module by itself (it is a whole discipline of ITIL and ISO 20000 - Service Asset and Configuration Management).
For further information, see:
- Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/
2. I see the same vulnerabilities for different assets, like inadequate change control for laws, regulations, etc but also for policies, procedures and work instructions. Is there a way to optimize this and to reduce the number of vulnerabilities?
Please note that a single vulnerability may impact different assets like in the example you provided, but it is not mandatory to associate that vulnerability for all listed assets. These relations are only suggestions provided to help you perform risk assessment, so you can decide to not select the vulnerability for some assets.
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
-
Question ISO 27001 implementation
Certifying only the small company is possible, provided it is legally separated from the bigger company, and you can include in the Information Security Management scope only the elements the small company controls (you do not need to separate everything).
For example, in physical terms, this means that this small company should be located on a floor of its own, not shared with employees of the bigger company.
In terms of policies and procedures, they should be divided in a way that you can control all the elements of your documentation, i.e., even if you need to follow the guidelines of the bigger company, you can do that in your own way. For example, you can implement access control in different ways.
Please note that if you find out that implementing such separation is too complex or costly, then an alternative would be to certify both companies, keeping the bigger company scope as small as possible (e.g., including only the processes that directly interact with the small company).
These materials will help you regarding scope definition:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
-
Questions Regarding Clinical Evaluation
We have noticed that our current clinical evaluation report does not meet the MDR requirements due to unsatisfactory documentation. Eventhough all clinical tests and results are good enough for proofing the product usage the consultant company did not properly documented as regulatory requested format and contents .So we need to reorganize CER report and need a new company/individual to assist us. Our intention is to work with a competent and reliable agent. In addition to CER work we also need to rework on some tests(Biocompatibility). So I need your guidance and recommendation for selecting a test center and CER process.Do you know any source for recommending us? -
Does ISO 19011:2018 align or integrate with ISO 27001?
ISO 19011 is a management system audit standard and can be used to help fulfill ISO 27001 requirements from clause 9.2 – Internal audit (e.g., provides guidelines for audit program planning, auditor selection, audit report documentation, etc.).
This article will provide you a further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
-
Infosec procedures
Control A.10.1.2 is covered in our template Policy on the Use of Encryption. You can take a look at its demo at this link: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
A vulnerability procedure is not mandatory for ISO 27001 and is not a common document adopted by organizations, so there is no template covering the specific clause of the standard related to it (control A.12.6.1 - Management of technical vulnerabilities).
Control A.12.6.1 does not prescribe how many scans are necessary for each classification asset. You should define these based on the results of risk assessment and applicable legal requirements.
This article will provide you with a further explanation about key management:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
This article will provide you with a further explanation about vulnerability management:
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
For detailed processes and more technical reference you should consider NIST Special Publications:
- Technical Guide to Information Security Testing and Assessment https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
- Secure Software Development Framework (SSDF) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
- A Framework for Designing Cryptographic Key Management Systems https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-130.pdf
- Recommendation for Key Management: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf
-
Quantity of risks
Considering that you will still receive inputs from your technical people, as a starting point, ~200 risks, with ~15% of them to be treated is a good scenario.
Please note that the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.
An additional thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.