An organization is using an access control system via card authentication to control physical entry and exit to a location within ISMS scope. The software that drives this access control was found to be 8 years old and outdated, with inherent vulnerabilities, since the OEM has released a much newer version with added security and performance features. Should this not be a minor nonconformity, given that this access software that drives this physical entry control could be compromised or fail outright, since it's been 8 years without any update and is outdated?
Answer:
First it is important to note that a nonconformity is based on evidence that something required was not planned or was not performed as planned.
Considering that, and your stated scenario, you have evidence that the software that drives this access control was not properly updated, and a minor nonconformity is more related to controls A.12.5.1 (Installation of software on operational systems) and A.12.6.1 (Management of technical vulnerabilities) than to control A.11.1.2 (Physical entry control).
A nonconformity related to control A.11.1.2 must be based on evidence of failure of the control (e.g., reported incidents of unauthorized access), and your stated scenario only mentions a possible access compromise (which in fact is an increase in the risk, not a nonconformity).
>Step 1: List assets & the trigger from internal and external issues (within ISMS scope) – perform CIA, which is addressed as High/Medium/VH
Answer: Internal and external issues are only part of the elements used to identify assets for the risk assessment. The best way to build an asset inventory is to interview the head of each department and list all the assets a department uses. The easiest is the “describe-what-you-see” technique – basically, ask this person, e.g., to list all the software that he or she sees installed on the computer, all the documents in their folders and file cabinets, all the people working in the department, all the equipment seen in their offices, etc.
>Step 2: For Medium and High/VH from Step 1, list threats & vulnerabilities, then calculate the probability & impact rating that has values (based on what we define)
>Question: Where do we determine risk here? Where do we write risk, or do we need a column here for writing risk? As I see only threats, vulnerabilities, probability, impact and risk rating.
Answer: First it is important to note that when performing risk identification through the asset-vulnerability-threat approach you do not write a risk text (e.g., risk of data loss due to equipment failure). In this approach the identification of the relation asset-vulnerability-threat is the risk statement (e.g., paper report - single copy - fire, or electronic record - single copy - storage unit failure).
>Step 3: Input from Step 2 prioritized risks to address. Where do we write risks? (I see only threats and vulnerabilities and risk ranking that we will further address.)
>Step 3: Based on higher risk rating we select controls. Find gaps and address.
>Step 4: SoA
>Dejan, the explanation of the first step to start with threats and vulnerabilities, thereby aligning to assets within the ISMS scope, is an interesting write-up. But I lag in understanding how to define the overall definitions.
Answer:
Clause 8.1.4 of ISO 45001:2018 is included in the standard to ensure that the process for procuring from external providers within your company includes controls so that the products and services you purchase meet the needs of your OHSMS, or in other words, that your purchases consider occupational health & safety. The clause further discusses particular considerations for contractors and outsourcing separately, mainly because these are special types of procurement that require extra thought. Of course, the controls you will need to put in place will be dependent not only on your organization, but also on the outsourcing or contracting you are using.
In general, outsourcing occurs at a supplier facility when they take on one of your processes, and this also requires you to ensure that these outsourced products and services meet your OH&S needs. Contractors will generally work within your facility, and need to understand your OH&S requirements as well as how they affect the OH&S of your facility. How do you ensure that contractors will not negatively affect your OHSMS when they are doing work, and how do you ensure that you do not negatively impact contractor safety when they are working? These two terms are defined more clearly, along with others, in the article: ISO 45001:2018 Glossary of terms, https://advisera.com/45001academy/blog/2019/06/27/iso-45001-glossary-of-terms-and-definitions/
For an explanation of the whole ISO 45001 standard, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
ISO 45001: How to get started
Answer:
One of the most beneficial aspects that I have found with the ISO 45001 format (just like all the other ISO management system standards) is that the document is written in the order in which you would want to implement the requirements. So, starting at the beginning of the standard, you want to first identify the context of the organization by identifying the internal and external issues, the interested parties and their needs, and documenting the scope. Following this you will want to put in place all of the leadership and worker participation processes, including documenting OH&S objectives, assigning roles and responsibilities, and putting in place the process for worker consultation and participation. You would then proceed through the standard, putting in place the processes and documentation required.
The one exception to this is that it is helpful to implement the requirements of clause 7.5 for creating, maintaining and storing documented information (procedures and records) at the beginning, since this will be needed to document everything you need as you go along. The only other good advice I can give you is to split up the tasks and get started. You don’t seem to have a lot of time, and you just need to go through the standard and put in place the required documentation before the stage 1 audit, so having more than one person working on this will be helpful.
What kind of construction work does your organization perform? For each kind of construction work, list the raw materials used and the activities performed. Then, for each raw material and activity, think about how they interact, or potentially interact, with the environment. Consider the relevance of extending the aspect determination to suppliers’ activities. For example, is sand coming from a legal source?
You can build a library of basic aspect-impact determination for each kind of construction work.
Answer:
More than documentation, context is about reflection, about thinking about what is around and within an organization that can explain its presence and influences its future. ISO 9001:2015 does not require any documentation. You can record your organization’s context in meeting minutes, for example. See below an example from the white paper.
2. If the gap analysis of non-achievement of quality objectives is not available during the internal audit & an NC has been given, does this NC go to clause 6.2 or clause 9.1.3?
Answer:
Your organization defined quality objectives and plans to meet them – clause 6.2 is OK.
Your organization monitored and evaluated performance against the quality objectives – clause 9.1.3 is OK.
So, quality objectives were not met (a nonconformity, by the way) and the organization has not reacted – clause 10.2.1 is NOK.
Not reacting is the audit nonconformity and the clause is 10.2.1.
Other than buying the standard of course, do I need to get any special license from ISO/IEC? I am speaking about implementation, not certification audits.
Answer:
Besides buying the related standard, there is no mandatory license of any kind required to perform an ISO management system implementation. Of course, having a Lead Implementer certification can help increase the confidence of potential customers.
In this document, you have to determine the inventory of assets, risk owner and owner of the asset.
I have identified the group of assets: People, which includes the following assets:
Steering committee
Internal staff
External people in internships and interns
External part-time employees
External people visiting the organization
In the case of people, for example, who would be responsible for the asset and who would be responsible for the risk?
Answer:
ISO 27001 does not prescribe who should be the asset owner, but in general:
- for personnel with a contract with the organization, the asset owner is his/her superior in the organization.
- for personnel hired only for a defined time, or for a specific piece of work, the asset owner should be the person with whom the contract is signed.
- for personnel like visitors, the owner is the person in the organization with whom this visitor will interact.
As for the risk owner, this should be someone related to physical security, since most of the risks related to personnel involve physical access to assets and information.
I was wondering if you think it is possible to scope one department in one location? If possible, what do you see as the main challenges here?
Any advice or guidance is greatly appreciated, or even a reference to articles that may help me.
Answer:
The ISO 27001 scope can be limited to part of the organization (e.g., a business unit, process, or location), but you have to note that an organization should first evaluate whether this separation will bring more additional effort than considering the whole organization as part of the scope.
Many larger companies limit the scope of the ISO 27001 implementation to the IT department and/or one location, and in most cases this works well.