
  • Templates for controls from Annex A

    In general, these topics are already covered by the daily activities of an organization's HR area (they are part of its core activities), so we do not provide related templates, so as not to add unnecessary administrative effort to the ISMS (you can adopt the documents you already have and only adjust them to the requirements of the related ISO 27001 controls).

    In case you do not have such documents, you can contact us through email or online meeting, so we can help you develop such documents.

  • Risk assessment

    1.  Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include the source of them in the scope? For example, there are some laptops that can access (download or view) some sensitive data from what is in the scope, so do we need to include these laptops in the scope, or just apply some controls to mitigate the risks that come from them?

    Answer: If risks, internal or external, have the potential to impact the elements of the ISMS scope, then you have to include them in the risk assessment, and apply controls to mitigate those identified as unacceptable.

    About including the risk source information, ISO 27001 does not prescribe this information as mandatory, so this will depend on the risk assessment methodology you are using, because some of them require this information and others do not.

    For further information see: ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    2.  What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?

    Answer: Existing controls are controls already implemented by the time you perform the risk assessment, while planned controls are controls you intend to implement after the approval of risk treatment.

    Existing controls must be included in the risk register if they have any impact on the assessed risk value, and planned controls must be included in the risk register only for risks considered unacceptable that are to be treated (i.e., for risks identified as acceptable there is no need for planned controls).

    3. Should we write already mitigated risks in the risk assessment phase? For example, a security feature in a system is enabled, so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk, so do we need to write down these risks in the risk assessment phase?

    Answer: This is an example of a risk with an existing control applied, and if this risk is relevant to your ISMS scope, then it must be included in the risk assessment, so you have formal knowledge that it exists and is already being treated.

    4. How can we design criteria for the impact if our scope is in the cloud?

    Answer: ISO 27001 does not prescribe the use of specific criteria for impact on elements of the scope in the cloud, so you can use the same criteria for impact used in your standard risk assessment.

    What happens when part of the scope is in the cloud is a modification of the responsibilities for the assets, and of the impact and likelihood levels for those elements, not of their type.


    For further information, see:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/


    These materials can also provide further information:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Procedure for documents and records

    The activity of establishing and maintaining ISO 17025:2017 documents and records is a critical activity in most laboratories, as it usually involves many personnel meeting many ISO 17025 requirements. A procedure is therefore required, being defined as a “specified way to carry out an activity or a process”. (ISO 9000:2015)

    Although it is noted that procedures can be either documented or not, consider that documents and records are core to meeting every ISO 17025 requirement. If a documented procedure did not exist to establish, identify, approve, review, change and control distribution of documents and records, a laboratory would risk the quality and control of many processes within the ISO 17025 management system. As ISO 17025 requires a laboratory to consider and address risks of all activities, a documented procedure to manage documents and records is considered mandatory.

  • ISO 13485 implementation time frame

    This depends on how big your company is, whether your company is in one location or several, how many employees there are and how complicated your processes are. Usually, very small companies need 2 or 3 months; small organizations up to 50 employees could implement in 6-8 months; medium-sized organizations up to 500 employees could implement in 8-12 months; larger organizations can take 12-15 months to implement.

  • Residual risk

    First, you have to identify which documents in your organization contain information about residual risks (e.g., the risk assessment and treatment report), and then which persons or roles must have access to them (e.g., risk owner, asset owner, top management, the person responsible for information security, etc.). With this information, you can check whether the significant residual risk is being provided to the appropriate people.

    This information is identified during the definition of the risk assessment and risk treatment processes required by ISO 27001.

    To see what a document with such information looks like, I suggest you take a look at the free demo of our Risk Assessment and Risk Treatment Methodology at this link: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
    This article will provide you further explanation about risk assessment and risk treatment methodology:

    These materials will also help you regarding risk assessment and risk treatment methodology:

  • Remote Audits in Manufacturing

    Remote audits are about using technology to collect evidence, gather information, interview an auditee, etc. when “face-to-face” methods are not possible or desired.

    ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: Performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between auditor and auditee’s personnel and any regulatory requirements. Please check ISO 19011:2018 Annex A.1 Applying audit methods. See also Annex A.15 Visiting the auditee’s location and Annex A.16 Auditing virtual activities and locations.

    Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives, while benefitting the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.

    Remote audits can be useful for auditing manufacturing during circumstances beyond the control of the organization, commonly referred to as “Force Majeure”. Remote audits can be useful for reducing audit costs and increasing audit efficiency.

    The following material will provide you more information about remote audits:

  • ISO 27007 vs ISO 19011 for auditing

    ISO 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. ISO 19011 was designed to conduct internal or external audits in management systems in general.

    ISO 27007 provides additional recommendations to the guidance provided by ISO 19011. For example, where ISO 19011 states you must look for evidence of compliance, ISO 27007 will suggest specific evidence and tests for ISO 27001 clauses and controls from Annex A.

    Considering that, for a specific ISO 27001 context, ISO 27007 is more recommended. If you have to also audit other ISO management systems, like ISO 9001 and ISO 14001, ISO 19011 would be a better choice.

    This material can help you:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • ISO 14001 and recording opportunities

    First, let us consider what ISO 14001:2015 considers mandatory. Clause 6.1.1 states the need to maintain a list of the risks and opportunities that need to be addressed by the organization.

    Second, records are the memories of an organization. Without memory it is much more difficult to improve, to compare last year’s point of view with your current situation, with what your organization has in the meantime lived through, tested, suffered, and improved.

    The following material will provide you information about document requirements:

  • Consulting and conflict of interest

    1 - When we talk about ISO 27001, what is the consulting evidence?

    I'm assuming you are referring to consulting services hired to support operations related to an ISO 27001 based ISMS, because of your second question about pen test and SOC implementation.

    Considering that, ISO 27001 does not prescribe evidence for consulting, but since consulting is a kind of service, you should consider at least this evidence:
    - contracts or service agreements (they define what is to be delivered and the rules of execution of the job)
    - any evidence of the delivery of what was required (e.g., final reports and all other documents produced by a consultant)
    - any evidence of the acceptance by the customer of what was delivered (e.g., acceptance letters, receipts, etc.)

    2 - Is a pen test or a contract for the implementation of a SOC a type of consulting?

    Consulting is any kind of service where expert advice is provided, so a pen test and the implementation of a SOC can be provided as consulting.

    3 - Is a CB allowed to give these services to their client?

    I'm assuming that by CB you are referring to Certification Body.

    Considering that, a certification body must avoid performing any other activity for a client in a way that can affect its capacity to evaluate the client independently.

  • ISO 14001 and ISO 9001 similarities

    Both standards require that the policy:

    • Be appropriate to the purpose and context of the organization;
    • Frame the management system objectives;
    • Include a commitment to meet compliance obligations (although 9001 uses another language);
    • Include a commitment to continuous improvement of the management system;
    • Be kept as documented information;
    • Be communicated internally and made available to interested parties.

    While the quality policy, according to ISO 9001, must support the strategic orientation of an organization, the environmental policy, according to ISO 14001, must take into account the relevant environmental impacts and include a commitment to the prevention of pollution and protection of the environment.

    You can find more information about management system policies:
