Search results

Impact level in specification of security requirements

In this case, you have two options:

1 - Use the worst-case scenario for impact considering the threats and vulnerabilities in the category that is closest to the specific information system you want to determine the impact level for. For example, if you have a pair of threat and vulnerability with the highest level of risk and this one can be related to your specific information system, you use it as specification.

2 - Add this individual information system as a specific asset and identify specific threats and vulnerabilities for this information system and use them as specification of security requirements.

Please note that one criterion to choose the proper approach will depend on the criticality of these individual systems (the more critical, the more important is that this asset is considered individually instead of as part of a group). It will also depend on the type of risks related to the categories you have (sometimes useful risks can be identified from these general categories and you do not have to work on a specific asset).

Work instructions and processes

If you check the list of mandatory documentation - List of mandatory documents in AS9100 Rev D - https://advisera.com/9100academy/knowledgebase/list-of-mandatory-documents-in-as9100-rev-d/ you will see that only a few procedures are required. However, I recommend, and most organizations do it, having a set of procedures that describe: What is done; By whom; and When.

When detailed information about how to do it is needed, we use Work Instructions.

There is no universal standard way for writing Work Instructions. You can use:

- Written text;
- Drawings and diagrams like used with furniture mounting instructions;
- Sets of photos or pictures like in a comic book;
- Short movies explaining and showing how to do it;
- A mix of the above approaches.
 

Work Instructions should be written with effectiveness in mind. Will people understand and use it when needed? And when used will they be easy to understand? 

I try to avoid lengthy Work Instructions because people will, probably not use them.

The following material will provide you more information about documentation:

- Article - AS9100 Rev D vs. Rev C: What has changed? - https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/
- AS9100 Knowledge base - https://advisera.com/9100academy/knowledgebase/
- Book - Applying AS9100 Rev D - https://advisera.com/books/applying-as9100-rev-d/

ISMS scope change

1. If a company has been ISO27001 certified over the last couple of years and the scope is for say Datacenter facility Mgt/Infra/Network Services, Managed Security Services, Operations Support - covering server, Helpdesk, etc and now due to changes in the organization, say, one of the area MSS has been moved to a centralized function under their regional HQ, is the existing ISO27001 certification still valid?

The ISO 27001 certification would be still valid for the scope that remains under control of the company (i.e., the MSS would not be part of the ISMS scope anymore). This change in the ISMS scope needs to be need to informed to the certification body.

2. If not why? If yes, why?

A change in the ISMS scope is something expected during a certification life cycle and this situation does not make it invalid, provided that the new scope still fulfills all requirements of the standard.

3. What can be done to minimize a recertification?

Since the certificate is still valid, there is no need for recertification.

4. Can a surveillance audit still proceeds?

The surveillance audits can proceed normally. You only have to inform this situation to the certification body so they can review the surveillance audit schedule. In this situation, you have to evaluate the impacts of the change in the scope and make proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).

Please note that one adjustment is also to create an agreement with the new "provider" of the MSS, i.e. the regional HQ. 

Roles and responsibilities for infosec management

First of all, sorry for this confusion.

Top-level information security roles and responsibilities are defined in the Information Security Policy.

Specific roles and responsibilities for information security are defined in each template, considering activities to be performed (i.e., there is no central document specifying these ones). The parts in a template where you can find roles can be identified by a text like "[jobtitle]". For example, in the Backup policy, you have "[jobtitle] is responsible to perform backup restore."

ISO 27001 does not prescribe which roles and responsibilities must be performed, so an organization is free to define the framework that best suits it (e.g, by creating new roles, or designating information security responsibilities to already existing roles.

These articles will provide you further explanation about roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

ISO 9001 and corporate office audit

If there are processes relevant for the scope of the quality management system performed by your corporate office, they have to be audited too. Some organizations agree with their certification body and, on the day of the audit, people from headquarters come to the production site to be audited there, they bring documentation and have access to the digital information. So, in your case, your organization can evaluate what is better, and communicate that to your certification body.

The following material will provide you more information about certification audits:

- How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/- What questions to expect on the ISO 9001 certification audit - https://advisera.com/9001academy/blog/2016/04/19/what-questions-to-expect-on-the-iso-9001-certification-audit/- Enroll for free in the course - ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/- Book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

GDPR and security measures

You are the best, thank you! 

ISO 17025 and HLS

ISO 17025 is not required to be consistent with the ISO High Level Structure (HLS), as the standard is not classified by ISO as an ISO Management System Standard (MSS). The scope of an ISO management system standard is to specify requirements (repeatable steps) for a quality management system, whereas ISO 17025 is an ISO standard providing general requirements for the competency of laboratories; prepared by CASCO, the ISO Committee on conformity assessment. Laboratories use the guidelines and incorporate them into their overall management system.

ISO 9001, along with other ISO Management System standards, such as ISO 14001, are applicable to a wide range of businesses. They are therefore required to have a common framework, the ISO High Level Structure (HLS). This facilitates easier integration between systems of different disciplines.

This article has some information on the ISO Directive around the HLS, so may be of interest to you - “Has the PDCA Cycle been removed from the new ISO standards?” https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/

ISMS implementation

1. We are initiating an implementation project of an ISMS, it was decided to work with internal staff, our question is whether with the "Premium Package of documents on ISO 27001 and ISO 22301", is it enough to implement an ISMS without having previous experience?

Our toolkits focus on customers with little to no previous knowledge of ISO 27001, so, considering the access to our knowledge base, video tutorials, and consultation through email or live meetings, you have all the support you will need to implement an ISO 27001 ISMS with your own personnel.

For further information, please see:
- How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

2. Are there any certifications to be an ISO 27001 auditor? which would you recommend us?

There are two types of ISO 27001 certification for Auditors:
- ISO 27001 Internal Auditor - this certification recognizes competence for a person to audit his own organization
- ISO 27001 Lead Auditor - this certification recognizes competence for a person to audit on behalf of an certification body

At this point, the Internal Auditor certification would be sufficient for your needs

These articles will provide you further explanation about internal audit:
- ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

Regarding a course, please take a look at this suggestion:
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Certificación y objetivos de calidad

Respecto a la Política de Calidad - En este enlace tiene acceso a la vista previa de nuestra plantilla de Política de Calidad: https://advisera.com/9001academy/es/documentation/politica-de-calidad/

La política de calidad debe de cumplir con lo siguiente:
- Ser apropiada al propósito y contexto de la organización, y que esté alineada con la dirección estratégica de la organización.
- Que proporcione el marco de referencia para el establecimiento de los objetivos de calidad
- Que incluya un compromiso de cumplimiento con los requisitos que sean aplicables a su SGC 
- Que contenga el compromiso con la mejora continua del SGC

En estos artículos puede encontrar más información sobre la política de calidad:

- How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
- How does the ISO 9001:2015 revision affect the queality policy: https://advisera.com/9001academy/blog/2018/04/10/how-does-the-iso-90012015-revision-affect-the-quality-policy/

Con respecto a los objetivos de calidad - En este enlace tiene acceso a la vista previa de nuestra plantilla de Objetivos de Calidad: https://advisera.com/9001academy/es/documentation/objetivos-de-calidad/

En general los objetivos de calidad deben de ser SMART, por sus siglas en inglés:
- Específicos:
- Medibles:
- Alcanzables:
- Realistas
- Basados en el tiempo

En este artículo puede encontrar más información de los objetivos de calidad - Cómo escribir buenos objetivos de calidad: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-escribir-buenos-objetivos-de-calidad/

Estos materiales pueden serle de ayuda para entender mejor la política de calidad y los objetivos de calidad:
- Inscríbase gratis en este curso -  Curso de Fundamentos de la nroma ISO 9001:2015 - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Libro – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/  

Raising a Non Conformity or Observation in Internal Audit

First, it is important to note that, considering ISO 19011, the standard used for auditing ISO management systems, audit findings can be conformity, nonconformity, opportunities for improvement, and recommendations (i.e., there is no definition for observation in the standard as an audit finding).

Considering that, an internal auditor also can raise a non-conformity for your ISMS even if you have passed a certification.

The difference between an NC and an observation is that for the second one you do not have enough evidence to support a non-conformity statement. In this situation, the internal auditor can make an observation to the organization so its staff can decide to work on an evaluation to identify if further work has to be done. It also can be used by another auditor in another audit to verify if the situation has evolved to a well-based non-conformity or not.

This course can give you further information about internal audit:
- ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/