Search results

Risk based calculation

ISO 27001 does not prescribe how to calculate risks, so organizations can adopt the approach that better suits their needs. 

Considering that, please note that the most commonly used approach is the asset-threat-vulnerability, which does not use only physical assets, but also, information, data, services, and other kinds of assets, where risks are determined according to their impacts related to information Confidentiality, Integrity, and Availability.

For further information, see:

• ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

In this article you will find information about:

• Main steps in risk management
• Risk assessment methodology
• Risk assessment
• What to use instead of an asset-based approach for ISO 27001 risk identification

• Inquiry

  ISO 27001 does not prescribe controls hierarchy to be implemented, so large majority of companies do not differentiate between high and low level controls. We also do not recommend this approach because it only creates an overhead.

  Although ISO 27001 does not specify this, you could apply "high-level" and "low-level" concept to policies - the top-level Information Security Policy could be considered as a "high-level" policy because it defines security rules for a whole company, whereas a "low-level" policy could be Backup policy because it defines security rules for only one part of the company.

• ISO 27001 EA Codes

  I’m assuming that by EA Codes you mean the codes for ISO Certification Scope.

  Considering that, EA Codes are not used or required by ISO 27001. They are used by certification bodies during the certification process to identify the main business activity related to the certification scope.

• Implementing ITSM and Agile Methods Together

  Thanks for that information 

• Risks to Impartiality

  Yes, you are correct in your interpretation. A laboratory needs to consider possible risks to impartiality (in terms of the definition of impartiality), then identify any that may be possible  (even if low probability) in your context (what you do, who your clients and external providers are, and what your organizational structure is). They are many aspects that are covered under impartiality. These are explained in the definition of impartiality in ISO 17025, where impartiality is simply the

  presence of objectivity; meaning there are no conflicts of interest (or they are resolved/safeguarded)are resolved so that there are no factors that can negatively influence activities of the laboratory. Look at the standard for the other terms such as “freedom from bias”. So anything that will impact any established policies including a Code of Conduct. For example, personnel is put under undue pressure where they have to as you say take shortcuts that may jeopardize the results. Everything must be in place to ensure competent, consistent operations. i.e. consistently valid results.

  You asked
  is there a good way to communicate these?

  Through risk analysis and the use of tools showing cause and effect, and fishbone diagrams. Involve all relevant personnel. Use brainstorming and set out a process chart for an activity showing the inputs and outputs and the influencing factors. Then indicate the controls in place. Using your risk register indicate whether with those current controls (risk treatment) if the risk is at an acceptable level or not. Then record how you will monitor the effectiveness over time – for example, monthly meeting discussions, when onboarding new personnel, clients, or suppliers, and during internal audits,

  For more information, have a look at the advice answers

  Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/

  Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/

  The ISO 17025 document template: Registry of Key Risks and Opportunities, is available for as part of the toolkit for preview and purchase separately too at  https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/

• Disaster Recovery and Business Continuity Testing

  Considering the most used standards for these topics (ISO 27001 for information security and ISO 22301 for business continuity), these standards do not prescribe how often testing and exercises should be taken.

  To comply with these standards, you need to perform a risk assessment and identify applicable legal requirements to define the proper frequency for these testing and exercises.

  In case your risk assessment and requirements do not provide a proper reference, you can try starting with these suggestions:

  • testing backups and sequel databases - e.g., once a quarter
  • BC testing and exercises - e.g., once a year

  For further information, see:

  • Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
  • How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

  • Clarification on ISO 27001:2022 certification

    1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

    Due to the size of your company (around 60 employees), unless you have specific requirements for this cloud-based platform to have its own certification (e.g., a law or contract with a customer), the best approach is to consider a single implementation covering all the organization, because, for companies of this size, the effort to separate what is included in the ISMS scope from what is not included is not worthy.

    For further information, see:

    • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    2 - If they were to be separate, how would this even be managed in Conformio?

    In case you have a need for the platform to be in a separate implementation/certification, you can create two regular Conformio accounts (one for each instance you want to certify) and do a separate certification for both. As separated accounts, it is not possible to share documents or data to manage both implementations in an integrated form. 

  • Preventive action

    Basically, it can be both. But, in my opinion, it is better to be preventive action.