We are currently updating our toolkit, and some more information will be covered by June 2021.
For this purpose, you should consider at least these controls:
These materials will help you regarding security controls:
First of all, sorry for this confusion. Documents that cover controls from section A.18 can be found here:
- documents in the toolkit in folder "02 Procedure for identification of requirements" ("Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements")
- control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder 08 Annex A security controls - A.8 Asset management) in the section "3.15. Copyright".
It is important to note that not every control needs to be documented; to avoid unnecessary administrative work, the toolkit includes only the mandatory documents plus the most common ones.
In the root folder of the Demonstration Kit, you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.
Hi, about Q4.1, I think I didn't explain it right. We are assessing, for each asset, its status in relation to the 114 controls, as a kind of gap analysis. So we have 150 assets and 114 controls for each one. A lot of Excel sheets... The "Risk Treatment Table included in your toolkit in folder 05 Risk Assessment and Risk Treatment" that you mention is for the risk assessment and only includes actual threats, I think. Not the status of each asset in relation to each control, but of course both are connected. My question was about any tool to handle this huge amount of information (150x114); from what I've seen, I don't think Conformio has any option to handle this specific information, but only the risk assessment as in the template in the toolkit. Maybe we are overkilling with this exercise. It looks, based on your answer, that this list of assets vs. all 114 controls is not required. Is this correct?
Thank you very much in advance
Your assumption is right. ISO 27001 does not require a list of Assets vs. Annex A controls. As you already perceived, this approach only creates a lot of data that won’t be very useful.
The standard’s approach for the application of controls is based on the identification of applicable legal requirements and mitigation of relevant risks. This way you keep your information at a minimum, i.e., only the basic information about assets (in the inventory of assets document), the assessed risks (in the risk assessment table), and the treated risks (in the risk assessment table).
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment and risk treatment table.
This article will provide you a further explanation about risk assessment and risk treatment:
These materials will also help you regarding assets, risk assessment, and risk treatment:
By enabling organizations to better manage business continuity capabilities, ISO 22301 can:
- allow organizations to operate on reduced costs when compared with the competition, allowing them to offer better prices
- provide confidence that when disruptive events occur they will be able to recover faster
- allow potential customers to reduce assurance costs related to their audit procedures
These aspects can make an organization present itself as a better choice in the eyes of potential customers.
For further information, see:
- ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
I do understand the urgency; however, nothing will happen if you receive it later in June. I have to check with my colleagues whether it is possible to send you a draft version.
When you assess the impact and the likelihood of a risk, you have to take into account the existing controls, filling in the information about them in the column "Existing controls", so your example is the proper way to assess risks when controls are already implemented.
This article will provide you a further explanation about likelihood and impact:
This material will also help you regarding risk management:
1 – In the RAT, presumably I do not list risks that are already mitigated?
When performing Risk Assessment and Treatment you need to include every risk you understand as relevant, even if there are controls already implemented to treat them.
If you already have controls implemented, you should consider their effects on the risk value, so that your risk assessment table reflects the current situation of your environment. The existing controls should be included in the "Existing Controls" column in your Risk Assessment Table template.
By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment and risk treatment tables.
These articles will provide you a further explanation about risk assessment:
These materials will also help you regarding risk assessment:
2 – Is it possible to see an example of a real and completed RAT, preferably for a SaaS business?
Unfortunately, we do not have example documents we can disclose due to confidentiality agreements with our customers.
By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the risk assessment and risk treatment templates.
For examples of risk assessment, I can suggest you these materials:
ISO 17025 does not prescribe technical details regarding methods. In order to establish a suitable process and sample preparation procedure, you need to consider the performance capability of the pulveriser, your type of sample and the time it takes the operator to clean or prepare pulverising cups. Then you can do a mathematical calculation of the process capacity over 10 h.
For more information on ISO 17025 requirements, see the articles
What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/ and
What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/
1. The risk assessment methodology document is the same for 22301 and 27001? There is no direct reference to ISO 22301 in the sample document, only ISO27001. Is it appropriate in case I'm not only implementing 27001? Let’s suppose I implement ISO 22301 or possibly ISO 22301 + 27001 simultaneously.
ISO 22301 does not prescribe a risk methodology approach to be used, so you can use the Risk Assessment and Risk Treatment Methodology document defined for ISO 27001 for complying with ISO 22301 requirements.
For further information, see:
2. Do I understand correctly that risk assessment should cover all business processes / activities involved in the business continuity management system?
Your understanding is correct. The risk assessment must be applied to all elements defined in the BCMS scope.
These articles will provide you a further explanation about risk assessment in business continuity: