
  • Limiting the scope

    I want to ask you one simple question. I will start a new ISO 27001 implementation in a large manufacturer.

    This is a company having entities in other countries. They have already had ISO 27K certification for other countries, but their scope is restricted to only a few business units like R&D, Design, Service and Assembly Line.

    I read your article about defining the scope.

    My question: If I don't take other departments (like HR, IT, Facilities, etc.) into the scope, would these departments be external parties to the other units (that is, R&D, Design, Service and Assembly Line) in scope? So, for each data interaction, would they need to do a risk assessment with other departments of the company? I think this will make it difficult to happen. Am I wrong?

    What do you suggest?

    Answer:
    Basically these units (HR, IT, facilities, etc.) should be treated in the same way as an external provider (which is providing internal services). So, the organization should perform the risk assessment of the HR, IT and facilities units to identify if there are risks to the information for which R&D, Design, Service and Assembly are responsible. By the way, in this case it is also very important to sign terms and conditions for the services provided.

    Finally, generally the recommendation is to try to extend the scope to the whole organization, and if it is not possible, try to set the scope in organizational units which are sufficiently independent. Maybe this article can be interesting for you, “Problems with defining the scope in ISO 27001”: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    And maybe our online course can also be interesting for you, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • MAD, MTD, RTO

    I am looking for a clear understanding of the following definitions and the difference between them.

    MAD – Maximum Allowable Downtime
    MTD – Maximum Tolerable Downtime
    RTO – Recovery Time Objective

    Answer:
    MAD and MTD are similar concepts, because they are related to the maximum time that a process, service, system, etc. can be inoperative or unavailable. Similar concepts are also MAO (Maximum Acceptable Outage) and MTPD (Maximum Tolerable Period of Disruption), which are used by ISO 22301 (official definition for both in accordance with ISO 22301: “time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable”).

    Regarding the RTO, in accordance with ISO 22301: “period of time following an incident within which product or service must be resumed, or activity must be resumed, or resources must be recovered”.

    So, in a disaster scenario, the time to recover a part of the business (services, activities, etc.) is related to the RTO, and the time to recover 100% of the entire business is related to the MAD and MTD (or MAO, MTPD).

    Maybe this article about the BIA can be interesting for you, “How to implement business impact analysis (BIA) according to ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    And also this article, “What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)”: https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • Certification in Information security

    I have a question for you. I am looking for a certification in Information Security that should be a correct path for my career after 9+ years of experience in ITIL, ITSM, Compliance, ISO 9000, ISO 27001, Project Management, Application Design and Testing. Now I want to give my career a road reaching Information Security Professional. I was already looking at some courses like CISSP, CISM, etc. However, that is confusing me now. I am looking forward to your advice and suggestions that would prove to be my guidance in achieving my professional goal.

    Answer:
    From my point of view, if you already have knowledge and experience about ISO 27001, the next step can be a qualification like CISA, or ISO 27001 Lead Auditor certification. Generally CISSP is more focused on technical issues, CISA is developed for IT auditors, and CISM is developed for IT security managers. This article can be interesting for you, “CISA vs. ISO 27001 Lead Auditor certification”: https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    And also this article can be interesting for you, “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    Finally, maybe our online course can be interesting for you, “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/
  • 2008 or 2015?


    Answer:

    Since the new version of the standard is already published, I would suggest you go with the new version. The main reason is that you will avoid conducting a transition to the new version, which is mandatory until September 2018. This will significantly decrease the cost of maintaining your QMS certificate, because you will avoid implementing one version and then making changes to adapt to a new version.

    The only reason for implementation of the 2008 revision is that there are a lot of materials regarding it and consultants are familiar with it, so it would probably be easier to implement, but again you cannot avoid making a transition later.

    For more information, see:
    - ISO 9001:2015 – The benefits of early implementation https://advisera.com/9001academy/blog/2015/09/29/iso-90012015-the-benefits-of-early-implementation/
  • QMS audit of EPC projects


    Answer:

    Conducting a QMS audit for an EPC (Engineering, Procurement and Construction) project is the same as for any other part of your QMS.

    First you need to plan the audit, meaning to determine the audit scope (it is EPC projects), audit criteria (ISO 9001 standard, legal and contractual requirements, etc.), audit sequence, who you will be talking to and so on. Then you need to conduct the audit and finally to write the internal audit report.

    For more information, see:
    - Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - 13 Steps for ISO 9001 Internal Auditing using ISO 19011 https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    - Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
    - Writing a good QMS internal audit report https://advisera.com/9001academy/blog/2015/03/17/writing-a-good-qms-internal-audit-report/

    Finally, maybe our online course about ISO 9001:2015 internal audit can also be interesting for you, as it contains a detailed explanation of the internal audit process: “ISO 9001:2015 Internal Auditor Course” https://advisera.com/training/iso-9001-internal-auditor-course/
  • Threats into groups

    Would you please send me the threats grouped based on their nature, with an example of each.

    Answer:
    I can give you some examples, which are based on ISO 27005 (the code of best practices for information security risk management):

    - Physical damage: Fire, water damage (due to flood), etc
    - Natural events: Seismic phenomenon, volcanic phenomenon, etc
    - Loss of essential services: Loss of power supply, failure of telecommunication equipment, etc.
    - Compromise of information: Remote spying (a computer has been hacked), disclosure (the database of the organization published), theft of equipment, etc
    - Technical failures: Equipment failure (the equipment cannot run due to hard drive fault), software malfunction (Windows cannot start), etc
    - Unauthorized actions: Corruption of data (information in the database is modified without authorization), fraudulent copying of software (Windows without licenses), etc.
    - Compromise of functions: Error in use (you forget to perform a backup), abuse of rights (someone without authorization performs actions as administrator), etc.

    Anyway, here you can see our catalogue of threats & vulnerabilities, which I think can be interesting for you, “Catalogue of threats & vulnerabilities”: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    Finally, maybe our online course about ISO 27001:2013 foundations can also be interesting for you, as it contains a detailed explanation of the risk assessment, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Where to start the transition


    Answer:

    The best way to start with the transition from the 2008 to the 2015 version of ISO 9001 is to perform a GAP analysis to determine which of the new requirements your existing system already fulfills, and then to establish a project to fulfill the new requirements.

    For more information about the steps in the transition, see this article:
    - How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
  • Incident Management - setting up resolution time

    Your resolution time related to the priority level has to be agreed with your customer. Use a priority matrix (see the article "All About Incident Classification" https://advisera.com/20000academy/knowledgebase/incident-classification/) and include definitions of the different types of incidents which belong to the different priority levels in your SLA (to be clear which type of incident belongs to which priority level).
    If you use a tool, insert the priority levels inside your tool and connect them to the SLA.
  • Updating to ISO 27001:2013 Lead Auditor Course?

    I was just about to contact you about the steps for obtaining the certificate, and you sent me an appropriate email.
    You said that I can take the course any time I want, of course after the payment.
    Does it mean that the time for taking the exam is during the valid date of the standard, in other words, until another version of the standard is declared by the ISO organization?

    Answer:

    I am not sure what you mean, but if you are qualified as an ISO 27001 Lead Auditor, it is so for all time. Anyway, if you are qualified now on ISO 27001:2013, and next year ISO 27001:2016 is published, you will need to perform a transition course, but you do not lose your qualification in ISO 27001.

    Maybe this article about qualifications can be interesting for you, “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • IRCA/RABQSA accredited certificate

    I am willing to undergo ISO 27001 certification. I want to know what difference it makes whether the institute/organisation which is providing me training gives an IRCA/RABQSA accredited certificate.

    Answer:
    They have the same functions (basically both can certify individual professionals: ISO 27001 Lead Auditor, Lead Implementer, etc.) and they are competitors, so the difference can be that IRCA is maybe more known internationally, although RABQSA also has good prestige.

    By the way, a course accredited (by IRCA or RABQSA, or any other) has more international prestige than a course that is not accredited by an entity with good prestige, although you can probably obtain the same knowledge.

    This article can be interesting for you, “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    And finally, maybe our online course can also be interesting for you, “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/