  • Toolkit content

    1. Wondering a bit about the organization of files: we have a list of policies we need to write first – one is "Information Security Awareness, Education & Training" – I find it referenced as A.7.2.2.

    Yet when I go into the folder where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.

    There IS an A.7.2_Statement of Acceptance.

    Please note that ISO 27001 does not require a policy for "Information Security Awareness, Education & Training" to be written. For certification purposes, the training and awareness plan, located in folder 09 Training and Awareness, is sufficient.

    For further information, see:

    2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?

    Patch Management Policy – in A.8.2 – IT Security Policy?

    Information Security in Project Management – where to discuss this or assign project manager responsibilities?

    Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it, as I can’t find any sample wording.

    Patch management would be best covered in A.12.1 - Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security, since it involves change management.

    Overall project manager responsibilities can be defined in the Information Security Policy, located in folder 04 General Policies, and specific responsibilities can be defined in the project's documentation.

    Separation of Development, Testing & Operational Environments would be best covered in A.14 - Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.

    These articles will provide you further explanation:

  • Copy of the ISO/IEC 27001 standard licensed document

    Employees do not need to have a copy of the standard for themselves. It is sufficient that the management make available a licensed copy of ISO/IEC 27001 whenever they need to consult the standard.

  • Management review inputs

    Internal and external issues are one thing; interested parties are another (about interested parties, check 9.3.2 c) 1)).

    Let's imagine that an organization is located in a country that recently lifted the typical quarantine restrictions due to the coronavirus pandemic. What impacts were caused by an event of this nature in the world where that organization operates? Here are some possible external factors:

    Which suppliers have closed and will not open again? What suppliers were discovered during the emergency and behaved very well? What legislative changes have occurred and will not be removed? What new models of reaching out to customers have been tested, discovered and may be of importance in the future? What social and economic changes were introduced by the pandemic and the corresponding quarantine? How will the market behave in the future? Unemployment, loss of income, interest rates, indebtedness, ... how will they affect the future?

    Here are some possible internal factors (considering that the organization managed to work at least in part during quarantine):

    How did the organization perform? Strengths and weaknesses? What has been learned? Who was lost in the meantime and will not return to the organization? What practices were established during the quarantine that deserve to continue? What are the consequences of the adoption of telecommuting, tele-meetings, and new communication infrastructures? What are the consequences of having a much more versatile group of employees now?

    You are trying to sense the stage on which the next months, or year, will take place.

    Please, consider enrolling in this free webinar - How to use ISO 22301 to continue operations during the pandemic - https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar/

    You can find more information about management review below:

  • Consulting

    To understand the content needed for a Business Continuity Plan - ISO 22301 and an information security management plan - ISO 27000, I recommend these books:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ 

    You can also find useful information in these articles:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Please, also consider this resource: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/


  • Objectives documentation requirements

    ISO 27001 does not prescribe how to document information security objectives, so both ways you proposed are acceptable.

    What normally happens in ISO 27001 implementation projects is that High-Level Info Sec Objectives are documented in the Information Security Policy and other security objectives are documented in the Statement of Applicability document.

    To see what these documents look like, please access these links:
    - https://advisera.com/27001academy/documentation/information-security-policy/
    - https://advisera.com/27001academy/documentation/statement-of-applicability/

    These articles will provide you further explanation about Information Security Policy and Statement of Applicability:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/


  • Performance evaluation and pollution control

    First, let us consider what pollution prevention is: it is one of the commitments of the environmental policy (5.2); prevention of pollution is what an organization does to reduce or control the creation, emission, and discharge of any waste or pollutant related to its environmental aspects.
    So, while determining environmental aspects and impacts (6.1.2), you should identify any creation, emission, and discharge of any waste or pollutant. Develop action plans (6.1.4) to prevent, reduce or control pollution. Those action plans will be translated into operational improvement (8.1) and emergency prevention and response (8.2). Performance evaluation (9.1) will check whether results are in line with what was planned.

    You can find more information about ISO 14001 below:


  • Compliance with AB and CB certification

    ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between the auditor and the auditee’s personnel, and any regulatory requirements.
    Please check ISO 19011:2018 Annex A.1 Applying audit methods. See also Annex A.15 Visiting the auditee’s location and Annex A.16 Auditing virtual activities and locations.

    Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives while benefitting from the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.

    Some remote audit activities are:

    • ensuring remote access protocols, devices, software, etc.;
    • asking for permission in advance for any screenshots, considering confidentiality and security matters, and avoiding recording individuals without their permission;
    • using floor plans/diagrams of the remote location for reference;
    • maintaining respect for privacy during audit breaks.

    In my country, we are under lockdown. We are all experiencing teleworking. For example, I’m realizing that many meetings are being more efficient this way. Perhaps in the future, this will be the new normal, many meetings will continue to be done this way. So, my best advice is to start practicing remote audits, to test different approaches, to test different technologies, to learn how to answer remote audit risks like:

    • Communication equipment fails or is unreliable;
    • Internet access fails or is unreliable;
    • Internet security—information confidentiality and integrity;
    • Auditee personnel do not adhere to scheduled meeting times;
    • Auditee personnel constantly leave scheduled meetings to take care of other business;
    • Auditor accepts audit evidence that is not objective and impartial;
    • Auditee stages certain events or activities of the audit;
    • Auditor or audit program manager approves an on-site proxy auditor that is not qualified to expedite the audit.

    I invite you to read this article – What are the benefits and barriers when performing remote audits? - https://advisera.com/articles/what-are-benefits-and-barriers-when-performing-remote-audits/

    Concerning AB and CB requirements, it is advisable to contact them. However, you can check these two documents:

  • A.6.2 Mobile Device and Teleworking Policy

    Please note that your toolkit already contains a template for the Information Classification Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management.

    Basically, the process for information classification should cover these steps:

    • Inventory information: know which classified information you have in your possession, and who is responsible for it
    • Classify information: assign a degree of classification according to the value of the information
    • Label information: how the information classification is made known to users
    • Handle information: rules on how to protect each type of information depending on its classification level

    This article will provide you further explanation about Information classification according to ISO 27001:

  • Meas of Uncert Budget/Pipette

    Advisera’s ISO 17025 toolkit guides you through the implementation of ISO 17025. We do not produce your actual uncertainty budget as part of the Advisera ISO 17025 Academy, but guide you on what is required.

    The ISO 17025 document template Evaluation of Measurement Uncertainty Procedure, and the related Measurement Uncertainty Checklist and Measurement Uncertainty Record, are available as part of the ISO 17025 toolkit, or as separate documents. The procedure provides a flowchart and defines the steps required to plan, measure and calculate the data required for an evaluation of measurement uncertainty program. It lays down the basic first steps required for the program and references the recommended resources for completing the required calculations. The checklist guides you, and you can list the uncertainty factors in it. This can then be customised for your uncertainty budget.

    Have a look at the available toolkit documents.

  • ISO 27001 Security Awareness Training

    Yes, you do not need to document each and every control – in such cases, you will use awareness sessions and training to explain to your employees how particular security activities need to be done.

    In the SoA you cannot simply refer to the Training Plan - you need to explain in a sentence or two how the control is implemented - e.g. "The data recorded on media must be encrypted."

    Please note that some controls, when identified as applicable, require documentation (e.g., control A.9.1.1 - Access Control Policy).
