Search results

Incident Management Procedure

1 - I really liked the document, I just have a question, is this document based on ISO/IEC 27000:2009? Is there any updated document according to ISO/IEC 27000:2013?

Please note that the main ISO standard for information security is ISO 27001 (which defines the requirements for the management system and potentially applicable controls), not ISO 27000 (which only defines vocabulary).

Considering that, our ISO 27001 templates, including the Incident Management Procedure, are based on the ISO 27001:2013, which is the current version of the standard.

For resources about incident management, please see:

• How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
• Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/

This material will also help you regarding incident management:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2 - And also do you have a document which contains the list of incidents, event which can be considered as security incident?

An incident is a risk that has occurred. Considering that, you can use the following resources to built your own list of potential incidents:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

This material also can help you:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

List of points needed for making infrastructure GDPR compliment

It is not clear from your question if you refer to the company infrastructure concerning assets and organization or to the IT infrastructure. In general, there are different levels to consider from an infrastructure point of view.

The first of all is the privacy by design principle: you need that your infrastructure project considers GDPR requirements from the very beginning (what kind of data are going to be processed, for what purposes, how long data will be processed, who can access, how data will be secured). The Data Processing Impact Assessment process can help you to focus on specific GDPR requirements and design the infrastructure accordingly.

Then the privacy by default principle: your infrastructure should be settled considering GDPR requirement at its strictest. (i.e., setting data retention periods, defining the process to manage data subjects rights, following the data minimization principle which requires companies to collect and process only personal data which are necessary to reach the purpose for which had been collected). Internal policies and the registry of data processing will help you.

Adopting security measures refers to all the organizational and technical processes to ensure security. (i.e. internal policies on document access, on teleworking, on bringing your own device policies, or email security protocols, VPN, antivirus, antimalware, and so on.).

The GDPR leaves up to the controller the choice of the solutions which fit better to its own organization. The balance is among the state of the art, the costs, the kind of personal data involved, and the threat to individual’s rights and freedom arising from data processing which may differ from the brick and mortar shop to the marketing agency which monitors the behavior of customers and run targeted marketing campaigns.

Here you can find more information to start implementing GDPR:

• A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
• First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/
• Understanding 6 key GDPR principles https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
• How cybersecurity solutions can help with GDPR compliance https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/

To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online trainingEU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Compliance with multiple standards

Deciding to apply for ISO certification is not a technical decision, it is a management decision. Normally, organizations decide to implement ISO 14001 because customers require it, or because being ISO 14001 certified is good for business because of customer requirements.

Please check the information below about implementation:

• Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
• List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
• ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Accreditation of 17025

You  asked

1. I would like to know if all the used samples should be a CRM samples in order to obtain the 17025 accreditation and if we could realise just one repetability reproductibility test on one sample and compare the results with a CRM sample.

Method Validation and measurement uncertainty involves investigating the effect of both systematic and random errors on the accuracy of results. This involves two components -trueness and precision. Both these are qualitative descriptions, where bias is measured to represent trueness; and a measure of spread of results, such as standard deviation to quantify precision. Precision studies include repeatability, intermediate precision and reproducibility. Typically you will use a matrix matched reference material (RM), reference method or reference value to determine any bias; while test samples or spiked sample blanks (matrix matched) are acceptable for the precision studies. Of course RMs could also be used. It is important, either way,  to represent the entire working range; menaing that low, medium and high range samples should be included.

You  also asked

2. we use a Spark Atomic Emission Spectrometry to realise the chemical analysis (zinc and aluminium), there is any criteria in the iso 17025 that obligate us to use an ASTM OR AN iso reference and if yes what should we do if our range of work is out the range mentioned if the standard."

The laboratory need not use a standard method, unless a client or the sector specify you must. As an ISO 17025 accredited laboratory you need to select suitable methods and prove through method validation and quality control; they are adequate for the purpose. The involves showing that the inhouse or non-standard method achieves the performance required- for example limit of detection, accuracy, along with suitable low-enough measurement uncertainty.  This is where Proficiency testing or interlaboratory studies can be used to evaluate how the nonstandard method performs compared to laboratories who may be using a standard method. 

For more information, see the ISO 17025 toolkit procedure Test and Calibration Method Procedure, at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/; along with the two supporting documents Test Method Development, Verification and Validation Register and Test Method Development, Verification and Validation Record.

Offices within scope

If you have e.g. hundreds of branch offices, then you should specify only the locations of main offices in your ISMS Scope document, and refer to some other document where you list all the branches - this other document could be your internal or public list of branch offices. 

If you go for the certification, you should consult with your certification body on how to document the locations. 

Here are some materials that will help you with setting the ISMS scope: 

• article How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• article ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• free online training ISO 27001 Foundations Course

Questions for ISMS

1. What is the ideal KPI's to measure the effectiveness of ISMS in an organization?

ISO 27001 does not prescribe which performance indicators should be adopted by organizations, so there is no such thing as an ideal KPI, and organizations must define them according to their needs and objectives. Some common issues organizations should take into account when defining KPIs are:

• Business relevant: indicator aligned to clear business objectives or legal requirements
• Process integrated: a KPI should add the least amount of work possible into business processes.
• Assertive: the indicator should be capable of pinpointing relevant issues that need attention.

As general examples we have:

• Percent of business initiatives supported by the ISMS
• Number of security-related service downtimes
• Percent of controls assessment performed
• Number of improvement initiatives

These articles will provide you a further explanation about performance indicators and security objectives: 

• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
  - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

2. Can the internal auditor participate in the ISMS activities and take some responsibilities e.g review Policies and standards, develop and create missing documents, be an ISMS Advisor...etc

I'm assuming that by "standards" you mean "procedures".

Considering that, in case you only have one internal auditor, he should not participate in the ISMS activities and take responsibility for its implementation and operation, because this would cause a conflict of interest during the audit (an auditor should not audit his own work). In case you have more than one internal auditor available, they can perform some activities, provided that during the audit they do not audit their own work.

This article will provide you a further explanation about internal audit:

• Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Access control

Considering ISO 27001, I suggest these articles from Advisera:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
• How two-factor authentication enables compliance with ISO 27001 access controls https://advisera.com/27001academy/blog/2017/01/16/how-two-factor-authentication-enables-compliance-with-iso-27001-access-controls/
• The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
• How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

Considering other sources, I suggest:

• NIST Special Publication 800-53 (Rev. 4) - Security and Privacy Controls for Federal Information Systems and Organizations https://nvd.nist.gov/800-53/Rev4/family/Physical%20and%20Environmental%20Protection 

These materials can also help you:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Access control

Considerando a norma ISO 27001, sugiro consultar os seguintes artigos da Advisera:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
• Como a autenticação por dois fatores apoia a conformidade com os controles de acesso da ISO 27001 https://advisera.com/27001academy/pt-br/blog/2017/01/17/como-a-autenticacao-por-dois-fatores-apoia-a-conformidade-com-os-controles-de-acesso-da-iso-27001/
• The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
• Como proteger contra ameaças externas e do meio ambiente de acordo com o controle A.11.1.4 da ISO 27001 https://advisera.com/27001academy/pt-br/blog/2016/01/27/como-proteger-contra-ameacas-externas-e-do-maio-ambiente-de-acordo-com-o-controle-a-11-1-4-da-iso-27001/

Considerando outras fontes, sugiro:

• NIST Special Publication 800-53 (Rev. 4) - Security and Privacy Controls for Federal Information Systems and Organizations https://nvd.nist.gov/800-53/Rev4/family/Physical%20and%20Environmental%20Protection

Este material também pode ajudar:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Implementing ISO 27001 in a greenfield

1 - What are the key considerations when implementing an ISMF such as the ISO 27001 in a greenfield site – i.e. an organization where there are nothing in terms of security policy or practice. Would we go through the normal workflow of implementing ISO 27001 or are there deviations?

ISO 27001 was designed to be implemented in organizations of any size and industry, so the general steps are the same, including a greenfield site. In fact, in some cases, the absence of previous security policies or practices is good because it does not bring undesired behavior and minimizes resistance to change.

Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

• defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
• development of risk assessment and treatment methodology;
• perform a risk assessment and define the risk treatment plan;
• controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
• people training and awareness;
• controls operation;
• performance monitoring and measurement;
• perform an internal audit;
• perform management critical review; and
• address nonconformities, corrective actions, and opportunities for improvement.

To see how documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

This article will provide you a further explanation of ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

2 - Can you suggest any additional resources I could use for greenfield implementation?

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course at this link: https://advisera.com/training/iso-27001-foundations-course/