Search results

Risk Assessments in Conformio

1. Can assets be put in a hierarchy, so that filing cabinets can be seen as part of an office building, or firewall as part of a server? I think this would have benefits for overview and determining potentially assets affected by incidents related to other assets below or above in the hierarchy. I'm not sure whether this makes sense from a Risk Management perspective.

While this functionality would be interesting, it is not currently available in Conformio because it is not required by the standard (even the guidelines from ISO 27002 for ISO 27001 Annex A control A.8.1.1 Inventory of assets do not mention this), and the building of such hierarchy would mean a whole module by itself (it is a whole discipline of ITIL and ISO 20000 - Service Asset and Configuration Management).

For further information, see:

• Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/

2. I see the same vulnerabilities for different assets, like inadequate change control for laws, regulations, etc but also for policies, procedures and work instructions. Is there a way to optimize this and to reduce the number of vulnerabilities?

Please note that a single vulnerability may impact different assets like in the example you provided, but it is not mandatory to associate that vulnerability for all listed assets. These relations are only suggestions provided to help you perform risk assessment, so you can decide to not select the vulnerability for some assets.

For further information, see:

• ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

Question ISO 27001 implementation

Certifying only the small company is possible, provided it is legally separated from the bigger company, and you can include in the Information Security Management scope only the elements the small company controls (you do not need to separate everything).

For example, in physical terms, this means that this small company should be located on a floor of its own, not shared with employees of the bigger company.  

In terms of policies and procedures, they should be divided in a way that you can control all the elements of your documentation, i.e., even if you need to follow the guidelines of the bigger company, you can do that in your own way. For example, you can implement access control in different ways.

Please note that if you find out that implementing such separation is too complex or costly, then an alternative would be to certify both companies, keeping the bigger company scope as small as possible (e.g., including only the processes that directly interact with the small company).  

These materials will help you regarding scope definition:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/ 
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Questions Regarding Clinical Evaluation

Does ISO 19011:2018 align or integrate with ISO 27001?

ISO 19011 is a management system audit standard and can be used to help fulfill ISO 27001 requirements from clause 9.2 – Internal audit (e.g., provides guidelines for audit program planning, auditor selection, audit report documentation, etc.).

 This article will provide you a further explanation about internal audit:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Infosec procedures

Control A.10.1.2 is covered in our template Policy on the Use of Encryption. You can take a look at its demo at this link: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/

A vulnerability procedure is not mandatory for ISO 27001 and is not a common document adopted by organizations, so there is no template covering the specific clause of the standard related to it (control A.12.6.1 - Management of technical vulnerabilities).

Control A.12.6.1 does not prescribe how many scans are necessary for each classification asset. You should define these based on the results of risk assessment and applicable legal requirements.

 This article will provide you with a further explanation about key management:

• How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

This article will provide you with a further explanation about vulnerability management:

• How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

For detailed processes and more technical reference you should consider NIST Special Publications:

• Technical Guide to Information Security Testing and Assessment https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
• Secure Software Development Framework (SSDF) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
• A Framework for Designing Cryptographic Key Management Systems https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-130.pdf
• Recommendation for Key Management: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf

Quantity of risks

Considering that you will still receive inputs from your technical people, as a starting point, ~200 risks, with ~15% of them to be treated is a good scenario.

Please note that the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.

An additional thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.

ISMS metrics related to Scope

 Regardless of the perspective, the development of metrics follows some general rules:

• Business relevant: the indicator should be aligned to clear business objectives or legal requirements.
• Process integrated: activities to collect the necessary data for a KPI should add the least amount of work possible.
• Assertive: the indicator should be capable of pinpointing relevant issues (e.g., process steps, organizational areas, resources, etc.) that need attention.

Considering Product development, some examples are:

• Percent of products of the portfolio supported by the ISMS
• Number of product development incidents related to information compromise
• Incident resolution time
• Percent of controls assessment performed
• Number of improvement initiatives

For further information, see:

• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

ISMS metrics, from Product development perspective

Regardless of the perspective, the development of metrics follows some general rules:

• Business relevant: the indicator should be aligned to clear business objectives or legal requirements.
• Process integrated: activities to collect the necessary data for a KPI should add the least amount of work possible.
• Assertive: the indicator should be capable of pinpointing relevant issues (e.g., process steps, organizational areas, resources, etc.) that need attention.

Considering Product development, some examples are:

• Percent of products of the portfolio supported by the ISMS
• Number of product development incidents related to information compromise
• Incident resolution time
• Percent of controls assessment performed
• Number of improvement initiatives

For further information, see:

• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

Calibration vs verification

You said you don't do outside calibrations. As a testing laboratory however, you need external calibration by competent parties to ensure metrological traceability. For example, the analytical balances.

You asked why the adjustment of instruments is not included in clause 7.4. Note that clause 7.4 deals with handling of test or calibration item (after the sampling step) and is applicable for laboratories handling items to be tested (testing laboratories) or calibrated (calibration laboratories).

It is clause 6.4 which deals with the requirements for equipment, including calibration of any equipment which can influence the validity or results generated (whether a test or calibration result). Here clause 6.4 requirements must be met for all equipment in the process, which in includes for example the components of the ICP, the standard used for the calibration curve and volumetric measuring devices used.

For more information and links to resources, see my reply to the question Equipment qualification at https://community.advisera.com/topic/equipment-qualification/