
  • SOA; CONTROL APPLICABLE vs. CONTROL IMPLEMENTED?

    1 - Can you help me explain the implementation of SoA?

    The implementation of the SoA, i.e., of the controls identified as applicable, is made according to what is defined in the Risk Treatment Plan, which defines actions, responsibilities, and deadlines.

    For example, if control A.12.3.1 Information backup is defined as applicable in the SoA, in the Risk Treatment Plan you will define activities like elaboration, approval, and publication of a Backup Policy, and the acquisition and implementation of a software solution to be implemented in your environment.

    For further information, see:

    2 - Is the SoA acceptable if not all applicable controls are implemented, i.e., if some controls marked "applicable" are not marked "implemented"?

    I’m assuming you are asking about SoA acceptance considering certification purposes.

    Considering that, during a certification audit the auditor can accept that certain controls stated in the SoA as applicable are not implemented if:

  • all the major risks are resolved before the certification
  • in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date
  • the risk owners have accepted the risks related to controls that will be implemented later.

    These materials will also help you regarding Risk Assessment and Treatment:

  • ISO 27005:2018

    If I understood correctly, you want insight into the relevance of ISO 27005 to current ISO 27001-based ISMSs.

    Considering that, although the asset, threat, and vulnerability risk identification method is no longer mandatory for ISO 27001, it still continues to be one of the most used approaches, due to its simplicity, so you should keep the ISO 27005 standard in your reading list. For other approaches to risk assessment, you should also consider reading ISO 31010, which covers other risk assessment techniques.

    For further information, see:

  • Protection against abuse of rights

    Additional controls you can consider are access control (i.e., people only have access to what is needed for doing their job), and segregation of duties (i.e., any critical/sensitive task cannot be performed by a single person).

    For further information, see:

  • 04.1_Information_Security_Policy_Cloud_EN

    1. Actually, my concern is not about the cloud document. The title of the 2 documents is different. In the toolkit it is "INFORMATION SECURITY POLICY" but in the video it is "INFORMATION SECURITY MANAGEMENT SYSTEM POLICY". I would like to make sure that they are the same documents.

    The two documents are the same. Wherever you find a discrepancy between the videos and the toolkit templates, please consider the templates the most updated versions.

    Furthermore, I see other templates online that have more content than your document. Should they not be included in this policy as well?

    If you refer to the top-level Information Security Policy, please note it needs to be short and should not be confused with a more detailed IT Security Policy that is also part of the toolkit. The templates in Advisera's toolkit are designed for smaller and mid-size companies, are fully compliant with the standards, accepted by certification auditors, and are not too lengthy so as not to create an overhead. Of course, feel free to add any further text that you feel would fit well for your company.

  • ISO 27001 package question regarding risk assessment

    If you already have implemented controls you need to take them into account when analyzing the risks, so your understanding is correct. In the Risk Assessment Table, in the last column, you can describe which controls are already implemented.

    For further information, see:

    This material will also help you regarding risk assessment:

  • PESTEL analysis in ISO 14001

    Organizations are not closed systems. External issues are relevant topics that can influence the future of an organization. For example, governments can issue legislation that will affect the activity of an organization. Social trends can influence consumers' or clients’ priorities. You can use the PESTEL analysis to help in systematically determining external issues. After the PESTEL analysis, I recommend collecting positive external issues as opportunities and negative external issues as threats and organizing the information in a SWOT matrix that allows us to determine potential risks and opportunities. Please check these two free webinars where I demonstrate the use of the technique (they are about ISO 9001, but applicable also to ISO 14001):

    The following material will provide you with more information:

  • Conciliation between ISO 13485 and EU MDR

    I want to understand all the requirements of EU MDR and their conciliation with ISO 13485 and FDA 21 CFR
  • Cloud services auditability

    Thanks for this… quite timely too as I am in the middle of undertaking research for a professional doctorate degree in information security. My research is around the auditability - or lack of - of cloud service providers by cloud customers. As a 3rd party assurance consultant we are getting more and more resistance from suppliers/partners of cloud services to audit them. My research aims to review existing cloud audit frameworks and draw out any gaps – and propose a new framework that allows CSP auditability. The proposal is to develop an audit authority that can perform audits of cloud service providers using the proposed framework. The audit reports can then be made available to businesses so they do not have to audit the CSPs themselves. I have contacted the CSA for their input and hoping to get their feedback soon. 1 - Would you happen to have mapping of cloud audit frameworks that highlights common controls and differences? 2 - Also what is your opinion on the Cloud Audit Authority proposal?
  • QMS implementation

    No, any mandatory documents and records from a clause not applicable to an organization are not relevant to that organization’s quality management system. For example, if clause 8.3 is not applicable, no records from that clause are required.

    Please check the following information:
