Search results


  • ISO 27001 / ISO 22301 Implementation Project Plan

    Can you please explain more on the certification process after using your toolkit?

    Answer:

    This project plan is a guidance to make your challenge easier, but this document itself does not guarantee certification. You have to count on top management commitment, resources, and a competent and compromised project team to follow what is planned.
    Regarding the certification process, certification audits are conducted according to these stages:
    - Documentation review: at this stage the auditor checks if all mandatory policies, procedures, plans and records are in place.
    - Main audit: at this stage the auditor, by means of techniques such as observation, interviews and log review, checks if processes and personnel are performing according to what is documented. It is at the end of this stage that any identified non-compliance is raised.
    - Surveillance visits: once you get certified, you have to keep the system working during the three-year certification period. To ensure that, an auditor will come periodically to check if the system is in place and ask for adjustments when needed.

    These materials will provide you further explanation about the certification process:
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
  • Implementation support

    Also controls for ISO 27018 A.1.1, A.2.2, A.4.1, A.5.1, A.5.2, A.7.1, A.9.1, A.9.2, A.9.3, A.10.2, A.10.3, A.10.4, A.10.5, A.10.6, A.10.7, A.10.8, A.10.9, A.10.10, A.10.11, A.10.12, A.10.13, A.11.1, A.11.2.
    It would be great if you provide templates or dashboard. Looking forward to hearing from you.

    Answer:

    First it is important to note that for each template you have there is a specific version to be used with cloud environments (the version has the word "cloud" in the file name). The controls you want to implement are covered by the following templates you have:

    ISO 27017
    - CLD.6.3.1: Cloud Security Policy and Security Clauses for Clients, Suppliers and Partners
    - CLD.8.1.5: Supplier Security Policy and Security Clauses for Clients, Suppliers and Partners
    - CLD.9.5.1: Cloud Security Policy
    - CLD.9.5.2: Cloud Security Policy
    - CLD.12.4.5: Cloud Security Policy
    - CLD.13.1.4: Cloud Security Policy

    ISO 27018
    - A.1.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
    - A.2.2: Policy for Data Privacy in the Cloud
    - A.4.1: Specification of Information System Requirements
    - A.5.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
    - A.5.2: Policy for Data Privacy in the Cloud
    - A.7.1: Policy for Data Privacy in the Cloud
    - A.9.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
    - A.9.2: Procedure for Identification of Requirements, Information Security Policy, Cloud Security Policy, Policy for Data Privacy in the Cloud, Bring Your Own Device (BYOD) Policy, Security Procedures for IT Department, Change Management Policy, Secure Development Policy, and Supplier Security Policy
    - A.9.3: For this one you need the Information Transfer Policy template (https://advisera.com/27001academy/documentation/information-transfer-policy/)
    - A.10.2: Policy for Data Privacy in the Cloud
    - A.10.3: Security Clauses for Clients, Suppliers and Partners
    - A.10.4: Security Clauses for Clients, Suppliers and Partners, Information Transfer Policy template, and Security Procedures for IT Department
    - A.10.5: Security Clauses for Clients, Suppliers and Partners, Information Transfer Policy template, and Security Procedures for IT Department
    - A.10.6: Security Clauses for Clients, Suppliers and Partners, and Security Procedures for IT Department
    - A.10.7: For this one you need the Disposal and Destruction Policy template (https://advisera.com/27001academy/documentation/disposal-and-destruction-policy/)
    - A.10.8: For this one you need the Access Control Policy template (https://advisera.com/27001academy/documentation/access-control-policy/)
    - A.10.9: Access Control Policy
    - A.10.10: Access Control Policy
    - A.10.11: Security Clauses for Clients, Suppliers and Partners
    - A.10.12: Security Clauses for Clients, Suppliers and Partners
    - A.10.13: Disposal and Destruction Policy
    - A.11.1: Security Clauses for Clients, Suppliers and Partners, and Procedure for Identification of Requirements
    - A.11.2: Security Procedures for IT Department

    Additionally, the templates you bought include several comments that can help you customize your documents. When customizing the documents, if you have any specific doubt regarding how to make the customization, please contact us.

    Regarding the order in which to implement the documents, you can follow the order presented in the List of documents file for the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit (which can be found at this link: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/). The order of documents in this file was designed to provide the easiest way to implement the documents.

    For further information about the implementation process, please see:
    - ISO 27001: An overview of the ISMS implementation process [free webinar] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  • Documents referenced in the Quality Manual


    Answer:
    ISO 9001:2015 does not require a Quality Manual. So, organizations that decide to develop and maintain a Quality Manual have a lot of freedom to include whatever they want. For example, many organizations use the Quality Manual just for presenting the organization at a higher level. So, it is quite possible that a document not referenced in the Quality Manual is still a usable, valid and even important document.
    The following materials will provide you more information about documenting a quality management system:
    - The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Access control policy and password policy

    I guess the Password Policy will be: A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3

    And the Access Control Policy?

    Answer: First, it is important to note that ISO 27001 allows flexibility for each company to decide how many documents they want to have, and what to include in those documents. Of course, you still need to have all mandatory documents, but you are free in how to create them. For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    Additionally, controls must be kept in the documentation only if they are stated as applicable in the Statement of Applicability. The ones that are not applicable in the SoA must be deleted.

    Considering that, if the Access Control Policy and Password Policy are separate documents for your organization, section 2 (reference documents) of each policy, regarding ISO 27001 requirements, will be like this:

    Section 2 of the Access Control Policy:
    - ISO/IEC 27001 standard, clauses A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1. (you need to delete controls A.9.2.4, A.9.3.1, and A.9.4.3)
    - All other references must be kept.

    Section 2 of the Password Policy:
    - ISO/IEC 27001 standard, clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
    - All other references must be kept.

    As you noted, controls A.9.2.1 and A.9.2.2 must be kept in both documents.
  • SOP's and mandatory documents


    Answer:
    Yes. ISO 9001:2015 has no mandatory documented procedures. Please check ISO 9001:2015 clause 4.4.2. It is up to each organization to evaluate “to the extent necessary” any need for SOPs. Normally, that depends on people’s turnaround and task complexity.

    The following materials will provide you more information about documenting a quality management system:
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • A formal documented QMS


    Answer:
    ISO 9001 is an international standard for a quality management system. ISO 9001:2015 has some mandatory documents like maintaining a quality policy. ISO 9001:2015 gives a lot of autonomy to organizations to determine which documents are needed (please see clause 4.4.2).
    The following materials will provide you more information about documenting a quality management system:
    - Article – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - ISO 9001 Implementation diagram - Download a complimentary checklist (PDF) - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - Clause-by-clause explanation of ISO 9001:2015 - Download a complimentary white paper (PDF) - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - If you need help or want to develop documentation faster, check - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cyber attack security controls


    Answer:

    I'm assuming that your doubt is which standard can provide better guidance in the identification of cyber attack security controls and precaution measures.

    Considering that, the standard of choice is ISO 27001, which provides general recommendations for information security that can be adapted for cyber security.

    Regarding the definition of responsibilities, business continuity related to ISO 27001 is focused on disaster recovery of IT infrastructure, so if your organization's needs for business continuity go beyond that (i.e., the potential impacts go beyond information-related issues), probably the responsibility should remain with BCM.

    For further information, please see:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • Templates content for risk assessment and treatment


    Answer:

    Please note that while risk analysis results are recorded in the Risk Assessment Table template, the defined controls and residual risks are recorded in the Risk Treatment Table template, which can be found at this link: https://advisera.com/27001academy/documentation/risk-treatment-table/

    So, you will need both templates to record the results of the risk assessment and treatment.

    To see how to completely cover the risk assessment and treatment process, I suggest you take a look at our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    For further information, please see:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • SoA classification level


    Answer:
    Because the SoA contains a lot of information about how the organization approaches information security, it is a sensitive document and access to it should be restricted to personnel who require it to perform their activities (e.g., top and middle management, and the security officer), and in most cases this does not cover all employees. Considering that, in most classification frameworks the lowest level which has this kind of restriction is the "Restricted" level, but you have to check your own framework to confirm that. You should avoid using the highest classification level you have, because in most scenarios the highest classification level will demand controls that will be too much to protect the SoA.

    For further information see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Anti-spam regulations

    We have received an additional question:

    >The GDPR does not directly regulate spam but it places consent as a condition for direct marketing in certain situations?

    Answer:

    The GDPR establishes the rules around consent and those rules need to be respected whenever using consent as your lawful grounds for sending the advertisement. The GDPR also allows for direct marketing based on legitimate interest.

    However, the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances. Some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with the e-privacy laws I mentioned previously and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.