Search results

  • Licensing for implementation


    Other than buying the standard of course, do I need to get any special license from ISO/IEC? I am speaking about implementation, not certification audits.

    Answer:

    Besides buying the related standard, there is no mandatory license of any kind required to perform an ISO management system implementation. Of course, having a Lead Implementer certification can help increase the confidence of potential customers.

    This article will provide you further explanation about the Lead Implementer course:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

    For more information about the Lead Implementer course, see:
    - ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

    This material can also be helpful:
    - How to sell consulting services https://advisera.com/27001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
  • Responsible for personnel


    In this document, you have to determine the inventory of assets, risk owner and owner of the asset.
    I have identified the group of assets: People, which includes the following assets:
    Steering committee
    Internal staff
    External people in internships and interns
    External part-time employees
    External people visiting the organization

    In the case of people, for example, who would be responsible for the asset and who would be responsible for the risk?

    Answer:

    ISO 27001 does not prescribe who should be the asset owner, but in general:
    - for personnel with a contract with the organization, the asset owner is his/her superior in the organization.
    - for personnel hired only for a defined time, or for a specific piece of work, the asset owner should be the person with whom the contract is signed.
    - for personnel like visitors, the owner is the person in the organization with whom this visitor will interact.

    As for the risk owner, this should be someone related to physical security, since most of the risks related to personnel concern physical access to assets and information.

    This article will provide you further explanation about risk owners:
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Defining scope


    I was wondering if you think it is possible to scope one department in one location? If possible, what do you see as the main challenges here?

    Any advice or guidance is greatly appreciated, or even a reference to articles that may help me.

    Answer:

    The ISO 27001 scope can be limited to part of the organization (e.g., a business unit, process, or location), but note that an organization should first evaluate whether this separation will bring more additional effort than considering the whole organization as part of the scope.

    Many larger companies limit the scope of the ISO 27001 implementation to the IT department and/or one location, and in most cases this works well.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
  • Asset register


    If we would come to the asset "server" on the asset inventory list - we've got over 6.000 of them. How should we list them?

    Answer:

    ISO 27001 does not prescribe any level of granularity, so you can adopt the level that you understand will best fulfill your needs. Considering your examples, you should consider splitting assets in more detail when they require different levels of protection and a different number of applicable controls.

    For example, managers will have a higher level of access to information than general employees, so you should consider them as a separate category of asset, to avoid applying controls that relate only to them to all employees.

    For the case of workstations, you can use categories related to their purpose, for example general workstation and development workstation, including the quantity of each type as detailed information.

    It is important to note that you can reference other system(s) that contain more detailed information about each asset, so you do not need to replicate information unnecessarily.

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Scope definition


    It has been difficult for me to develop that point, since I do not quite understand it. I have investigated but it is not clear to me. I wish you could help me or show me some examples based on your knowledge and experience.

    Answer:

    Without detailed information about your scope, what we can do is provide general examples:
    - In an e-commerce organization, its website is considered the interface between the activities carried out by the organization and its customers. The web page of the supply chain management software is the interface between the activities carried out by the organization and its suppliers.
    - Considering a data center, dependencies that must be considered are electrical and communication providers, as well as hardware manufacturers.

    This article will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    This material can also help you:
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  • Documenting a QMS


    Answer:

    The documented information required by ISO 9001:2015 includes:

    a) The documented information required by the ISO 9001 standard
    b) The documented information that the organization determines as necessary for the proper functioning of the Quality Management System.

    Within ISO 9001 there is a set of mandatory documented information; these are the documents and records needed to meet the requirements of the standard. You can find more information here - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    In addition, there is a set of requirements regarding the control of documented information, which include:
    a) Access, distribution, retrieval and use.
    b) Storage and preservation.
    c) Control of changes.
    d) Retention and disposition.

    For more information you can consult the following materials:
    - Article - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Article - How to structure documentation in the quality management system: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-estructurar-la-documentacion-del-sistema-de-gestion-de-calidad/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Controls measurement


    Especially, what is meant in the Access Policy by "level of confusion responsibility for the implementation of this document"?

    Acceptable Use Policy:
    Validity and document management
    This document is valid as of [date].
    The owner of this document is [job title], who must check and, if necessary, update the document at least once a year.
    When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
    number of incidents related to unacceptable or unauthorized use of information assets
    number of incidents related to inappropriate employee training or awareness programs

    Access Control Policy:
    Validity and document management
    This document is valid as of [date].
    The owner of this document is [job title], who must check and, if necessary, update the document at least once every six months.
    When evaluating the effectiveness and adequacy of this document, the following must be considered:
    number of incidents related to unauthorized access to information
    delayed change of access rights in case of change or termination of employment / contract
    number of systems not included in this document
    level of confusion responsibility for the implementation of this document

    Answer:

    Examples of how to measure these items are:
    - Number of incidents related to unacceptable or unauthorized use of information assets: you must gather this information by evaluating recorded incidents (filled in the Incident Log).
    - Number of incidents related to inappropriate employee training or awareness programs: you must gather this information by evaluating recorded incidents (filled in the Incident Log), compared to attendance lists from training and performed awareness activities (this way you can verify whether the people involved in an incident participated in training and awareness or not).
    - Number of incidents related to unauthorized access to information: you must gather this information by evaluating recorded incidents (filled in the Incident Log).
    - Delayed change of access rights in case of change or termination of employment / contract: to evaluate this situation you must identify changes or terminations of employment / contract performed by the HR team and track whether access changes were raised, and when they were implemented (this second piece of information will normally be found in the IT area and the area responsible for physical access).
    - Number of systems not included in this document: in this case you must compare the information in the inventory of access with the content of the access control policy.
    - Level of confusion regarding responsibilities for the implementation of this document: in this case you must meet with the personnel involved in the implementation of this policy and ask for their feedback regarding the policy implementation (e.g., whether users requiring access know who to contact to ask for access to specific systems).
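As an added illustration (not part of the answer above), this script shows how two of the Access Control Policy measurements could be computed from records: it joins constructed HR change/termination events with constructed access-change tickets to find the revocation delay per person, and compares a constructed access inventory against the systems the policy names. All record names, dates and the one-day threshold are assumptions.

```python
from datetime import date

# Constructed sample records (assumed, not from the original answer).
HR_EVENTS = [
    {"person": "alice", "event": "termination", "date": date(2024, 3, 1)},
    {"person": "bob", "event": "role_change", "date": date(2024, 3, 5)},
    {"person": "carol", "event": "termination", "date": date(2024, 3, 10)},
]
ACCESS_CHANGES = [
    {"person": "alice", "system": "ERP", "done": date(2024, 3, 1)},
    {"person": "alice", "system": "VPN", "done": date(2024, 3, 9)},
    {"person": "bob", "system": "ERP", "done": date(2024, 3, 6)},
    # carol: no access-change ticket was ever raised
]
ACCESS_INVENTORY = {"ERP", "VPN", "CRM", "Badge system"}   # from the access inventory
POLICY_SYSTEMS = {"ERP", "VPN", "CRM"}                     # named in the policy


def access_change_delays(hr_events, access_changes):
    """Map each person with an HR event to the delay (days) of the slowest
    access change for that person, or None if no change was recorded at all."""
    delays = {}
    for ev in hr_events:
        changes = [c for c in access_changes if c["person"] == ev["person"]]
        if not changes:
            delays[ev["person"]] = None
            continue
        delays[ev["person"]] = max((c["done"] - ev["date"]).days for c in changes)
    return delays


def delayed_changes(delays, max_days=1):
    """Count HR events whose access change was later than max_days or missing."""
    return sum(1 for d in delays.values() if d is None or d > max_days)


def systems_not_in_policy(inventory, policy_systems):
    """Systems present in the access inventory that the policy does not cover."""
    return sorted(inventory - policy_systems)


if __name__ == "__main__":
    d = access_change_delays(HR_EVENTS, ACCESS_CHANGES)
    print("delays per person:", d)
    print("delayed or missing changes:", delayed_changes(d))
    print("systems not in policy:", systems_not_in_policy(ACCESS_INVENTORY, POLICY_SYSTEMS))
```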
  • ITSCM and BCM


    Answer:
    IT Service Continuity Management (ITSCM) relates its activities to the inputs from Business Continuity Management (BCM). That also means that if you have implemented ITSCM, you have not covered BCM.

    This article can help you further: "IT Service Continuity Management – waiting for the big one" https://advisera.com/20000academy/blog/2013/09/24/service-continuity-management-waiting-big-one/

    Here you can learn more about the ISO standard related to BCM: "What is ISO 22301?" https://advisera.com/27001academy/what-is-iso-22301/
  • GDPR Controllers and Processors of personal data records


    Answer:

    Yes, where necessary there are different documents. For example, there are two versions of Data Processing Agreements, one which is more Controller oriented and the other which is more Processor friendly. However, consider that an organization very seldom acts exclusively as a Processor.
  • EU GDPR and Data Processing


    Answer:

    The email communication would not be a problem. The question is whether the software application you are providing support for processes any personal data and whether, while providing support, you may access such data. If the answer is yes, then you need to comply with some GDPR provisions.

    If you want to find out more about the EU GDPR and what constitutes personal data check out the EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).