  • Performing risk assessment and risk treatment

    General steps for risk assessment and treatment are:

    • Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
    • Risk analysis (i.e., the definition of risk value, considering any already implemented controls)
    • Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
    • Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

    Considering your scenario, and the asset-threat-vulnerability approach, we would have as an example:
    - Risk identification: assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), threat (power failure), vulnerability (lack of power generator), and implemented control (UPS)
    - Risk analysis: without any emergency power supply, your operations will run as long as the charge of your UPSs lasts before the normal power supply is recovered, so the risk of operational disruption will increase with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for the normal power supply to be reestablished).
    - Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid)
    - Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.

    Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored in the notebook.

    This material will provide you further explanation about risk assessment and treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and treatment:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • ISO 27001 - what to do after certification

    1. Just a quick question. After you go through all the steps in ISO 27001, and after you get the recertification, do you need to redo a risk assessment every year? Or do you just follow up on the risks?

    For ISO 27001, it is mandatory that risk assessment be performed at planned intervals, or when significant changes (i.e., related to defined criteria to perform risk assessment) are proposed or occur. Considering that, you cannot just follow up on identified risks, but you have to perform at least one risk assessment between the audits planned by your certification body. For example, if your surveillance audits are annual, then you have to perform at least one risk assessment per year.

    2. And risk-wise, do you do a threat modeling/profiling to better capture risks or what would you recommend?

    Threat modeling/profiling is a good approach to help identify risks, but please note it is not mandatory for ISO 27001, so you should consider the costs and benefits of such an approach for each risk assessment you perform (e.g., for a big and complex risk assessment it may be useful, but for a smaller-scope risk assessment a simple brainstorming technique may be simpler and obtain quite good results).

    3. And finally, what would you recommend to do yearly (and plan yearly) so that the certificate is kept in good health? Thank you very much in advance, any help is indeed greatly appreciated.

    One of the main advantages of a management system is that it already defines what must be done to keep the system up and running. The main points to be performed are:
    - risk assessment and treatment
    - awareness and training
    - monitoring, measurement, analysis, and evaluation of controls and security objectives
    - internal audit
    - management review

    By performing these activities, you will be aware of which corrections and improvements are needed and the priority they need to have to ensure the ISMS is continuously compliant and achieving its objectives.

    These articles will provide you further explanation about these topics:
    - How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/

    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

  • Documents implementation

    1. As part of the ISMS implementation, do we have to have all the Advisera templates read and understood by all colleagues in the organization after filling in the templates, or only the Information Security Policy document?

    First, it is important to note that not all templates need to be implemented; only those identified as mandatory by the standard, and those related to controls identified as applicable according to the risk assessment results, need to be implemented (you can see which files these are in the List of Documents file included in your toolkit).

    Considering that, individual people need to read only the documents that are relevant to them, i.e., all employees in the organization do not need to read all documents.

    This article will provide you further information about documents to be implemented:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    2. In every document, it is mentioned that “Users of this document are [job title].” So should we mention here the concerned approver or the person (e.g., the CISO, or all users in the department)?

    Please note that every time a document mentions “Users of this document are [job title].” you need to identify the person(s) or role(s) who need to know the document to perform an information security related activity. So the information here will vary from case to case.

    For example, for the Information Security Policy, all personnel in the scope are users of this document. For the backup policy, it can be restricted to IT staff, and the management review may be limited to top and senior management personnel.

    This article will provide you further explanation about documenting responsibilities:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  • Compliancy officer, DPO, and CISO

    Considering these definitions:
    - Compliance officer: professionally responsible for ensuring that all requirements (e.g., statutory, legal, contractual, etc.), internal and external, are fulfilled.
    - Data Protection Officer: professionally responsible for the protection of data.
    - Chief Information Security Officer: a senior-level executive responsible for an organization's information and data security.

    In this scenario, the compliance officer has a broader scope of work. He has to work with ALL internal and external requirements (information security requirements are only part of the business).

    The DPO and CISO work more closely but from different points of view. While the DPO focus is to ensure data is protected, the CISO must also balance the need for data protection with business objectives, strategies, and available resources.

  • Handling assets

    In case an inventory of assets is applicable to your organization, ISO 27001 does not prescribe how you must handle assets, so you can group them in whatever way best fits your organization's needs.

    For example, you can group your servers if they have similar characteristics, or share similar risks.

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Applicable ISO 9001:2015 clause

    I don’t have enough information about what you consider a project. A project can be about design and development of a new product or service, and a project can be about product realization like a building.

    If the project is about design and development, monitoring delays can be used as a way of monitoring and controlling project evolution. In that case we are talking about clause 8.3.4 b) (project review activities), and 8.3.4 f) states the need to keep records of project review activities.

    If the project is about product realization, clause 8.5.1 a) 2) can be related to the results to be obtained with the project (quality, cost, and delivery). Clause 9.1.1 (last paragraph) requires keeping records to evidence results.

    The following materials will provide you more information about mandatory records:

    - Article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Processes and records for CE purposes

    1. So if I understand correctly, the auditor will also need to audit the relevant processes at our external foreign production facility, as part of our ISO 13485 certification process?

    Yes, you understood it correctly - the auditor will also need to audit the relevant processes at your external foreign production facility, as part of your ISO 13485 certification process. When it comes to the manufacture of medical devices, production must be audited during the audit, regardless of whether the production takes place within the company or is outsourced.

    2. How would this relate to the fact that these exact processes are already ISO 13485 certified processes? Would this help in any way? Could the auditor (partly) rely on this?

    According to the definition of manufacturer in ISO 13485:2016 (3.10): natural or legal person with responsibility for design and/or manufacture of a medical device...; whether or not such a medical device is designed and/or manufactured by that person himself or on his behalf by another person(s). No matter that your manufacturing process is outsourced, it is your responsibility and needs to be audited as your process. The fact that this company is ISO 13485 certified only helps them as much as they know what to expect during the audit.

  • ISO standard for physical security

    I'm assuming you are referring to an ISO standard for physical security. Considering that, please note that physical security is a broad topic (e.g., from the protection of facilities to the protection of credit card readers), so without further detail it is not possible to give you a more precise answer.

    What I can tell you is that most ISO standards related to physical security are related to Information Technology (e.g., ISO/IEC TS 30104:2015 Information Technology — Security Techniques — Physical Security Attacks, Mitigation Techniques, and Security Requirement; ISO/IEC TS 22237-6:2018 Information technology — Data center facilities and infrastructures — Part 6: Security systems; and ISO/IEC NP 24383 Information technology — Physical network security for the accommodation of customer premises cabling infrastructure and information technology equipment).

    On this ISO site, you can make a more detailed search according to your needs: https://www.iso.org/search.html?q=physical%20security&hPP=10&idx=all_en&p=0&hFR%5Bcategory%5D%5B0%5D=standard

    These articles will provide you further explanation about physical security and ISO 27001:
    - Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

  • Customer feedback

    For the European market, there are guidelines from the European Commission at the following link:

    https://ec.europa.eu/growth/content/draft-guide-distribution-medical-devices-including-vitro-diagnostic-medical-devices_en

    For the American market, please follow the guidelines from the FDA at the following link:

    https://www.fda.gov/medical-devices/device-registration-and-listing/who-must-register-list-and-pay-fee

  • ISO 9001 for R&D

    Who decides the product specification, the supplier, the customer, or a co-creation? If the supplier decides the final product specification, clause 8.3 applies.

    If the customer defines the final product specification, clause 8.3 does not apply. Although the question about development remains (what raw materials to use, what production process to use, what process parameters to follow, what process control to follow, and what quality control to follow).

    The following material will provide you information about applicability of clauses:

    - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
