Your understanding is correct. By defining physical limitations in your scope, it will be easier to identify how to properly protect the information. Please note that the scope statement is not wrong; it can only be improved by specifying locations.
Please note that the template for the ISMS scope included in the toolkit covers all important elements of the scope definition. The comments included in it will guide you on where to include the information about locations.
This article will provide you with a further explanation about the scope definition:
1. Can you provide any guidance or clarity on defining Clause 4.1 of ISO 27001, determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system?
Examples of external issues are: geographical location, public infrastructure available, political, economic, social and technological trends, etc.
Examples of interested parties: clients, suppliers, top management, and employees, etc.
Examples of internal issues are: organizational culture, processes, and procedures, equipment, financial resources, etc.
This article can help you:
2. Also, where is this typically documented?
ISO 27001 does not require documenting the context of the organization, and this is especially not recommended for smaller organizations: you only need to take the context of the organization into account when defining the scope and doing the risk assessment.
It is acceptable for ISO 27001 to reference the Organizational Chart in the elaborated documents instead of using employees' names. In fact, this is a good practice because, as you mentioned, by using roles instead of people's names you do not need to update the documents every time the staff changes.
This article will provide you with a further explanation about defining scope:
These materials will also help you regarding defining scope:
If you go for the certification audit, you should have most of your controls implemented, and make sure that controls that mitigate the biggest risks are fully implemented.
In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.
This article will provide you with a further explanation about certification:
This material will also help you regarding certification:
ISO 27001 does not prescribe that a document's author must be part of the organization, so according to the standard, the fact that the author is an external consultant is not a problem.
The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.
In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies, so they can validate that the documents fulfill the needs of the organization. For example, the Information Security Policy must be evaluated and approved by the CISO and the top manager of the ISMS scope (e.g., the CEO if the scope is the whole organization, or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy, IT procedures, etc.) need to involve the IT manager.
Provided that personnel from the organization with the proper competencies are involved in the review and approval of documents, it should not be a problem who is writing them.
This article will provide you with a further explanation about creating documents:
This material will also help you regarding creating documents:
Many thanks, Rhand, for your quick response - very helpful.
1. When we revise a risk management table on an annual basis (new document), I'm not sure if we assess risks (consequence and likelihood) with all implemented controls/safeguards in mind or without them. If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual risks remain), and there is no need for additional treatment at this moment.
When you perform a risk assessment review, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls is also documented in the risk assessment.
2. Hypothetical: if all risks are acceptable according to our methodology, is it ok not to have a Risk treatment plan?
It is acceptable to have no update to the current Risk Treatment Plan in case all risks are acceptable, but please note that the Risk Treatment Plan can also be used to improve control efficiency (i.e., you can achieve the same results using fewer resources), or in case you need to change technology but this change will not have an effect on the risk value.
This article will provide you with a further explanation about continual improvement:
It is expected that under an ISO 27001 certified ISMS an organization has only one risk assessment and risk treatment methodology approach, so it can produce comparable results all across the ISMS scope, but there are rare cases where parts of the scope may be under different legal requirements (e.g., laws, regulations or contracts) demanding each one of them to use a different approach, or the performed processes defined by the organization require different approaches (e.g., risk management process for project development and for financial risk assessment).
In such cases, the ISMS must provide a way for the risks from different approaches to be compared (e.g., by using a conversion table, so the results from one approach can be translated to the other and vice versa).
This material will also help you regarding risk management for ISO 27001:
The ISO 45001 standard is best implemented like any other project, with a structured plan and a firm foundation in approval by top management. The plan needs to have adequate resources to see it through, from performing the gap analysis to see what you already have in place that meets the standard, through the certification process. The steps of the implementation are graphically represented below.
You can see the implementation process in this free Diagram of ISO 45001 Implementation Process: https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process
It depends on the cookies: there are some cookies for functionalities that cannot be blocked without preventing the website from working (in this case the website will be compliant).
You should check what kind of cookies are still working and verify whether they belong to the cookies that can be blocked by users or not (tracking and statistics).
Cookies are ruled by the e-Privacy Directive, and they are connected to the GDPR through Article 13 on consent. This May, the European Data Protection Board reviewed the guidelines on consent under the GDPR and listed cookies: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
You can find more information here:
You may also consider enrolling in this online EU GDPR Foundations Course:
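One way to perform the check described above (which cookies are still set after a user rejects consent, and whether each one is strictly necessary or a tracking/statistics cookie that should have been blocked), as an added example that is not part of the original post. The cookie inventory, category names and the sample cookie string are constructed assumptions, not data from the page.

```javascript
// Added example (not from the original post): audit which cookies survive a
// "reject all" consent choice. The inventory below is constructed sample data;
// a real site would use its own cookie inventory from its cookie policy.

// Constructed inventory: cookie name -> category. "necessary" cookies keep the
// site working and may be set without consent; the other categories need opt-in.
const COOKIE_INVENTORY = {
  sessionid: "necessary",
  csrftoken: "necessary",
  cookie_consent: "necessary",
  _ga: "statistics",
  _gid: "statistics",
  fbp: "marketing",
};

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    cookies[name] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return cookies;
}

// Given the cookies present after the user declined consent, return the ones
// that should have been blocked: anything not classified as "necessary".
// Cookies missing from the inventory are flagged as "unclassified", because an
// unclassified cookie cannot be justified as strictly necessary.
function auditCookiesAfterReject(cookieString, inventory = COOKIE_INVENTORY) {
  const present = parseCookieString(cookieString);
  const findings = [];
  for (const name of Object.keys(present)) {
    const category = inventory[name] || "unclassified";
    if (category !== "necessary") {
      findings.push({ name, category });
    }
  }
  return findings;
}

// Constructed sample: what document.cookie might look like after "reject all".
const SAMPLE_AFTER_REJECT =
  "sessionid=abc123; cookie_consent=rejected; _ga=GA1.2.1; fbp=xyz; foo=bar";

console.log(auditCookiesAfterReject(SAMPLE_AFTER_REJECT));
```

In a browser the same function can be run against `document.cookie` after clicking the reject option; an empty result means only necessary cookies remain.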