Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Implementation support

    Also controls for ISO 27018 A.1.1, A.2.2, A.4.1, A.5.1, A.5.2, A.7.1, A.9.1, A.9.2, A.9.3, A.10.2, A.10.3, A.10.4, A.10.5, A.10.6, A.10.7, A.10.8, A.10.9, A.10.10, A.10.11, A.10.12, A.10.13, A.11.1, A.11.2.
    It would be great if you provide templates or dashboard. Looking forward to hearing from you.

    Answer:

    First it is important to note that for each template you have there is a specific version to be used with cloud environments (the version has the word "cloud" in the file name). The controls you want to implement are covered by the following templates you have:

    ISO 27017
    - CLD.6.3.1: Cloud Security Policy and Security Clauses for Clients, Suppliers and Partners
    - CLD.8.1.5: Supplier Security Policy and Security Clauses for Clients, Suppliers and Partners-
    - CLD.9.5.1: Cloud Security Policy
    - CLD.9.5.2: Cloud Security Policy
    - CLD.12.4.5: Cloud Security Polic y
    - CLD.13.1.4: Cloud Security Policy

    ISO 27018
    - A.1.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
    - A.2.2: Policy for Data Privacy in the Cloud
    - A.4.1: Specification of Information System Requirements
    - A.5.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
    - A.5.2: Policy for Data Privacy in the Cloud
    - A.7.1: Policy for Data Privacy in the Cloud
    - A.9.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
    - A.9.2: Procedure for Identification of Requirements, Information Security Policy, Cloud Security Policy, Policy for Data Privacy in the Cloud, Bring Your Own Device (BYOD) Policy, Security Procedures for IT Department, Change Management Policy, Secure Development Policy, and Supplier Security Policy
    - A.9.3: For this one you need the Information Transfer Policy template (https://advisera.com/27001academy/documentation/information-transfer-policy/)
    - A.10.2: Policy for Data Privacy in the Cloud
    - A.10.3: Security Clauses for Clients, Suppliers and Partners
    - A.10.4: Security Clauses for Clients, Suppliers and Partners, Information Transfer Policy template, and Security Procedures for IT Department
    - A.10.5: Security Clauses for Clients, Suppliers and Partners, Information Transfer Policy template, and Security Procedures for IT Department
    - A.10.6: Security Clauses for Clients, Suppliers and Partners, and Security Procedures for IT Department
    - A.10.7: For this one you need the Disposal and Destruction Policy template (https://advisera.com/27001academy/documentation/disposal-and-destruction-policy/)
    - A.10.8: For this one you need the Access Control Policy template (https://advisera.com/27001academy/documentation/access-control-policy/)
    - A.10.9: Access Control Policy
    - A.10.10: Access Control Policy
    - A.10.11: Security Clauses for Clients, Suppliers and Partners
    - A.10.12: Security Clauses for Clients, Suppliers and Partners
    - A.10.13: Disposal and Destruction Policy
    - A.11.1: Security Clauses for Clients, Suppliers and Partners, and Procedure for Identification of Requirements
    - A.11.2: Security Procedures for IT Department

    Additionally, included in the templates you bought there are several comments included that can help you customize you documents. When customizing the documents if you have any specific doubt regarding how to make the customization please contact us.

    Regarding the order on which to implement the documents, you can follow the order presented in the List of documents file for ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit (which can be found at this link: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/). The order of documents in this file was designed to provide the easiest way to implement the documents.

    For further information about the implementation process, please see:
    - ISO 27001: An overview of the ISMS implementation process [free webinar] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  • Documents referenced in the Quality Manual


    Answer:
    ISO 9001:2015 does not require a Quality Manual. So, organizations that decide to develop and maintain a Quality Manual have a lot of freedom to include whatever they want. For example, many organizations use the Quality Manual just for presenting the organization at a higher level. So, it is quite possible that a document not referenced in the Quality Manual is still a usable, valid and even important document.
    The following materials will provide you more information about documenting a quality management system:
    - The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Dis cover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Access control policy and password policy

    I guess the Password Policy will be: A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3

    And the Access Control Policy?

    Answer: First is important to note that ISO 27001 allows flexibility for each company to decide how many documents they want to have, and what to include in those documents. Of course, you still need to have all mandatory documents, but you are free on how to create them. For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    Additionally, controls must be kept in the documentation only if they are stated as applicable in the Statement of Applicability. The one that are not applicable on SoA must be deleted.

    Considering that, if Access Control Policy and Password Policy are separated documents for your organization, the section 2 (reference documents) of each policy, regarding ISO 27001 requirements will be like this:

    Section 2 of the Access Control Policy:
    - ISO/IEC 27001 standard, clauses A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1. (you need to delete controls A.9.2.4, A.9.3.1, and A.9.4.3)
    - All other references must be kept.

    Section 2 of the Password Policy:
    - ISO/IEC 27001 standard, clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
    - All other references must be kept.

    As you noted, controls A.9.2.1, A.9.2.2 must be kept on both documents.
  • SOP's and mandatory documents


    Answer:
    Yes. ISO 9001:2015 has no mandatory documented procedures. Please check ISO 9001:2015 clause 4.4.2. It is up to each organization to evaluate “To the extent necessary” any need for SOP’s. Normally, that depends on people’s turnaround and tasks complexity.

    The following materials will provide you more information about documenting a quality management system:
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • A formal documented QMS


    Answer:
    ISO 9001 is an international standard for a quality management system. ISO 9001:2015 has some mandatory documents like maintaining a quality policy. ISO 9001:2015 gives a lot of autonomy to organizations to determine which documents are needed (please see clause 4.4.2).
    The following materials will provide you more information about documenting a quality management system:
    - Article – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - ISO 9001 Implementation diagram - Download a complimentary checklist (PDF) - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - Clause-by-clause explanation of ISO 9001:2015 - Download a complimentary white paper (PDF) - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - If you need help or want to develop documentation faster, check - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cyber attack security controls


    Answer:

    I'm assuming that your doubt is which standard can provide better guidance in the identification of cyber attack security controls and precaution measures.

    Considering that, the standard of choice is the ISO 27001, which provides general recommendations for information security that can be adapted for cyber security.

    Regarding definition of responsibilities, business continuity related to ISO 27001 is focused on disaster recovery of IT infrastructur e, so if your organization's needs for business continuity go beyond that (i.e., the potential impacts go beyond information-related issues), probably the responsibility should remain with BCM.

    For further information, please see:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • Templates content for risk assessment and treatment


    Answer:

    Please note that while risk analysis results are recorded in the Risk Assessment Table template, the defined controls and residual risks are recorded in the Risk Treatment Table template, which can be found at this link: https://advisera.com/27001academy/documentation/risk-treatment-table/

    So, you will need both templates to record the results of the risk assessment and treatment.

    To see how to completely cover the risk assessment and treatment process I suggest you to take a look at our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    For further information, please see:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment accord ing to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • SoA classification level


    Answer:
    Because SoA has many information about how the organization approaches information security, it is a sensitive document and access to it should be restricted to personnel that requires it to perform their activities (e.g., top and middle management, and the security officer) and in most cases this does not cover all employees. Considering that, in most classification frameworks the lowest level which has this kind of restriction is the "Restricted" level, but you have to check your own framework to confirm that. You should avoid to use the highest classification level you have because in most scenarios the highest classification level will demand controls that will be too much to protect in the SoA.

    For further information see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Anti-spam regulations

    We have received an additional question:

    >The GDPR does not directly regulate spam but it places consent as a condition for direct marketing in certain situations?

    Answer:

    The GDPR establishes the rules around consent and those rules need to be respected whenever using consent as your lawful grounds for sending the advertisement. The GDPR also allows for direct marketing based on legitimate interest.

    However the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances. Some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with e-privacy laws I mentioned previously and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.
  • AS9100: Audit questions

    This is a question best asked of your certification body as they will have some better insight into what they can and cannot accept for their own internal rules, however, generally these clauses are not possible to exclude from the QMS. Unless your QMS scope is design only, and you never will build anything, the certification body will need to have something to audit if build and test is part of your scope.

    I do understand that you are not yet using these processes as you are still in the design phase, but I believe the certification body will expect you to at least have the plans in place on what will be done for these clauses for your initial build, including having the procedures (clause 8.7 procedure is mandatory) and have identified the format of the required records for these processes. You may not have used them yet, so you will not have records created yet, but having them in their initial stages will be needed.

    Of course, it will be understood that these processes are expected to be updated and improved as you begin to use them, but having them in place will be necessary to include build and test in your QMS scope.

     

    You can learn a bit more from this related ISO 9001 article: Understanding product & service provision in ISO 9001, http://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/

Page 536-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +