We're not experts in PCI DSS, but generally ISO 27001 documentation can help cover some of the requirements of PCI DSS - e.g. Access control policy.
This article from ISACA can provide you with a comparison: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-1/comparison-of-pci-dss-and-isoiec-27001-standards
These articles will provide you further explanation about ISO 27001 and PCI DSS:
- PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/
- PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification https://advisera.com/27001academy/knowledgebase/pci-dss/
1. Is the risk rating based on taking into account existing controls, or, in the case of no controls at all, on the situation before controls are applied?
How does control No. 4 affect the risk level of risk No. 4? Shouldn't the sequence be:
- assess risk
- take into account existing controls
- update risk taking into account existing controls
- perform risk treatment for unacceptable risks and document in risk treatment table
- define a risk treatment plan
Risk rating must consider already implemented controls because this situation reflects the reality of your organization.
The mentioned control (locked in the file cabinet) decreases the effect of the vulnerability (unauthorized access to facilities allowed) on the likelihood, because even if a person has unauthorized access to the facilities, since the confidentiality agreement is in a locked cabinet, the person will not be able to access the agreement without the appropriate tools.
Considering your proposed sequence, taking into account the existing controls is performed at the same time as you assess the risk, because the control will affect the components of the risk (i.e., impact and/or likelihood). So the sequence would be:
2. What about existing controls for No. 1-3? None implemented yet?
In the tutorial, there are no controls implemented for risks 1-3. These examples were used to demonstrate the most common situation, where there are no controls implemented and a single asset can have multiple risks associated with it.
3. What about controls for risks that can be accepted?
For risks with no currently implemented controls that are acceptable, you do not need to associate controls, so there is nothing to fill in in the last column.
In case you have a risk that is acceptable because you have an implemented control associated with it, you should evaluate if this control needs some kind of adjustment (e.g., a technological update, or change in the process). If no adjustments are needed then your job is finished.
In case you understand the control needs adjustment, then you must include this risk in the next step of the process, the risk treatment.
According to clause 9.3 Analysis and evaluation, organizations should consider how frequently it will analyze and evaluate data that will help determine areas for improvement. The organization should use methods and control data quality (to ensure that it is representative, unbiased, and accurate, for example) in order to promote fact-based management decisions. ISO 9001:2015 does not prescribe specific statistical techniques. Each organization should evaluate those that can be useful.
Please, consider this free webinar on-demand - Measurement, analysis, and improvement according to ISO 9001:2015 -
https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ where you find examples of statistical techniques used to help in making decisions
The following material will provide you more information about measurement:
Please check this Case study for ISO 9001:2015 transition in a construction company where you can find a sample of how to document such issues in a SWOT matrix: https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf?t=1493297551317
You can find more information about context below:
They can flowchart their activities and then apply the risk-based approach to determine where quality issues can occur. After evaluating those risks, the most relevant ones can generate a set of action plans in order to:
Design quality – for example, change a product in order to reduce failure modes;
Prevent quality – for example, by improving people competence or by working with better suppliers;
Control quality – establish control points and control plans
According to clause 7.5.1 of the IATF 16949:2016 standard, the quality manual shall be documented. Although it is not a requirement, the quality policy generally continues to be documented in the quality manual.
With this new standard, the word "procedure" is not used. Also, there is no definition for the Level 1 document.
To learn more about the mandatory documents, see this free white paper: Checklist of Mandatory Documentation Required by IATF 16949:2016 https://info.advisera.com/16949academy/free-download/checklist-of-mandatory-documentation-required-by-iatf-16949
Basic aspects of quality management systems in ISO 9001 and ISO 13485 are very similar: documentation control, internal audits, corrective actions, management of nonconforming products, management review. From the medical devices point of view, ISO 13485:2016 is more important.
To understand better what are similarities and differences between these two standards, please read an article on the following link: Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
On this link you can find several white papers about the planning process for implementation of ISO 13485, project proposal and similar: https://advisera.com/13485academy/free-downloads/
Here are a few articles that discuss ITIL/ISO 20000 implementation and its benefits, i.e., challenges:
5 key benefits of ISO 20000 implementation https://advisera.com/20000academy/blog/2016/02/09/5-key-benefits-of-iso-20000-implementation/
4 Crucial Techniques for Convincing your top Management to Implement ISO 20000 https://advisera.com/20000academy/blog/2017/10/31/4-crucial-techniques-for-convincing-your-top-management-to-implement-iso-20000/
What are the most common ISO 20000 implementation myths? https://advisera.com/20000academy/blog/2016/02/23/what-are-the-most-common-iso-20000-implementation-myths/
5 excuses why IT organizations avoid ITIL implementation https://advisera.com/20000academy/blog/2015/08/25/5-excuses-why-it-organizations-avoid-itil-implementation/
How ITIL can help cloud services https://advisera.com/20000academy/blog/2015/07/28/how-itil-can-help-cloud-services/
This order follows exactly the sequence of requirements of ISO 27001.
Please note that the Risk Treatment Plan defines the actions, resources, responsibilities, and dates for the implementation of risk treatment options (e.g., risk transfer and risk mitigation), and you first need these options to be approved, generally as part of the SoA approval, so you can minimize risks of rework or loss of time if a treatment option is not approved.
These articles will provide you further explanation about the risk management process:
Let us start with what clauses could be candidates for non-applicability:
The following material will provide you more information about non-applicable clauses: