First it is important to note that this impediment is not absolute. If your organization's Information Classification Policy defines the use of encryption with central key management as a general solution for all information classification levels, then the IT department can implement it as you described.
The use of encryption solutions must be considered wisely because it can have some potential restrictions or negative consequences, e.g., in some countries the usage of encryption is regulated by law; also, if an employee leaves the company and all his data is locked on an encrypted disk, then the company cannot access this data.
1 - Should the asset owner also apply controls to mitigate this risk, or does the application of the controls disappear at the moment the risk is transferred?
2 - Can I transfer the risk to a third party and, at the same time, decide to apply my own controls for these critical servers?
(In the risk analysis, if it is decided to transfer the risk of some assets to a third party with whom there is a maintenance contract. For example, it is decided to transfer the risk of a very critical set of servers to the maintenance company.
1 - Should the owner of the asset also apply controls to mitigate this risk, or, at the time of transferring the risk, does the application of the controls disappear?
Answer: First it is important to note that if you adopt the option to transfer the risks, the application of controls does not disappear, only the implementation method changes from your own implementation to "implemented by third-party".
Considering that, once risks are transferred to the third-party, the asset owner should also consider the application of controls from section A.15.1 Information security in supplier relationships, to ensure the existence of contracts or agreements to enforce the proper treatment of the transferred risks.
2 - Can I transfer the risk to a third party and, at the same time, decide to apply my own controls for these critical servers?)
Answer: In theory you can do that, but it does not make much sense, since you are contracting someone just to protect your servers. Additionally, these controls applied in parallel may interfere with each other and reduce overall server security or performance.
Integrating ISO 14001 & ISO 45001 into ISO 9001
Answer:
As you have indicated, many of the processes are similar between the three standards, such as internal audit and management review, so creating an integrated management system does not add three times the work. The main processes to add onto the ISO 9001:2015 QMS would be:
For ISO 14001:2015 EMS, environmental aspect and impact assessment (how the company interacts and affects the environment), determining environmental legal requirements and compliance and preparation for emergency response.
For ISO 45001:2018 OHSMS, consultation and participation of workers, hazard identification and assessment, OH&S determining legal requirements and compliance, elimination of hazards, preparation for emergency response and the addition of incident investigation into the corrective action process.
Answer:
The first thing to note is that ISO 45001:2018 does not require an OH&S manual, but you can choose to write one if you find this useful to collect your information. So, it is not a requirement to go through everything in the standard and say how you do it. The three main topics you are asking about cover the following sub-clauses in the standard:
Support – This clause talks about how you identify resources for the OHSMS, define and ensure competence for activities, raise awareness of the OHSMS, communicate both internally and externally and how you manage your documents and records.
Operation – This clause talks about controlling your operations through hazard elimination and reducing risks, managing change and ensuring that necessary OH&S information is part of your procurement activities. Further you need to plan for potential emergencies.
Performance evaluation – This clause talks about how you monitor and measure processes, perform internal audit, and conduct management review of the OHSMS.
CCTV camera and video recorder
risk owner: the person responsible for maintenance
asset owner: the IT manager
But: we want to transfer the risk to an external company that will also be responsible for daily maintenance, and we will apply the subsequent controls.
Can you confirm whether it is possible to do it this way with some assets?
(Hello, I have a doubt in the risk analysis. Can I have 1 asset with 1 risk owner, other than the asset owner, and then also transfer the risk of this asset to a third party? For example:
CCTV camera and video recorder
risk owner: the person responsible for maintenance
asset owner: the IT manager
But: we want to transfer the risk to an external company that will also be responsible for daily maintenance, and we will apply the subsequent controls.
Can you confirm if it is possible to do it this way with some assets?)
Answer:
Your assumption is correct. You can have the risk owner as a different person from the asset owner, and transferring the risk is an acceptable risk treatment option.
Well, in our company we have our own and external applications hosted in our data center (CPD), but we also use others as cloud services. My question is: Are these cloud applications used as services within the scope of the ISMS? I think so, because they are involved in the company's processes, but I need your opinion.
Another question: in section 3 of the access control policy you have established user profiles and rights in the template:
Are these systems each and every application within the scope of the ISMS, or are they processes (where more than one application may be used)?
(Before I ask you a question, I will put you in a situation: My company previously carried out a risk analysis, for which we have said analysis and the Statement of Applicability (apply everything). To advance in the objective of obtaining ISO 27001 certification, a person responsible for legal compliance was incorporated into our company and has taken the lead to achieve this certification, analyzed the data mentioned above and asked IT for security policies (this is the reason for the acquisition of the templates: the creation of our policies based on these templates).
1 - Well, in our company we have our own and external applications hosted in our CPD, but we also use others as cloud services. My question is: Are these cloud applications used as services within the scope of the ISMS? I think so because they are involved in the company's processes, but I need your opinion.
Answer:
If these cloud applications store or process information you want the ISMS to protect, then you have to include them in the ISMS scope.
2 - Another question: in section 3 of the access control policy you have established user profiles and rights in the template. Are these systems each and every application within the scope of the ISMS, or are they processes (where there may be more than one application used)?)
Answer:
The access profiles refer not only to systems, but also to networks and facilities included in the ISMS scope. Please note that you should consider each profile covering as many elements as possible so you do not end up with a great number of profiles to manage.
ISO 27001 Objective measurement document
Hi @PiersAnderson, I have sent you more information about the upgrade options directly at your email address. Thank you.
Purchasing and supplier evaluation
Answer:
Indeed, in that case an evaluation of that supplier would not be needed. However, you should also think about the other types of suppliers your company has if the scope of the management system covers the whole organization. For example, delivery service providers, office supplies providers, suppliers related to software and hardware, etc. Services your company subcontracts would also be included, for example an HR company for staff recruitment, a company that designs or manages your website, etc. So you most likely do need this supplier evaluation document.
Answer: ISO requirements for document control refer to:
- documented information required by the Standard (e.g., results of risk assessment and treatment, internal audit program and reports, etc.)
- documented information determined by the organization as necessary for the ISMS
Considering that, for the organization's documents you must include only those related to the ISMS scope, i.e., the information you want to protect, and this most likely won't mean all information, either because it would be too expensive to protect all of it, or because of the different values it has to the business.
This article will provide you with further explanation about document control:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
This material will also help you regarding document control:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/