
  • Evidencing requirements

    The customer has a very small organization, with an IT organization of 5 people. Almost all IT services are outsourced using Google Cloud.
    1 - What is the best way to deal with controls like logging, capacity management, cabling security, monitoring system use, etc.? All the measures associated with this control are followed up by the supplier. Our customer does not know exactly how Google Cloud has implemented the measures for this control. Google Cloud is ISO 27001 certified.

    Answer: The best way to handle controls managed by suppliers is by means of information security clauses in contracts or service agreements, where these clauses enforce the level of protection you expect from the supplier.

    For more information, see:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    2 - My question is: Is it necessary to explain how these controls are implemented by Google, or is a more general reference, for example a reference to the certification of Google Cloud, sufficient?

    Answer: Since your customer is participating in a government tender, you have to consider the tender's rules to identify which level of detail is required to fulfill the tender process. In other words, if the tender rules require you to explain how the controls are implemented, then referencing Google's certification is not going to be enough.
  • Filling SoA


    Answer:

    In this case (when you have a large number of risks to refer to in the SoA) I suggest you list in the SoA only the IDs of the 3 or 4 most critical risks related to this control and indicate the number of other risks that justify the application of this control, which can be found in the results of the risk assessment. See this example:
    "Risks #3, #18, #27, and 23 other risks that can be found in the results of risk assessment."
  • Improvement targets and budget targets


    Answer
    I agree with your organization’s approach. One target is for the budget and has to be communicated to Finance. The other target is for internal use to guide an improvement project. There is no guarantee that the improvement target will be attained. When the budget is prepared, the organization sometimes has no idea about what should be done to meet the improvement target.

    The following material will provide you with more information about quality objectives:
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 and fertility centers


    Answer
    Yes, ISO 9001 is applicable to fertility centers. ISO 9001 is applicable to any activity, both public and private.

    The following material will provide you with more information about ISO 9001 applicability:
    - ISO 9001 Requirements and Structure - https://advisera.com/9001academy/knowledgebase/iso-9001-requirements-and-structure/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Scope definition


    (1 - I hope you are very well. I am writing because the company where I am currently working wants to be certified in 27001, but only wants to certify a "product", which is electronic invoicing. I wanted to know if this is possible, since I am confused about how to delimit the scope of the ISMS and the information security policy: would the policy exclude the other processes and areas of the company?

    Answer:

    First, it is important to note that ISO 27001 does not certify "products", only processes. So in your case the certification would be related to the electronic invoicing process.

    Regarding scope definition, you can limit the scope to any size you want, and you can exclude processes, locations or business units you think should be left outside the scope.

    2 - And, due to cost issues, would it also be less beneficial, since the cost would increase when you want to certify the other processes of the company?)

    Answer:

    The smaller the scope, the smaller the certification costs will be. In fact, including processes you do not want to certify now will increase the costs of certification (many certification bodies use the total number of personnel involved in the scope to define the required days for the certification, which directly impacts certification costs).

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  • Complaining to the certification body

    My reason for asking is that I have an example where a company has flouted almost every rule in terms of, say, a dismissal or redundancy. Should this be brought to the attention of the body that appointed them for this standard, as clearly the requirements are not being met?

    Answer
    Although there is no explicit HR policy, a certified organization must comply with the requirements of HR-related clauses. For example, clause 7.1.4 on the environment for the operation of processes addresses both physical and human factors. Among the human factors, the standard mentions in a note social and psychological factors, which may frame the concerns you expressed.
    Anyone who feels that an organization, while certified, is not meeting the requirements of the standard can always formally complain to the certification body that issued the certificate.
  • Filling SoA justification


    Answer:

    In fact, entering all the risks from the risk treatment table in the SoA is not the best way to justify applicable controls. What you can do is include only the risk IDs of the risks related to control A.12.6.1, according to your risk treatment table. For example, you could write "Risk 001, 003, and 023".
  • Record of Processing


    Answer:

    Article 30(5) of the GDPR provides an exemption that allows companies to avoid Article 30 record-keeping obligations provided that the processing is (i) only occasional; (ii) the processing is not considered a risk to the rights and freedoms of the data subjects; and (iii) the processing is not of ‘Special Categories of Data’ (Article 9.1) or personal data relating to criminal convictions and offences.

    So unless you fall under the exemptions above, you need to create an Inventory of Processing Activities, or ROP as you called it.
  • Filling asset inventory


    Answer:

    First, it is important to note that both approaches are acceptable, but to keep your inventory less complex we recommend you list only the highest impact associated with an asset.
  • ISO 27001-2019


    Answer: First of all, sorry for this situation. In the future if you want to contact us please use this e-mail: support@advisera.com

    With this email you can either post a question or schedule a meeting with one of our consultants.

    Second, the reason for my inquiry is that I just found out about the ISO/IEC 27001:2019 version and was wondering how this will affect our current initiative. To be honest, we are still very much at the beginning, and I think that it would definitely be best to move forward with the latest version of the standard rather than continue with the 2013 version. I just started reading and am trying to find what differences there may be between the 2 versions, but if you can provide that comparison and tell us your thoughts about how you think we should progress, that would be very much appreciated.

    Answer: Please note that ISO 27001:2013 was indeed reviewed in 2019, but it was confirmed as the current standard, so no changes will be required for those organizations already certified, or in the process of certification against this version of the standard (the version of the current standard will still be 2013, not 2019). For more information, please access this link: https://www.iso.org/standard/54534.html