The definition and changes of the ISMS scope when information is on a cloud solution will depend on the control you have over the cloud.
This article will provide you with a further explanation about defining a scope considering cloud models:
Regarding clauses from sections 4 to 10 of the standard, the best approach would be to verify all of them one by one. Regarding controls, the proper way is by reviewing the results of risk assessment and risk treatment, and the applicable legal requirements.
The reason is that these approaches for the on-prem scope will allow you to review the current scope, and for the cloud scope all the elements are necessary for the certification.
1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?
ISO 27001 certified suppliers will make the management of your risks related to them easier because your organization and these suppliers will have a common base to manage information security risks (e.g., they will have an SoA that can make it easier for you to evaluate how they treat risks relevant to your organization).
For further information, see:
2. Do we still have to consider risks for those cloud services as well?
If these cloud services store or process information that is part of your ISMS scope, then the risks related to them need to be considered (e.g., a disaster or a cyberattack can hit their sites and compromise your information that is with them). In this situation, any related treatment will be a part of the contracts or terms of service you have with these suppliers.
These articles will provide you with a further explanation about ISMS scope considering cloud services and management of suppliers:
3. Could we group the assets so that they become more manageable? E.g. one group: Cloud services, and perform the risk assessment for this group, or divide it into SaaS and IaaS groups.
The short answer is yes.
ISO 27001 does not prescribe how to build the asset register, so you can define it as best fits your organization.
In your case, you can group assets, or use them individually, whichever way you understand will better fulfill your needs. For example, if you have several laptops with the same level of risk you do not need to list them individually; you can have a single asset called "laptop". In case you have laptops with a different risk level, such as laptops from a development and maintenance department, you can create an asset called "development laptops".
In short, you should consider splitting assets in more detail when they require different levels of protection.
This article will provide you with a further explanation about the asset register:
4. Who should be the Asset Owner of Operating System – the user? And the Risk Owner is the System Administrator?
First, it is important to note that ISO 27001 does not prescribe who the asset owner must be, so organizations are free to define the asset owners as best fits them.
Considering that, as a good practice, you should consider as the asset owner the first management level with responsibility for protecting and managing the asset, because this will make the decisions about the asset faster and more effective.
For example, if the asset is a server, the owner should be the server's administrator. In the case of laptops, you should consider the asset owner the laptop user.
To answer your question, let me first highlight that they serve different purposes. In the context of ISO 17025:2017, however, the answer would be the Quality Policy, as it provides a framework to establish the quality objectives, meaning quality-focused results to be achieved.
It is also mandatory for laboratories to have policies and objectives that are aligned to address impartiality, competence and consistent operation – all quality components. The Quality Policy is the core of the management system, binding the laboratory in a singular vision of what Quality means to your organisation. It focuses your attention to structure processes and documentation appropriately, as it is the crucial focal point for addressing risks and opportunities.
A Quality Manual, on the other hand, is not mandatory, although it is useful to “bring” all your processes and procedures together. The mandatory documentation requirements could be met with a master index of documents and separate procedures.
Have a look at these ISO 17025 toolkit document templates for some more insight: Quality Policy at https://advisera.com/17025academy/documentation/quality-policy/; as well as the Quality Manual at https://advisera.com/17025academy/documentation/quality-objectives/
ISO 9001:2015 does not require creating a disaster recovery plan.
It is not required to have implemented a quality management system according to ISO 9001:2015 to create a disaster recovery plan.
What happens is that ISO 9001:2015 in clause 6.1 requires that organizations determine potential risks and evaluate them. If those risks are significant, organizations should implement actions to prevent those risks from happening or to minimize their consequences. If an organization determines and evaluates potential risks with catastrophic consequences, it may conclude that a disaster recovery plan must be designed and implemented. Attention: designing that plan would be a decision of the organization, not a mandatory requirement of the standard.
The following material will provide you with more information about risks and opportunities:
Broadly speaking, considering ISO 27031, an ISO standard focused on IT disaster recovery, a Disaster Recovery Plan should cover:
To see what a disaster recovery plan looks like, I suggest you take a look at the free demo of our Disaster Recovery Plan at this link: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
This document will help you to define precisely how an organization will recover its IT infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident, also addressing requirements of ISO 27001 and ISO 22301.
This article will provide you with a further explanation about ISO 27031:
1. Is it necessary or recommended to have a foundation certification secured prior to the lead auditor certification?
ISO 27001 Lead Auditor certification does not require prior certifications.
To take the exam you need to attend the ISO 27001 Lead Auditor course, which provides enough information for the exam (although previous knowledge and/or experience may allow you to take more value from the course).
These articles will provide you with a further explanation about the lead auditor course:
These materials will also help you regarding the lead auditor course:
2. I am a Quality Manager with 8 years of relevant experience and I intend to switch to core GRC roles. Will this certification benefit me in clearing CISA, which is my future certification aspiration?
ISO 27001 Lead Auditor can help you prepare for CISA certification, but please note that CISA is more comprehensive than ISO 27001 Lead Auditor, so you will have to complement your study.
This article will provide you with a further explanation about CISA and ISO 27001:
3. Any other tips that you think might help me scale up would be appreciated.
ISO 27001 can support part of the Governance, Risk, and Compliance process, so to enhance your skills you also have to consider competences related to COSO and COBIT.
These articles will provide you with a further explanation about COSO, COBIT, and Governance:
First, it is important to note that ISO 27001 does not prescribe an approach to be used for risk assessment, only what must be performed.
Considering that, we generally recommend the asset-based risk assessment, because it is easier to perform. However, with the process-based risk assessment you can have a more understandable context to identify and evaluate risks, so the decision about which approach to use will depend on the competencies you have available and objectives you want to achieve.
These materials will provide you with a further explanation about risk assessment approaches:
Here you can find the general list of mandatory documents for ISO 13485:2016:
As a manufacturer of software, from that list you do not need the following:
If you do not have any kind of service (repair) in your business, then even the following requirement is not applicable for you:
Furthermore, each medical device software must be in compliance with the following standard:
For more information on ISO 13485, please see the following links:
ISO 9001:2015 prefers using the term non-applicability of clauses. Only clauses from section 8 may be considered as non-applicable.
8.1 is very general and applicable to all organizations; 8.2 is about commercial activities, and every organization has commercial activities. 8.3 is about design and development and it is applicable since it is your main service. 8.4 is about purchasing relevant to the service and it is applicable. 8.5 may be applicable to the service of technical supervision of the construction of the dams, and it is also applicable to your design work. Your job is designing projects (both 8.3 and 8.5). You have quality control, check calculations, check test results, and you sometimes have errors, mistakes, failures. So, clauses 8.6 and 8.7 are still applicable. I think that even subclause 8.5.3 is applicable, since your customer may give you drawings and information where intellectual property or business secrets may be relevant.
You may find more information below: