It is possible to use such justification for the exclusion of a control, but please note that the common understanding is that the information in the SoA refers to elements that are part of the ISMS scope, and such justification (referring to elements not in the ISMS scope) would only add unnecessary complexity to your document (e.g., an auditor would have to work again on the ISMS scope document to confirm that the development process is out of the scope).
It is simpler to say that the control is not applicable because there are no relevant risks and/or legal requirements demanding the implementation of the control.
The main purpose of a quality management system (QMS) is consistently meeting customer requirements and enhancing their satisfaction. The process approach is one of the eight quality management principles upon which ISO 9001:2015 is based. According to this principle, a desired result is achieved more efficiently when activities and related resources are managed as a process. So, ISO 9001:2015 invites organizations to see themselves as a system of interacting processes. One can say that the QMS is that collection of processes.
I like to use the process approach as a way of modeling how an organization works. For example, the main processes for a service-providing organization can be around something like:
All organizations are different, so there is no universal set of processes. Each organization should design the set of interrelated processes that best suits its purpose.
Please check in this free webinar on demand how the set of processes can be determined and the process approach can be used - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
You can find more information about the process approach in the following links:
Although the function of the management representative, referred to in the previous edition, is not mentioned in ISO 9001:2015, the roles, responsibilities and authorities remain; it is up to top management to define who should be assigned. This aims to reinforce the possibility that the responsibilities regarding the QMS belong to a group of people, and not exclusively to a single representative of the management or the quality manager. They can be assigned to those responsible for the different processes and to other people in the organization.
You can find more information about the management representative in the following links:
1 - Question: am I going on the right path, and what are the pitfalls I may encounter? Some of our processes rely on a digitalized information system, and if the system fails we fall back on our manual system. We have not decided to go for ISO 27001 yet.
ISO22301 does not prescribe a risk assessment approach (you have to define one on your own), but please note that SWOT is not sufficient, because for risk assessment you need to perform risk identification and risk analysis, and SWOT will help you only to identify risks (the risk matrix system will help you to analyze the risks, so you can have them measured).
Regarding ISO 27001, it is not required for ISO 22301 certification, but you can consider its security controls to support your BCMS implementation, as good practices.
For further information, see:
2 - Question: am I right to say that we only select such key cases when doing our BCMS and use those cases for the certification of ISO 22301?
I'm assuming that by key cases you are referring to the specific disruptive scenario that will be handled by your BCMS.
Considering that, please note that the certification is based on the BCMS scope, which covers the processes, locations, and/or business units you consider relevant for business continuity. Relevant disruptive scenarios are identified after the BCMS scope definition.
So, you need to define the BCMS scope first, because without it the certification auditor will be unable to evaluate if the selected key cases are relevant or not.
Additionally, the BIA, risk assessment, strategy, and planning have to be done for all the activities in the BCMS scope.
For further information, see:
3 - Final question: I saw the BIA template; it may be complicated for my staff to understand and use effectively. Question: is there any simpler template to use? We are just a service provider (ISO 9001 and OHSAS certified) at the airport for all cargo shipments, and we are also based on the ISAGO-IATA requirement.
Our BIA template contains the minimum information required by the standard, so to better help you we need more details to understand where potential difficulties may be.
Please note that included in the template you have access to a video tutorial that can help you to fill in the BIA, using real data as examples. This may help you to fulfill the BIA.
For ISO 27001 you can define equipment as an asset that is used to store and/or process information, or to support information processing facilities.
To identify equipment to be considered for information security you need to verify the ISMS scope and the legal requirements (e.g., laws, regulations, and contracts) your organization must comply with. Based on the information your ISMS must protect, and on the legal requirements, you can identify the equipment that must be considered for the application of information security controls like A.11.2.4.
To see examples of assets, I suggest you take a look at the free demo of our Inventory of Assets, sheet "Checklist of assets", at this link: https://advisera.com/27001academy/documentation/inventory-of-assets/
It contains examples of assets to be used in the risk assessment for ISO 27001.
These articles will provide you a further explanation about assets and equipment:
1 - Is the SOA related to the scope?
Your assumption is correct. The Statement of Applicability is used, among other things, to identify the controls applicable to protect the elements identified in the ISMS scope.
This article will provide you a further explanation about the Statement of Applicability:
2 - How can we verify the inclusion and exclusion of controls?
Inclusions and exclusions of controls are made through the risk assessment and risk treatment process, and by the evaluation of the legal requirements (e.g., laws, regulations, and contracts) your organization has to comply with.
This article will provide you a further explanation about risk assessment and risk treatment:
These materials will also help you regarding ISO 27001:
1 - Company documents such as "Contracts" signed with various clients: do these form part of "internal" documents or external?
Answer: Documents that need interaction with external parties, such as clients or suppliers, must be considered as external. So contracts must be considered external documents.
2 - Would we have to follow a Change History table on them too?
ISO 27001 requires that changes to documents are controlled, but the standard does not prescribe how, so you do not necessarily need to use a change history table.
What generally happens with contracts is that changes to them are included as annexes, pointing out which clauses have been included, excluded, or changed.
These materials will also help you regarding document management and ISO 27001:
For the implementation of ISO 27001, after getting support for the project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
These articles will provide you a further explanation about ISMS implementation:
These materials will also help you regarding ISO 27001 implementation:
To see what documents for an ISMS look like, please take a look at our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
ISO 27001 does not prescribe how exceptions in the ISMS management and operation must be handled, so you can use a manual process to handle exceptions in an information classification policy. You only have to take care that such exceptions do not compromise the fulfillment of the standard's requirements because this would lead to nonconformities.
These materials will help you regarding ISO 27001 requirements:
ISO 27001 does not prescribe restrictions about the use of PII, only that privacy and PII must be ensured considering applicable legal requirements, in case control A.18.1.4 - Privacy and protection of personally identifiable information is applicable to your organization.
Now, GDPR lets the data controller evaluate and balance the risk of the security measures taken. There is a presumption of adequacy for encrypted data, and multi-factor authentication is encouraged. Of course, Article 32 GDPR on security measures requires the data controller to balance the risks to the freedoms and rights of data subjects with the state of the art, the cost of implementation, and the nature, scope and purposes of processing in order to determine the right level of security.
These articles will provide you a further explanation about ISO 27001 and GDPR: