Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Toolkit documentation

    Please note that ISO 27001 does not require documents to be developed to implement controls A.7.5 and A.7.8, so a brief description of their implementation can be included in the Statement of Applicability, and this template can be found in folder 06 Applicability of Controls (in this template a suggested text on how to document this information is included).

  • DR distance

    Please note that there is no definitive answer about how far apart a disaster recovery site should be.

    Main ISO standards covering this topic (ISO 27001, for information security, and ISO 22301 for business continuity), as well as most regulations and industry practices, do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (a geographic situation, available resources, required investment, etc.).  

    This article will provide you with a further explanation of the distance of the recovery site:

  • Lead Auditor certification

    Please note that accreditation only applies to organizations that certify other organizations' management systems (e.g., ISO 27001, ISO 9001, etc.), or certifies people that are approved on their training (e.g., Lead Auditor, internal auditor, etc.).

    Considering that, once you have passed the Lead Auditor exam from an accredited training provider there is no need to submit your certification for accreditation. The fact that the provider is accredited already validates your certification.

    For further information, see:

  • Documentation hierarchy

    ISO 27001 does not prescribe documentation hierarchy, so organizations can adopt the framework that best suits their needs.

    Considering that, using ISO 10013 as a reference for documentation hierarchy is an acceptable approach.

    Regarding the fact that ISO 10013:2001 is a withdrawn standard, unless you have specific requirements to adopt this version (e.g., customer requirement or law), you should consider using the 2021 version of the standard, because its requirements are better aligned with current versions of ISO management systems standards.

    For further information, see:

    • How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/

    • Does a company need to be ISO certified to present a Quality Manual?

      No, any company can prepare a quality manual. By the way, ISO 9001:2015 no longer mentions a quality manual.

      Please check these articles:

    • Information Security Policy Creation

      Examples of Information Security Objectives are:
      - decrease the impact and/or number of information security incidents by 30% in 12 months
      - increase revenue of service XYZ by 5% in 12 months
      - win a new customer in 6 months
      - increase market share by 3% in 12 months

      For further information, see:

    • Statement for logs retention periods regarding critical assets

      ISO 27001 does not prescribe retention periods for logs.

      To define proper retention periods, you need to perform a risk assessment and identify applicable legal requirements.

      In case your risk assessment and requirements do not provide a proper reference, you can try starting with a retention time of one year.

      For further information, see:

    • Distributor vs Supplier quality agreement

      Quality agreement should be with the actual manufacturer because you need to be sure that the device is produced in accordance with ISO 13485 and MDR.  

    • ISM Policy

      ISO 27001 does not prescribe which objectives to define, so you can use objectives related to your business strategy, to specific customers and regulators you must comply with. Additionally, you can also use more specific objectives related to security controls, security processes, etc.

      Some specific examples are:

      • win a new customer in 6 months
      • increase market share by 3% in 12 months

      For further information, see:

      • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

      • Custom Control Creation

        Considering your stated situation (Having operating system software and databases that are at the end-of-support life cycle), suggested assets, vulnerabilities, and threats, with respective controls are:

        • Assets: “Operating systems” and “Database management systems”
        • Vulnerabilities: “Rules for software and its databases not clearly defined” and “Requirements for software development not clearly defined”
        • Threats: “Maintenance errors” and “Application error”
        • Controls: “A.8.25 - Secure development life cycle” and “A.8.8  Management of technical vulnerabilities”

        Please note that end-of-support is part of the retirement step of an asset life cycle management process (in this case, applied to assets operating system software and databases), and so it is an expected situation for IT operations.

        Considering that, the vulnerability, in this case, would be related to not knowing what to do by this time.
Page 41-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +