Search results


  • Information security risk management and internal audit

    1. I purchased your Risk Assessment Table and Risk Treatment Table. I have completed this phase of the planning for our ISO certification. Now, once I have filled out the Excel spreadsheets, does that count as my "Risk Report" for purposes of satisfying the mandatory document for the certification audit?
    My next step is the SOA, correct?

    First, it is important to note that a "Risk Report" is not a mandatory document for ISO 27001. The standard requires retention of some documents as evidence that risk assessment and treatment were performed, and for that purpose the Risk Assessment Table, the Risk Treatment Table, the Statement of Applicability (yes, this is the next step of the risk assessment and treatment process), and the Risk Treatment Plan are enough.

    This article will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    2. What course do you recommend so I can be prepared to do an internal audit and improvement for the ISMS for my company?

    As a course for internal audit, I suggest you take a look at our ISO 27001:2013 Internal Auditor Course at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

    In this online course, you’ll learn all the requirements and best practices of ISO 27001, but also how to perform an internal audit in your company. The course is made for beginners. No prior knowledge in information security and ISO standards is needed.

  • ISO/TS 29001 in addition to ISO 9001

    The main advantage of ISO/TS 29001 is that it includes specific requirements of the petroleum industry. ISO 9001 has general requirements, but ISO/TS 29001 includes specific requirements relevant for the industry and its risks.

  • QMS for medical devices

    Thanks, Carlos

  • Difference between ISO 9001 and ISO 17025

    ISO 9001 is about implementing a quality management system and is applicable to any kind of organization. Quality management systems can be certified by a certification body.

    ISO 17025 is about “General laboratory competency of testing calibration requirements” and is applicable to laboratories that produce results, like the composition of a sample, that can be used in a court of law. The main concern of ISO 17025 is the competent, impartial, and consistent operation of laboratories. ISO 17025 is mainly used by calibration laboratories. Laboratories are accredited by an accreditation body.

    The following material will provide you with more information about ISO 17025:

    - What is ISO 17025? - https://advisera.com/17025academy/what-is-iso-17025/
    - Please check our ISO/IEC 17025 Blog - https://advisera.com/17025academy/blog/
    - Download free ISO/IEC 17025 materials - https://advisera.com/17025academy/free-downloads/

  • Expanding scope

    It is possible to include this new part of the scope in the surveillance audit for year 2, provided that you inform your certification body of this change in due time, and that the new part of the scope fulfills all requirements of the standard and the risks related to integrating this new scope to the current one are assessed and treated as necessary.

  • Data capacity and information security

    A lack of capacity in an asset (e.g., equipment, media, service, etc.) to store, process and/or transmit data directly affects the concept of information availability. This impact on availability can occur when an asset is destroyed, has an unplanned stop, or when it is required beyond the limit to which it can be used.

    Capacity of an asset has no direct impact on integrity and confidentiality.

    For further information, please read:
    - Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/
    - Can ISO 27001 help your organization in a DDoS attack? https://advisera.com/27001academy/blog/2017/12/04/can-iso-27001-help-your-organization-in-a-ddos-attack/

  • Evidence for Product realization

    Yes, you do need to provide evidence for this section 7, but only for those sections that are applicable to your company. Therefore, for each section that is not applicable to you, you can state that in your Quality Manual. For example, section 7.5.2 Cleanliness of product is probably not applicable, as are 7.5.5 Particular requirements for sterile medical devices, 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems, and 7.5.9.2 Particular requirements for implantable medical devices. For each of these sections you need to provide justification for why it is not applicable. For example, you can state "7.5.2 Cleanliness of product is not applicable since we do not produce any product" or "7.5.5 Particular requirements for sterile medical devices is not applicable since we do not produce sterile medical devices."

  • Threats to network assets

    Some common threats related to network equipment like routers, core switches, and firewalls are:

    • Access to the network equipment by unauthorized persons
    • Damages resulting from penetration testing
    • Errors in maintenance
    • Malfunction of equipment

    This article will provide you further examples of applicable threats:
    Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

  • SHEQ

    Thank you very much. This was a confirmation for me.

  • Quality objectives and Internal and External Risks

    1. How to submit to our dept/unit (Human Resources) the quality objectives?

    Your organization defined some quality objectives and you need to deploy them to the HR department. I would start with a presentation from top management communicating to everyone what the quality objectives are and why they are important for all. Then, I would meet the HR manager to work with him or her around the question: how can the HR team contribute to meeting these objectives? For example, a quality objective like "Reduce delivery delays by ..." may be helped by reducing absenteeism. Can HR assume a departmental objective to reduce absenteeism? If that is the case, do not forget to include how much the organization saves (or does not lose) by reducing delivery delays and absenteeism.

    2. How to submit to our dept/unit (Human Resources) the internal & external risks that can affect the intended objectives of the dept/unit quality management system?

    Start with the intended objectives; I always recommend starting from there when determining risks and opportunities. What can be seen as a source of friction against meeting the objectives? Those are the risks.

    What could undermine your intention of reducing absenteeism? You can call a team together and hold a brainstorming session, perhaps using a cause-effect diagram to develop a list of possible risks.

    After listing those risks, evaluate them.

    The following material will provide you with more information about quality objectives and risks:

    - Article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/

    - Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    - Article - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/

    - Free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//

    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
