Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Copying documents

    I’m assuming the question you refer to is about the usefulness of using ISMS documents from other organizations on your own.

    Considering that, the correct answer is that documents from other organizations are only useful as a starting point for developing your own.

    This is so because documents from other organizations will not be adjusted to your context, so they can become too bureaucratic, or not provide proper security.

    There wasn’t an alternative stating that it was forbidden to copy documents from other organizations because this is not always true. You may have access to documents from other organizations because they are of public nature, or because you may have some sort of agreement you have with them.

  • Conformio - setting up people and departments

    1 - I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.

    Answer: Please note that the contracts in the list of requirements are those which prioritize the clauses your organization needs to comply with regarding interested parties (e.g., contracts with your customers).

    Contracts that prioritize the clauses the interested parties need to comply with on your behalf are controlled through the Supplier Security Policy, which is provided by Conformio.

    For further information, see:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    2 - What detail is required.

    2.1 - As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018 do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”.

    Answer: The level of detail must be sufficient to allow the designated person for complying with the requirement to understand what needs to be fulfilled, or where to find such information. Your example falls in the second type (i.e., you identify where the details to fulfill the clause can be found). An example for the first type would be including the information that a clause from a contract with a customer specifying that a full backup of all his information needs to be performed weekly.

    2.2 - You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc., are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only applies to public authorities. 

    There are quite a lot of acts etc., that I have heard for but don’t know in detail e.g., the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!

    Answer: Please note that the list of legislation provided in Conformio is a starting point. Since each organization can have different levels of compliance needs for each one, it is unfeasible to provide a more detailed analysis. Our recommendation is for companies to hire local expert advice to help identify your specific needs.

    3 - Valid from and deadline dates

    3.1 - What are these dates aimed at?

    Answer: The valid from date refers to the date when the requirement was published (i.e., when the law/regulation was published).

    The deadline date refers to the date by when the requirement must start to be enforced in the organization (in most cases it is related to an enforcement date defined in the law/regulation).

  • ISO27001 Implementation

    ISO 27001 consists of two parts:
    1 - the main part of the standard, from clauses 0 to 10, out of which clauses 4 to 10 are mandatory. These clauses defined what an Information Security Management System (ISMS) needs to perform, document, record, and deliver.

    2 - Annex A, which has 14 sections - it starts from A.5 to A.18. These sections contain the 114 controls, which defines information security requirements and controls objectives

    ISO 27001 Annex A is based on British Standard BS 7799-1 (Information technology - Code of practice for information security management ), which had the following structure:

    Foreword
    0 introduction
    1 scope
    2 terms and definitions
    3 structure of this standard
    4 risk assessment and treatment
    5 security policy
    6 organization of information security
    7 asset management
    8 human resources security
    9 physical and environmental security
    10 communications and operations management 
    11 access control
    12 information systems acquisition, development and maintenance
    13 information security incident management
    14 business continuity management
    15 compliance
    Bibliography
    Index

    So, when this content was incorporated to ISO 27001 Annex A, version 2005, to facilitate the transition for those who used the BS standard, the names and section numbers from sections 5 to 15 of the old BS 7799-1 were kept, only including the "A." to indicate they are part of the ISO 27001 Annex. When ISO 27001 was updated to version 2013 this sequence was maintained.

    Here you can see a further explanation:
    - A list of sections in Annex A: https://advisera.com/27001academy/iso-27001-controls/
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    This whitepaper also can help you:
    - Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

  • Management Representative role choice

    There is nothing in ISO 14001:2015 about the management representative. So, organizations can chose a temporary employee to fulfill the role. Even in previous versions where the role of the management representative was included allowed the use of a temporary employee to fulfill the role. Some years ago I acted as management representative for a company, while being a service supplier

  • Scope in Conformio

    In the context of ISO 27001, interested parties are any entities (e.g., persons or organizations) that can influence your information security, or that can be affected by your information security activities. Considering that, and your examples, “local community” wouldn’t be an interested party, while your client would be.

    Regarding provided services, these are not part of the interested parties or interested parties’ requirements. They would be part of the ISMS scope, i.e., the elements of your organization you want to protect considering interested parties and their requirements

    For further information, see:

    This material can also help you:

  • Best approach in evaluating time and effort for certification

    The implementation duration and costs depend on many variables (e.g., size and complexity of the scope, financial resources, and expertise available, etc.), but for very small and small-sized business generally is possible to implement ISO 27001 within 3 months.

    For more information about the time needed for the implementation, I suggest you see this article: 

    Regarding costs, what I can tell you are some cost issues you should consider:

    • Training and literature
    • External assistance
    • Technologies to be updated/implemented
    • Employee's effort and time
    • The certification process

    These materials can provide you more information:

  • ISO 17025:2017 witnessing audit

    Witnessing is a technique use during internal auditing that is applicable to many activities. Typically a laboratory would as a minimum include technical witnessing of personnel. You would decide which activities to witness, based on risk.  Look at the scope of work and for a particular activity, e.g a test method, why you would decide what steps to audit.  Take the process of receiving samples to releasing results as an example. If  you have new personnel performing sample preparation, one Internal witnessing could be them demonstrating that step. If for example there have been nonconforming events raised due to problems with reagents, then plan to witness that activity.

     

    For more information on technical audits, see
    https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/

  • Risk Assessment Questions

    1. I have one hundred laptops, and thirty servers, do I list them all individually in the Risk Assessment Table?

    You do not need to list individual laptops and servers in the Risk Assessment Table.

    You can adopt a generic term like “laptop” or “server” if they share similar risks. In case there are laptops with specific risks, you can use specific assets like "laptop", "development laptop ", and "finance laptop ". The same concept applies to servers.

    For further information:

    2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?

    The devices only need to be listed as risks in your Risk assessment table if you have control over them (i.e., the outsourced datacenter only provides the physical facilities, and you need to handle the risks related to the devices).

    In case they are controlled by the provider, then you should list the outsourced data center as an asset in your Risk Assessment Table (in this case you need to look for risks related to the supplier not protecting the devices).

    For further information, see:

    3. I am assuming that much of the risk will be transferred to the outsourcer?

    This decision will depend on which part has control over the assets. For example, if you have control over the servers (e.g., you need to configure them), then it does not make sense to transfer the risks for the outsourcer. In case you only use the services provided by the servers, which are controlled by the outsourcer, then the risks related to them can be transferred to the outsourcer.

    This article will provide you a further explanation:

  • Toolkit content

    First of all, we're sorry about this misunderstanding. 

    In the context of ISO 27001, "analysis" means the assessment of consequences and likelihood to define how big a risk is, and there is no need to perform any additional analysis. The Methodology document in your toolkit explains the criteria for assessing consequences and likelihood, and the Excel sheet enables you to do it quickly by selecting the values and the risks are calculated automatically.

    For further information, see:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

  • Implementation process

    Roughly speaking, ISO 27001 implementation steps can be resumed in:

    1. getting management buy-in for the project;
    2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
    3. development of risk assessment and treatment methodology;
    4. perform a risk assessment and define the risk treatment plan;
    5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6. people training and awareness;
    7. controls operation;
    8. performance monitoring and measurement;
    9. perform internal audit;
    10. perform management critical review; and
    11. address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you a further explanation about ISMS implementation:

    ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 
    To see how documents compliant with ISO 27001 looks like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    These materials will also help you regarding the ISO 27001 implementation:

    Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    Regarding the selection of a consultant, the process needs to consider their experience & skills, reputation, and customized service.

    For more information, please read this article:
    - 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/ 
Page 145-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +