1 - Question: am I going on the right path, and what are the pitfalls I may encounter? Some of our processes rely on a digitalized information system, and if the system fails we fall back on our manual system. We have not decided to go for ISO 27001 yet.
ISO 22301 does not prescribe a risk assessment approach (you have to define one on your own), but please note that SWOT is not sufficient, because for risk assessment you need to perform risk identification and risk analysis, and SWOT will help you only to identify risks (the risk matrix system will help you to analyze the risks, so you can have them measured).
Regarding ISO 27001, it is not required for ISO 22301 certification, but you can consider its security controls to support your BCMS implementation, as good practices.
For further information, see:
2 - Question: am I right to say that we only select such key cases when doing our BCMS and use those cases for the certification of ISO 22301?
I'm assuming that by key cases you are referring to the specific disruptive scenario that will be handled by your BCMS.
Considering that, please note that the certification is based on the BCMS scope, which covers the processes, locations, and/or business units you consider relevant for business continuity. Relevant disruptive scenarios are identified after the BCMS scope definition.
So, you need to define the BCMS scope first, because without it the certification auditor will be unable to evaluate if the selected key cases are relevant or not.
Additionally, the BIA, risk assessment, strategy, and planning have to be done for all the activities in the BCMS scope.
For further information, see:
3 - Final question: I saw the BIA template; it may be complicated for my staff to understand and use effectively. Question: is there any simpler template to use? We are just a service provider (ISO 9001 and OHSAS certified) at the airport for all cargo shipments, and we are also based on ISAGO-IATA requirements.
Our BIA template contains the minimum information required by the standard, so to better help you we need more details to understand where potential difficulties may be.
Please note that included in the template you have access to a video tutorial that can help you to fill in the BIA, using real data as examples. This may help you to fulfill the BIA.
For ISO 27001 you can define equipment as an asset that is used to store and/or process information or to support process information facilities.
To identify equipment to be considered for information security you need to verify the ISMS scope and the legal requirements (e.g., laws, regulations, and contracts) your organization must comply with. Based on the information your ISMS must protect, and on the legal requirements, you can identify equipment that must be considered for application of information security controls like A.11.2.4.
To see examples of assets, I suggest you take a look at the free demo of our Inventory of Assets, sheet "Checklist of assets", at this link: https://advisera.com/27001academy/documentation/inventory-of-assets/
It contains examples of assets to be used in the risk assessment for ISO 27001.
These articles will provide you a further explanation about assets and equipment:
1 - Is the SOA related to the scope?
Your assumption is correct. The Statement of Applicability is used, among other things, to identify the controls applicable to protect the elements identified in the ISMS scope.
This article will provide you a further explanation about the Statement of Applicability:
2 - How can we verify the inclusion and exclusion of controls?
Inclusions and exclusions of controls are made through the risk assessment and risk treatment process, and by the evaluation of the legal requirements (e.g., laws, regulations, and contracts) your organization has to comply with.
This article will provide you a further explanation about risk assessment and risk treatment:
These materials will also help you regarding ISO 27001:
1 - Company documents such as "Contracts" signed with various clients: do these form part of "internal" documents or external?
Answer: Documents that need interaction with external parties, such as clients or suppliers, must be considered external. So contracts must be considered external documents.
2 - Would we have to follow a Change History table on them too?
ISO 27001 requires that changes to documents are controlled, but the standard does not prescribe how, so you do not necessarily need to use a change history table.
What generally happens with contracts is that changes to them are included as annexes, pointing out which clauses have been included, excluded, or changed.
These materials will also help you regarding document management and ISO 27001:
For the implementation of ISO 27001, after getting support for the project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
These articles will provide you a further explanation about ISMS implementation:
These materials will also help you regarding ISO 27001 implementation:
To see what documents for an ISMS look like, please take a look at our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
ISO 27001 does not prescribe how exceptions in the ISMS management and operation must be handled, so you can use a manual process to handle exceptions in an information classification policy. You only have to take care that such exceptions do not compromise the fulfillment of the standard's requirements because this would lead to nonconformities.
These materials will help you regarding ISO 27001 requirements:
ISO 27001 does not prescribe restrictions on the use of PII, only that privacy and PII must be ensured considering applicable legal requirements, in case control A.18.1.4 - Privacy and protection of personally identifiable information is applicable to your organization.
Now, GDPR lets the data controller evaluate and balance the risk of the security measures taken. There is a presumption of adequacy for encrypted data, and multi-factor authentication is encouraged. Of course, Article 32 GDPR on security measures requires the data controller to balance the risks to the freedoms and rights of data subjects with the state of the art, the cost of implementation, and the nature, scope, and purposes of processing in order to determine the right level of security.
These articles will provide you a further explanation about ISO 27001 and GDPR:
Escalation, as you know, means that if a problematic issue cannot be resolved by the relevant authority, it is forwarded to one or more senior authorities.
It is important that the following issues take place in the escalation system.
So, the IATF 16949:2016 standard expects you to set up a delegation system. The delegation system should, of course, be systematic. There is no requirement for it to be registered in one place. The issues mentioned above can be recorded in the Quality Management System in a single procedure and/or instruction, in one or several tables, in the task-authority table and communication procedure, or in the risk assessment and contingency plans.
The important thing is how the escalation process is distributed throughout the organization, the preparedness for bad scenarios, and the knowledge and competencies of the process owners on the subject.
The key considerations related to ISO 27001 you should take into account at this moment are:
These two items are core for ISO 27001, and even if you are not going for implementation of ISO 27001, they can help you include controls to make your process less susceptible to information security incidents (e.g., controls from Annex A related to software acquisition and maintenance).
These articles will provide you a further explanation about these topics:
This course will help you in learning about ISO 27001:
1 - Should all these assets be included in the same column, having for example the categorization in another column or should I have 2 different tables, with a relation between supporting assets and primary ones?
ISO 27001 does not prescribe how to build the risk register, so you can define it as better fits your organization. The most common approach is to use a single table for all assets, all listed in a single column (you do not need to define them as primary and supporting assets).
2 - Are the threats and vulnerabilities related to supporting assets and thus impacting the related primary assets? How should this be mapped in an Excel file?
ISO 27001 does not prescribe a risk assessment approach, only that you have to define one, so from our experience you do not need to think of assets in terms of primary assets and supporting assets (this would only make your assessment unnecessarily more complex). You can just link threats and vulnerabilities to a single level of assets.
To see what a risk assessment looks like, I suggest you take a look at the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/
These articles will provide you a further explanation about assets and risk assessment:
Feel free to enroll in our free course:
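As an added example that is not part of the original answer, here is the single-table approach described above in Python: one column of assets at a single level, each threat/vulnerability pair linked directly to its asset, and a likelihood x impact matrix used to analyze the risks. The assets, scales and acceptable risk level are constructed assumptions, not values from the answer.

```python
# Added example (not from the original post): a flat risk register with one
# asset column and a likelihood x impact matrix. All data is constructed.
from dataclasses import dataclass

# Constructed 3x3 scales; an organization defines its own levels.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskRow:
    """One register line: asset + threat + vulnerability, at a single asset level."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """Risk level read off the matrix: likelihood x impact (1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def build_register(rows):
    """Flatten to (asset, threat, vulnerability, score) tuples, one per row."""
    return [(r.asset, r.threat, r.vulnerability, r.score()) for r in rows]


def risks_needing_treatment(rows, acceptable_level=3):
    """Rows scoring above the acceptable level go to risk treatment, highest first."""
    return sorted((r for r in rows if r.score() > acceptable_level),
                  key=lambda r: -r.score())


# Constructed sample register (hypothetical assets and scenarios)
SAMPLE_ROWS = [
    RiskRow("Cargo tracking server", "Power failure", "No UPS", "medium", "high"),
    RiskRow("Cargo tracking server", "Malware", "Unpatched OS", "high", "high"),
    RiskRow("Paper manifest archive", "Fire", "No fire-rated cabinet", "low", "high"),
    RiskRow("Office laptop", "Theft", "Disk not encrypted", "medium", "medium"),
    RiskRow("Printed shipping labels", "Loss", "Left on shared printer", "medium", "low"),
]

if __name__ == "__main__":
    for line in build_register(SAMPLE_ROWS):
        print(*line, sep=" | ")
    print("Treat:", [(r.asset, r.threat) for r in risks_needing_treatment(SAMPLE_ROWS)])
```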