Search results

List of referenced risks and numbers

Please note that these referenced risks and numbers are only examples for the training, so there is no complete list of risks.

To see a comprehensive list of threats and vulnerabilities you can use to develop a risk assessment and a risk treatment plan, please see this article:

• Catalog of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

In the Risk Assessment Table template available at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

You can see a demo of a list of assets, threats, and vulnerabilities.

This article will provide you a further explanation about risk assessment:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Key elements of ISO 27001

First is important to note that ISO 27001 is not about "how to" (e.g., which documents, technologies, and other solutions to use), but about "what needs to be done" (i.e., which objectives to achieve, like treat risks, train people, etc.)

Considering that, some key elements you need to consider are:

• Top management support
• Definition of roles and responsibilities
• Information security risk management
• Employees engagement

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/

These materials will also help you in presenting ISO 27001:

• Why ISO 27001 – Awareness presentation (MS PowerPoint) https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
• ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

Main challenges in the implementation of ISO 27001

The main challenges related to ISO 27001 implementation are:

• Lack of management support: without this support, you won't have the minimal resources and engagement to implement the required controls.
• Not using a project management approach: such implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will finish inside a huge mess with no security at all.
• Lack of time for the implementation project: The project can be very important, but normally, there are a lot of urgent things happening that postpone the project.
• ISMS scope wrongly defined: not protecting information that really matters.
• Documentation: Procedures excess or lack of details may compromise operations.

This article will provide you additional information:

• The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Information Security Management System

Would you advise (feasible) and what recommendations would you give during or after the design of the ISMS an application be developed to carry out an automated and adequate management and monitoring of information security, with traceability when implementing an Information Security Management System ( ISMS)?

Please note that while some activities, like risk assessment and internal audit, require a lot of analysis and evaluation work to be done, and it is not possible to automate them, because some decisions require a human feeling and perception of the business environment that a machine cannot properly evaluate, some activities you can be automated, such as:

• collect data from existing databases (e.g. to help identity assets if an asset-threat-vulnerability risk assessment approach is used)
• compare data gathered with risk level limits to warn about risks that require further analysis
• organize and present data for decision making.

Considering that, in the development of an ISMS application to fulfill your needs, you need first identify which requirements this application needs to meet, to see the level of automation you can reach, and if this is enough for your purposes.

This article will provide you a further explanation about the use of tools:

• When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/

How to inspire people for new standard?

The most effective ways to get the engagement of people are:

• to show them how the new standard can benefit them, help them achieve their business results
• always take their opinion into account on project decisions
• be transparent with them about what you are going to do and why
• help them to resolve conflicts of interest with other areas, searching for mutually beneficial solutions

For further information, see:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/

ISO 27001 Asset Management and Information Classification

The relation between them is that information classification policy is applied to the assets considered relevant to the ISMS scope, and these are identified and managed through the asset management process.

But please note that neither the Information Classification Policy and the Assessment Management Process, as well as information labeling, are prescribed by ISO 27001. They are only needed if there are relevant risks, or legal requirements, demanding their implementation.

Considering that, and your started scenario, information, and processes are also assets (you can add, for example, the categories "information" and "processes"), and the other stated assets also need to be classified (as Confidential, Restricted, or Internal use).

In case you have an asset like a laptop storing information with different classifications, you must use the highest classification to classify the laptop (in your case the laptop is to be considered confidential).

For further information, see:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

Differences between EU MDR and US FDA regulations

Medical device regulation MDR 2017/745 is applicable to all medical devices that want to be placed on the EU market. Necessary Technical documentation is described in Annex 2 and Annex 3 of the MDR 2017/745.

Here are the links to that Annexes:

• EU MDR Annex 2 – Technical documentation - https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex 3 – Technical documentation on post-market surveillance – https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

A 510(k) is the technical dossier required by the US Food and Drug Administration (FDA) to sell a medium-risk medical device or IVD in the United States. It is formally called a Pre-market Notification. A 510(k) contains detailed technical, safety, and performance information about a medical device. The documentation must demonstrate the device in question is "substantially equivalent" to a predicate device (i.e. a product already cleared for sale in the US). The FDA must review the 510(k) and "clear" your device before you can legally sell or distribute it in the United States.

Here is the link to the content of the 510(k):

• Content of a 510(k) https://www.fda.gov/medical-devices/premarket-notification-510k/content-510k
• Premarket Notification 510(k) https://www.fda.gov/medical-devices/premarket-submissions/premarket-notification-510k

ISO 27001 Certification

I'm assuming that by practitioner certification you mean ISO 27001 foundations course

An ISO 27001 practitioner certification recognizes someone that has the competences to understand and work on the daily activities of an ISO 27001 ISMS, while the ISO 27001 Lead Implementer certification recognizes people who have competency on the ISO 27001 implementation process.

This article will provide you a further explanation about ISO 27001 lead implementer:

• What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

These materials will also help you regarding ISO 27001 certifications:

• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• ISO 27001 implementation Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

Scoping an organisation to be ISO 27001 certified

According to ISO 27001, an ISMS scope must be defined in terms of information, locations, or business units to be protected, considering the organization's objectives and context. For small and medium-sized organizations usually it is better to include all the organizations in the ISMS scope because the effort to manage a scope that covers only part of the organization is not worthy.

These articles will provide you a further explanation about defining scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding defining scope:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 14001 The Difference between Procedure and Induction Documents

An induction document is a document related with the welcome or preparation of someone into a new job. A procedure is a document that explain how a task or set of tasks are done. A procedure can be used by anyone at any time, whenever there is a doubt. I use to say that a procedure, even for those with a lot of experience is like a map in the glove compartment of a car, or in a smartphone. Normally, we do not need to use it, but sometimes it is very useful.

Please check this article - List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/ - where you can see that there is no mandatory requirement for induction documents in ISO 14001:2015.

Please check this information below about ISO 14001:2015:

• Plan-Do-Check-Act in the ISO 14001 standard - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/plan-do-check-act-in-the-iso-14001-standard/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/