Consider this article, Questions to successfully perform ISO 14001 top management audit - https://advisera.com/14001academy/blog/2019/06/17/iso-14001-top-management-audit-what-questions-to-ask/ as a good start to thinking about an approach to develop a checklist regarding top management.
About leadership – think about questions regarding environmental policy, environmental objectives, and action plans to achieve them. Think about questions regarding management review and system effectiveness.
About environmental aspects – does top management have an idea of what the main significant environmental aspects and impacts are, and how they relate to the environmental policy?
About risks and opportunities – you can always ask if top management knows about the main risks and opportunities, what was done to act upon those risks and opportunities, and if those actions were effective.
1. Every information security policy must have at least one procedure associated with it.
ISO 27001 does not specify that you need to have procedures related to policies, nor does it specify what kind of policies and procedures to write. Our recommendation for smaller companies is to use a minimum number of policies and procedures to avoid overhead.
For further information, see:
2. Can security policies and procedures be written in the same document or should they be separate documents?
ISO 27001 does not prescribe how policies and procedures must be documented, so organizations can develop them as best fit their needs.
Considering that, policies and procedures can be part of the same document, but you have to take care not to create a document that is too big or complex to use or maintain. In such cases, it is best to keep policies and procedures as separate documents.
For further information, see:
3. Should the strategic information security policies be in a separate document from the technical information security policies? Or can they be in the same document?
Strategic and technical information generally have different audiences (e.g., strategic information for top management, and technical information for operational staff), so while you can have both types of information in the same document, in general they are developed as separate documents.
4. What is the difference between policies, standards, and procedures?
A policy defines a certain intention and gives direction (e.g., Information Security Policy), whereas a standard specifies a standardized way of doing something (e.g., ISO 27001 specifies how to manage information security).
As for a procedure, it defines the steps required for performing an action (e.g., a backup procedure defines the steps to back up information).
5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/position that is part of the information technology area?
ISO 27001 does not prescribe who should be responsible for information security, so organizations can designate this person as best fit their needs.
So, this person may or may not be part of the information technology area; either option is acceptable.
For further information, see:
6. Can the technology leader also be responsible for information security?
This role can also be an alternative for the person responsible for information security.
7. Do you have any template of how to write a strategic information security plan?
Please note that ISO 27001 does not require a strategic information security plan to be developed. A similar high-level document compliant with ISO 27001 is the Information Security Policy, located in the folder General policies in your toolkit.
For further information, see:
8. Can you send me examples of Major nonconformities and minor nonconformities?
First, it is important to note that major nonconformities and minor nonconformities are commonly used only in certification audits. Internal audits do not require the application of such classifications.
Examples of minor non-conformities: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc.
Examples of major non-conformities: management review not performed, and a minor non-conformity not being resolved within the defined deadline.
For further information, see:
9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?
Please note that ISO 27001 does not prescribe who must perform vulnerability tests, so both alternatives are accepted by the standard.
10. Is an information security incident the materialization of a security risk?
Your assumption is correct.
Risk refers to the probability of something negatively affecting information.
An information security incident means that something in fact negatively affected the business or information which should be protected.
11. What is the difference between an information security event, an information security incident and an information security risk?
An event refers to something that happened that is relevant to be recorded, but you are not sure it negatively impacted information security.
An incident refers to something that happened and that in fact has negatively affected information security.
Risk refers to the probability of something happening and negatively impacting information security.
For further information, see:
For additional support, we suggest these materials:
When you are accessing data of a data subject on LinkedIn, you are processing that individual’s personal data, and according to Article 6 – Lawfulness of processing – you need at least one legal ground for processing: consent, contractual obligation, legal obligation, vital interest, public interest, or legitimate interest. If that person is contacted using the LinkedIn platform’s features, such as Add Connection, InMail, or Messaging, you don’t need the data subject’s consent for processing, as that person already accepted LinkedIn’s Terms and Conditions, which allow that person to be contacted (if he/she didn’t modify the privacy preferences in the account). However, if you download/archive a person’s data from LinkedIn, you need another legal ground for the processing. It can be consent, but you need to obtain that person’s consent BEFORE you download/archive his/her data from LinkedIn.
Please also consult these resources:
Hi Dejan,
Regarding this article:
1 - What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)
I assume you are asking about ISO 27001 sections and Annex A. Annex A lists all the 93 controls, and they are divided into 4 sections (Organizational, People, Physical, and Technological controls).
2 - ISO 27001 has 114 controls in Annex A - ISO 27002-2022 now has only 93, down from 114 - does/how does this affect the controls in 27001 Annex A - i.e. will they now be 93, not 114?
Your assumption is correct. Released in October 2022, ISO 27001:2022 Annex A now has only 93 controls, aligning this standard with ISO 27002:2022.
3 - So will ISO 27001 become ISO 27002?
ISO 27001 will not become ISO 27002. They have different purposes.
Please note that ISO 27001 is the standard that provides requirements for the implementation of an Information Security Management System (ISMS), while ISO 27002 is a complementary standard, which provides guidance to implement controls defined in ISO 27001:2022 Annex A. Additionally, ISO 27002 is not mandatory to implement ISO 27001 requirements.
For further information, see:
4 - Also, in reality, how would a small company deal with the following: A.5.7 Threat Intelligence - gather information and analyse it? (interpret) Could this be outsourced to AV/MDR or something else?
To implement control A.5.7 Threat Intelligence, a company should consider gathering information internally (e.g., from logs of internal systems, incident reports, etc.), as well as from external sources (e.g., vendor reports, government agency announcements, etc.).
ISO 27001 does not prescribe that the organization needs to perform this information gathering by itself, so outsourcing this activity is an acceptable option.
For further information, see:
Thank you.
For this conversion you need a map identifying:
This paper can help you with the new IDs:
This tool can also help you:
Controls from the 2022 version of ISO 27001 can already be implemented. Most of the controls did not change, so the most significant upgrades will be related to the need to implement the 11 new controls, and these will only be necessary in cases where there are relevant risks or applicable legal requirements demanding their implementation.
For further information, see:
It’s not our policy to make recommendations about external tools.
In terms of Advisera products for ISO 27001 implementation we can mention:
- ISO 27001 documentation toolkit, a set of document templates you can use to implement the standard
- Conformio, a cloud-based software solution that can help you implement and operate an Information Security Management System compliant with ISO 27001.
For further information, see:
Please note that at the beginning of section 3 Change management, you can adapt the following text:
“Each change to operational or production systems must be made in the following way:” replacing “change to operational or production systems” with the scope of change you want to cover, like:
“Each change to software, virtual machines, and technological and development environments must be made in the following way:”
In case you need to write a more detailed document, e.g., for including specific activities for each type of change, you can schedule a meeting with one of our experts so he can help you develop the document. To schedule a meeting please access this link: https://advisera.com/contact/
For further information, see: