Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Information Security Risk Assessment and Risk Treatment
1. Are the risk treatment options limited to the four discussed in your publication?
I'm assuming you are referring to the book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Considering that, risk acceptance, risk avoidance, risk mitigation, and risk transfer are the most common and used treatments, but regarding ISO 27001 you can use other approaches you may find useful.
2. Is there conventional risk acceptance criteria, based on likelihood and consequence?
Common types of risk acceptance criteria involve financial, brand, and legal aspects, but there are no conventional details, like the range of financial values, because these details will depend on the business objectives and its tolerance to risks (e.g., for organizations with low tolerance to risk, the acceptable financial impact of risk will be lower than for organizations with high tolerance to risk)
For further information, see:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
3. Is treatment options generated from risk acceptance criteria?
No. Treatment options are based on the identified risk and your available resources. The risk criteria will give you an idea about how much resources you should consider, but they do not define them.
For further information, see:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
4. How can I join your community...to review issues relating to 27001...tried to sign in but it's impossible...can only comment as a guest?
In order to post comments on our Expert Advice Community, you need to create an account at this link: https://community.advisera.com/sign-up/
After that, you will be able to log in and post questions and search for other topics you are interested in. -
Scope of legal and contractual requirements
Please note that ISO 27001 requires only requirements relevant to information security, not all the regulations in a country.
Additionally, please note that the list in the article you mentioned is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn). To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
-
Preparing site for first-time ISO 13485 audit
This depends on the type of your medical device. It is expected that, if the medical device is sterile, those necessary premises are properly clean. Also, there should be no cross-contamination between warehouse and production, that pathways for raw material and final goods are not crossed over each other. It is also expected that everything will be properly labeled. For example, cabinets, tables, drawers if they can be used for different purposes (eg clean/unclean) that it is so marked; if there is a defined place to dispose of something then that too should be properly marked; in the warehouse to see exactly where the non-compliant products are disposed of, and to see the paths of forklifts and people. If separate work clothes are required, then the place from which one can only move in it should be marked.
Following article regarding infrastructure can be helpful:
- Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/
-
Annex A.14.2 controls
When we talk about developments within the organisation are we talking solely about development of software for use within the organisation, or does this include development of commercial software as a product to be sold to customers?
Please note that the term "developments within the organization" refers to the development process, not to the final users, so it is applicable both for when developed software is for internal use or is to be sold to customers.
Secondly, does the word development include the configuration (no coding or customisation) of commercial software packages such as Microsoft Dynamics CRM, or Xero accounting.
So, if development of cThe configuration is an action related to installation, not development.
Considering both previous answers, control A.14.2 would be applicable in case the mentioned development process covers commercial software.
-
ISO 27017 and ISO 27018
I'm assuming that by ITU you mean "International Telecommunication Union".
Considering that, ISO 27017 was developed in collaboration with ITU-T and there is a text-based on this standard published as ITU-T. X.1631 (07/2015), so controls from this standard are covered by ITU. Regarding ISO 27018, it only references ITU-T Y.3500, so probably some additional documents may be required (we are not experts on ITU, so we cannot provide a more precise answer).
-
Psychology within the scope of risk treatment and analysis
Psychology within risk treatment is out of our field of expertise, but in a general way, for every risk where the human factor is involved, you should consider means, motivation, and opportunity when analyzing a situation. By elimination of these elements from the situation, you can decrease the risk, and for controls, you should consider:
- definition of roles, responsibilities, and authorities, so people understand what is expected from them (this provide guidelines for the other two practices)
- awareness and training, so people understand why information security is important, the consequences of incidents, and how to perform their activities (this decreases motivation)
- segregation of duties, so a single person cannot perform all required task (this decrease means and opportunities).
These articles will provide you a further explanation:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
-
Final inspection
Before sending your finished product to customers/clients want kind of control should be done to ensure that specifications are met? What to control? How to control? With what frequency? What should be the sample size? Who will control? Where to record the results?
The following material will provide you more information about inspection:
- Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/ Article - How to establish QMS Statistical Process
- Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 –
https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
ISO 9001 Audit question
I think that the two most common questions during an ISO 9001 audit are.
What is your organization’s quality policy?
What is your work? What are you doing? How do you know what to do or how to do?The following material will provide you more information:
- What questions to expect on the ISO 9001 certification audit - https://advisera.com/9001academy/blog/2016/04/19/what-questions-to-expect-on-the-iso-9001-certification-audit/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/