In the context of ISO 27001, ‘business-relevant data’ are those identified as:
In short, they are the information that will cause the most negative impact in case their confidentiality, integrity, and/or availability are compromised.
In the Risk Assessment Table template included in your toolkit, you have a tab with examples of information security assets, and there is a specific category about data and information. This template is located in folder 5 Risk Assessment and Risk Treatment.
These materials will also help you regarding ISO 27001 and information identification:
1. What implementation issues do you usually have?
I’m assuming you are referring to ISO 27001 implementation.
Considering that, the main challenges related to ISO 27001 implementation are:
This article will provide you additional information:
2. Do you have implementation shortcuts that help you streamline an implementation?
Our ISO 27001 Documentation Toolkits are designed to be easy to use (minimal knowledge of the standard is required), listing folders and files in the order they must be implemented. Additionally, you can count on many resources on our site to help you implement the ISMS, like the free download content, blog articles, and our Expert Advice Community, where you can send your questions and schedule meetings with our experts (sessions included in the toolkit).
As examples of articles and similar material I can mention:
To see what the toolkit documents look like, please access the free demos at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These materials will also help you regarding ISO 27001 implementation:
1. What is the best methodology for an information security risk assessment?
Please note that there is no single answer for this question because the “best” methodology will depend on many variables like business context, objectives, internal culture, etc. You can even write your own methodology if you want.
Now, the most commonly used methodology for information security risk assessment is the asset-threat-vulnerability approach, mostly because it was part of the previous version of ISO 27001.
For further information, see:
To see what risk assessment and risk treatment documents (including the Statement of Applicability) compliant with ISO 27001 look like, please see the free demos of this toolkit: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
2. How to ensure that privacy principles are dealt with in accordance with relevant legislation and regulations? If the client says that he is performing an assessment to ensure he is in line with the DPA, is this information enough to make him compliant with clause 18.1.4?
Please note that control A.18.1.4 (Privacy and protection of personally identifiable information) requires PII to be protected as required by relevant applicable legislation and regulation. To evidence conformity with the control, the client needs to present not only which legislation and regulation he/she must comply with, but also which controls are implemented, and evidence that the controls are performing as expected.
For example, if legislation requires information availability, then the client has to say how compliance is ensured (e.g., by implementing a backup policy) and present evidence that the control is implemented (e.g., by showing backup generation logs and backup test results). So, only stating that an assessment is performed is not enough to provide evidence of compliance with control A.18.1.4.
Good practice suggests that information assets classification should be done through a four-step process:
For further information, see:
These materials will also help you regarding risk assessment and information classification:
In most cases the situation is that organizations are not aware of the cost of non-compliance, i.e., they don’t know how their profit margin or productivity is being impacted by the problems caused by a lack of systematic management. In their point of view what they are profiting is fine, but they don’t know they could be profiting more by adopting ISO practices, even when considering the costs of adopting them.
These articles will provide you with a further explanation about ISO 27001:
ISO 27001 does not prescribe how to record assets, so you can group assets that share risks and still be compliant with the standard. The only point you have to pay attention to is when recording this set of assets in your risk assessment. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, so in the event the set changes you can identify the need for a risk assessment review.
This article will provide you with a further explanation about managing assets:
These materials will also help you regarding managing assets:
These courses are equal in their own way because they focus on different purposes.
However, since the implementation is something organizations often perform only one time, and after that they have a continuous maintenance effort, the demand for auditors is greater than for implementers. Also, to work for certification bodies it is necessary to be approved in a Lead Auditor course, while for implementation the certification is not mandatory.
This article will provide you with a further explanation about these courses (although its focus is on ISO 27001, the same concepts apply to ISO 22301):
You can move to another notified body, but most important here is that findings that were raised against the MDD are applicable to the MDR as well. So you definitely need to solve those findings. Your CE mark will be under suspension until you comply with the MDR.
If you are a legal manufacturer and want to put a medical device under your name, then you are also obliged to be certified according to ISO 13485. The contract manufacturer is your outsourced process, and you need to have a proper quality agreement with them in accordance with requirement 4.1.5 of ISO 13485:2016. This quality agreement is supposed to cover mutual responsibilities, but also what kind of control you will have over them. Usually, the following are control measures:
- Supplier's audit – you will perform a supplier audit over them with a periodicity which will be risk-based
- the need for the outsourced company to notify you if it receives any complaint about similar products
- mutual communication in resolving complaints and inconsistencies
- defined time required to respond to inquiries and clarifications
Considering the MDR / CE mark, again if you are a legal manufacturer and want to put a medical device under your name, then it is your responsibility to prepare the technical file in accordance with Annex II and Annex III of the MDR. Be prepared that when the notified body comes for your MDR audit, they will also audit the outsourced certified company.
For more information, see: