
  • Access Management process ownership

    Well, Access Management is the fulfillment of Information Security Management policies. But that doesn't mean that Information Security Management should keep ownership of the Access Management process. The reason is that Access Management is an operational process. In real life, it's rare that an organization has an Access Management function. Usually, IT Operations Management performs tasks which belong in the domain of Access Management, i.e. IT Operations Management should/could have ownership of the process.
    Read the article:
    "ITIL Access Management – where do you think you're going?" https://advisera.com/20000academy/blog/2014/02/12/itil-access-management-think-youre-going/ to gain more information about Access Management.
  • ISO 22301 and the risk assessment

    I am interested in buying the ISO 22301 toolkit, but I am wondering why the Risk Assessment is not included in the toolkit, despite the RA being an essential part of Business Continuity.

    Answer:
    You are right, the Risk Assessment is an essential part of Business Continuity, but this does not mean that you need a specific document, for example for the Risk Assessment methodology (in ISO 27001 it is mandatory). In ISO 22301 it is only mandatory to document the results of the risk assessment (clause 8.2.3), and you can merge them with the results of the Business Impact Analysis through the Business Continuity Strategy. If you want to know the list of mandatory documents of ISO 22301, this article can be interesting for you: "Mandatory documents required by ISO 22301": https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

    So, in our ISO 22301 Toolkit we do not have a specific template related to the Risk Assessment, but we reference risk management in our template about the Business Continuity Strategy (section 3.2). You can see a free version of our template by clicking on the "Free Demo" tab of "Business Continuity Strategy": https://advisera.com/27001academy/documentation/business-continuity-strategy/ (you can summarize the results of the Business Impact Analysis and Risk Assessment in the Business Continuity Strategy).

    Anyway, if you are interested in the risk assessment, you can also use our Risk Assessment methodology (included in the ISO 27001 Toolkit), "Risk Assessment and Risk Treatment Methodology": https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/, and this article can also be interesting for you: "Can ISO 27001 risk assessment be used for ISO 22301?": https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
  • Logos for a company with ISO 27001 implemented

    We have now completed all mandatory documentation and processes and implemented a security training and exam throughout the company.

    Do you have logos, or know of any logos, that we can use to show that we are compliant with ISO 9001, ISO 22301 and ISO 27001?

    Answer:
    I am sorry, but we do not have logos. Keep in mind that generally the logos for ISO 27001 (or ISO 9001, ISO 22301) are issued by a certification body after the certification process, so if you have implemented the standard in your organization, the next step should be to certify it, and in this way the certification body can give you a logo for the certified system (if your organization is compliant with the requirements of the ISO standard).

    By the way, do you need information about how to choose a certification body? Maybe this article can be interesting for you: "How to choose a certification body": https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Limiting the scope

    I want to ask you one simple question. I will start a new ISO 27001 implementation in a large manufacturer.

    This is a company having entities in other countries. They already have ISO 27K certification for other countries, but their scope is restricted only to a few business units like R&D, Design, Service and Assembly Line.

    I read your article about defining the scope.

    My question: If I don't take other departments (like HR, IT, Facilities, etc.) into the scope, would these departments be external parties to these other units (that is, R&D, Design, Service and Assembly Line) in scope? So, for each data interaction, would they need to do a risk assessment with other departments of the company? I think this will make it difficult to happen. Am I wrong?

    What do you suggest ?

    Answer:
    Basically, these units (HR, IT, Facilities, etc.) should be treated in the same way as an external provider (which is providing internal services). So, the organization should perform a risk assessment of the HR, IT and Facilities units to identify whether there are risks for the information for which R&D, Design, Service and Assembly are responsible. By the way, in this case it is also very important to sign terms and conditions for the services provided.

    Finally, the general recommendation is to try to extend the scope to the whole organization, and if that is not possible, to set the scope on organizational units which are sufficiently independent. Maybe this article can be interesting for you: "Problems with defining the scope in ISO 27001": https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    And maybe our online course can also be interesting for you: "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
  • MAD, MTD, RTO

    I am looking for a clear understanding of the following definitions and the differences between them.

    MAD Maximum Allowable Downtime
    MTD Maximum Tolerable Downtime
    RTO Recovery Time Objective

    Answer:
    MAD and MTD are similar concepts, because they are both related to the maximum time that a process, service, system, etc. can be inoperative or unavailable. Similar concepts are also MAO (Maximum Acceptable Outage) and MTPD (Maximum Tolerable Period of Disruption), which are used by ISO 22301 (official definition for both in accordance with ISO 22301: "time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable").

    Regarding the RTO, in accordance with ISO 22301 it is the "period of time following an incident within which product or service must be resumed, or activity must be resumed, or resources must be recovered".

    So, in a disaster scenario, the time to recover a part of the business (services, activities, etc.) is related to the RTO, and the time to recover 100% of the entire business is related to the MAD and MTD (or MAO, MTPD).

    Maybe this article about the BIA can be interesting for you: "How to implement business impact analysis (BIA) according to ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    And also this article: "What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)": https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • Certification in Information security

    I have a question for you. I am looking for a certification in Information Security that would be the correct path for my career after 9+ years of experience in ITIL, ITSM, Compliance, ISO 9000, ISO 27001, Project Management, Application Design and Testing. Now I want to give my career a road towards becoming an Information Security Professional. I was already looking at some courses like CISSP, CISM, etc. However, that's confusing me now. I am looking forward to your advice and suggestions, which would serve as my guidance in achieving my professional goal.

    Answer:
    From my point of view, if you already have knowledge and experience of ISO 27001, the next step can be a qualification like CISA, or the ISO 27001 Lead Auditor certification. Generally, CISSP is more focused on technical issues, CISA is developed for IT auditors, and CISM is developed for IT security managers. This article can be interesting for you: "CISA vs. ISO 27001 Lead Auditor certification": https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    And this article can also be interesting for you: "Qualifications for an ISO 27001 Internal Auditor": https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    Finally, maybe our online course can be interesting for you: "ISO 27001:2013 Internal Auditor Course": https://advisera.com/training/iso-27001-internal-auditor-course/
  • 2008 or 2015?


    Answer:

    Since the new version of the standard is already published, I would suggest you go with the new version. The main reason is that you will avoid conducting a transition to the new version, which is mandatory by September 2018. This will significantly decrease the cost of maintaining your QMS certificate, because you will avoid implementing one version and then making changes to adapt to the new version.

    The only reason for implementing the 2008 revision is that there is a lot of material regarding it and consultants are familiar with it, so it would probably be easier to implement, but again, you cannot avoid making the transition later.

    For more information, see:
    - ISO 9001:2015 – The benefits of early implementation https://advisera.com/9001academy/blog/2015/09/29/iso-90012015-the-benefits-of-early-implementation/
  • QMS audit of EPC projects


    Answer:

    Conducting a QMS audit for an EPC (Engineering, Procurement and Construction) project is the same as for any other part of your QMS.

    First you need to plan the audit, meaning to determine the audit scope (in this case, EPC projects), the audit criteria (ISO 9001 standard, legal and contractual requirements, etc.), the audit sequence, who you will be talking to, and so on. Then you need to conduct the audit and finally write the internal audit report.

    For more information, see:
    - Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - 13 Steps for ISO 9001 Internal Auditing using ISO 19011 https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    - Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
    - Writing a good QMS internal audit report https://advisera.com/9001academy/blog/2015/03/17/writing-a-good-qms-internal-audit-report/

    Finally, our online course about ISO 9001:2015 internal audit, which contains a detailed explanation of the internal audit process, may also be interesting for you: "ISO 9001:2015 Internal Auditor Course" https://advisera.com/training/iso-9001-internal-auditor-course/
  • Threats into groups

    Would you please send me the threats grouped by their nature, with an example of each.

    Answer:
    I can give you some examples, which are based on ISO 27005 (the code of best practice for information security risk management):

    - Physical damage: Fire, water damage (due to flood), etc.
    - Natural events: Seismic phenomenon, volcanic phenomenon, etc.
    - Loss of essential services: Loss of power supply, failure of telecommunication equipment, etc.
    - Compromise of information: Remote spying (a computer has been hacked), disclosure (the organization's database is published), theft of equipment, etc.
    - Technical failures: Equipment failure (the equipment cannot run due to a hard drive fault), software malfunction (Windows cannot start), etc.
    - Unauthorized actions: Corruption of data (information in the database is modified without authorization), fraudulent copying of software (Windows without licenses), etc.
    - Compromise of functions: Error in use (you forget to perform a backup), abuse of rights (someone without authorization performs actions as administrator), etc.

    Anyway, here you can see our catalogue of threats & vulnerabilities, which I think can be interesting for you: "Catalogue of threats & vulnerabilities": https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    Finally, our online course about ISO 27001:2013 foundations, which contains a detailed explanation of the risk assessment, may also be interesting for you: "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
  • Where to start the transition


    Answer:

    The best way to start the transition from the 2008 to the 2015 version of ISO 9001 is to perform a gap analysis to determine which of the new requirements your existing system already fulfills, and then to establish a project to fulfill the new requirements.

    For more information about the steps in the transition, see this article:
    - How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/