
  • ISO 27001 toolkit content

    - A.6.1.1 – A.6.1.6
    - A.7.3
    - A.8.1.3 & A.8.1.4
    - A.9.4
    - A.11 is also somewhat incomplete
    - A.12.1.3 and 12.1.4
    - A.12.4 – A.12.7
    - A.18 is missing completely

    I previously thought that the missing parts may be part of an update. Can you tell me more about the missing parts of the ISO?

    Answer:

    First of all, sorry for this confusion. It is important to note that not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only the mandatory documents plus the most common ones.
    In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.

    Documents which cover some of the controls you mentioned can be found here:
    - A.6.1.2 - this control is covered by document "Incident Management Procedure", located in Folder "08 Annex A – Security Controls" sub-folder "A.16 Information Security Incident Management"
    - A.8.1.3 & A.8.1.4 - these controls are covered by documents "IT Security Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.8 Asset Management" and "Supplier Security Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.15 Supplier Relationships"
    - A.9.4.1 this control is covered by documents "Information Classification Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.8 Asset Management" and "Access Control Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.9 Access Control"
    - A.9.4.3 this control is covered by documents "Password Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.9 Access Control" and "Access Control Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.9 Access Control"
    - A.12.4 - these controls are covered by document "Security Procedures for IT Department", located in Folder "08 Annex A – Security Controls" sub-folder "A.12 Operations Security"
    - A.18 – controls from this section are covered in the toolkit in folder "02 Procedure for identification of requirements"

    In case your implementation requires controls not covered by the documents included in the toolkit, you can contact us by email or schedule a meeting and we can provide support to develop these documents.
  • SWOT Analysis and ISO 27001


    Answer:

    First it is important to note that a SWOT analysis is not mandatory for ISO 27001, but it can help for the identification of organizational context and requirements of interested parties.

    Considering that, the SWOT analysis used for ISO 9001 certification can be used for ISO 27001, provided that you now include an information security perspective on the information already gathered.

    These articles will provide you further explanation about organizational context and requirements of interested parties:
    - How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • Complying with the context of the organization


    Answer:

    The standard does not require any particular format; moreover, regarding the Context of the organization it does not require keeping any record or document. That said, I advise you to at least keep the minutes of a meeting in which some analysis is carried out to determine the context of the organization, such as a SWOT analysis (strengths, weaknesses, opportunities and threats). You can also develop a procedure that defines in a systematic way how the context of the organization is addressed; here you can see an example - Procedure for determining the context of the organization and interested parties: https://advisera.com/9001academy/es/documentation/procedimiento-para-determinar-el-contexto-de-la-organizacion-y-partes-interesadas/

    These materials can help you understand the context of the organization:
    - Article - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Continual improvement programs


    Answer:

    The CI program you have established can fulfill the first part of clause 10.3.1 because of the performance indicators and their effectiveness, as Kaizen events and Just Do It initiatives are typical Lean methods that lead to increased process effectiveness.

    Also, consider improvements in the manufacturing process to reduce process variation. This can be achieved by using Six Sigma as the methodology, since it is the one used for reducing variation in the process.

    This clause additionally refers to risk analysis (such as FMEA) so please consider article: “What is FMEA and How to apply it in IATF 16949” https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/
  • Service Desk Manager


    Answer:
    Service Desk is related to many activities within the scope of the organization's ITSM (see the article about SD types: "ITIL Service Desk types" https://advisera.com/20000academy/blog/2014/05/06/itil-service-desk-types/).
    Therefore, as a Service Manager you have to consider services, the people involved in SD activities, customers/users, the internal organization, processes, the tools in use, etc. So, as you can see, many (sometimes different) areas have an influence on your activities. You can find more details in the following articles:
    "Service Desk: Single point of contact" https://advisera.com/20000academy/knowledgebase/service-desk-single-point-contact/
    "What is the job of the Service Desk Manager?" https://advisera.com/20000academy/blog/2016/09/20/what-is-the-job-of-the-service-desk-manager/
    "Service Desk staff – a window to the IT organization" https://advisera.com/20000academy/blog/2014/02/18/service-desk-staff-window-organization/
  • ISO 27001 implementation


    Answer:

    Although knowledge of PM and BA can make the ISO 27001 implementation easier, this knowledge is not mandatory, because there are at least three approaches to an ISMS implementation:
    - Use your own staff to implement the ISMS (this is the case where knowledge on PM and BA is most needed)
    - Use a consultant to perform most of the effort to implement the ISMS
    - Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

    Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
    - 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
    - ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Information Security Objectives


    Answer:

    ISO 27001 does not prescribe a minimum number of information security objectives, so each organization can define as many objectives as it sees fit for its business. Normally 3 to 4 objectives allow an ISMS to support the business properly (e.g., one operational objective, one financial objective, one business objective, and one compliance objective).

    This article will provide you further explanation about information security objectives:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Toolkit content


    Answer: This 2017 version refers to the British version of ISO 27001 (the BS EN ISO/IEC 27001:2017), which does not include any change that impacts the requirements defined by ISO 27001:2013, so there is no need to update the toolkit.

    This article will provide you further information:
    - European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

    2. In particular, I miss, of course, Chapter 18 of Appendix 27002.

    In addition, I miss further documents which are requested in the appendix of the ISO; for example, the first that come to mind are:
    · Contact with authorities
    · Contact with special interest groups

    I will continue to look at the package. Maybe then I have more questions.

    Answer: First of all, sorry for this confusion.

    The documents from section A.18 are not missing from the toolkit – you can find them here:
    - A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements"

    Not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only the mandatory documents plus the most common ones.

    In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.

    In case your implementation requires the mentioned controls, or other controls not covered by the toolkit, you can contact us by email or schedule a meeting and we can provide support to develop these documents.
  • Objectives, risks and opportunities and the HR department


    Answer:

    1. What kind of outcomes does your organization’s top management expect from the HR department? This will most likely depend on your context. I can imagine things like:

    - No problems with compliance obligations;
    - Ability to find skilled candidates;
    - Hiring people who will stay with the organization;
    - Hiring a diverse set of people;
    - Providing timely and effective training;
    - Promoting the right people;
    - Achieving a certain staff turnover rate.


    Now you can choose which topics are more relevant and translate them into objectives that could be used to monitor and evaluate HR department performance.

    2. Risk is about possible conditions that can affect an organization’s ability to meet expected, desired results or that can promote undesirable results.

    Taking the list of desired outcomes above, what can happen that affects each one, positively or negatively?

    - Insufficient awareness of changes in compliance obligations;
    - A strong economy is shrinking the pool of skilled candidates;
    - A good reputation can help find skilled candidates;
    - Using the lowest price as the criterion for contracting trainers can affect the training effectiveness rate.


    The following material will provide you more information about quality objectives and risks and opportunities:
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - White paper - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISMS


    (The IT mission of a company is managed (development, operations, support) by a third party, for which this operation means 90% of its business. The decision has been taken to acquire that company, which is certified to ISO 27001. The main company has its own ISMS, but with different criteria, methodologies and procedures. It is necessary to "keep" the current certificate. What could be the alternatives to adopt / adjust / integrate the ISMS? Which may require less effort? Which could be less risky (with regard to losing the certificate)?)

    Answer:

    First it is important to note that if both the main organization and the acquired organization are ISO 27001 certified, then initially the best strategy is to keep both certificates (i.e., work with two separate scopes), so as not to affect your current operation during the transition period.

    Considering a second stage, the solution which requires the least effort regarding risk management is for you to identify how risks from one methodology can be translated to the other, so you can have comparable results. For example, if for methodology 1 the risks are valued from 1 to 3 and for methodology 2 they are valued from 1 to 5, the risks identified by methodology 1 must be divided by 0.6 (3/5) to be compared to risks identified by methodology 2. For the reverse path, the risks identified by methodology 2 must be multiplied by 0.6 (3/5) to be compared to risks identified by methodology 1.

    This way you do not need to change anything in the existing frameworks, but the trade-off is that you will have more administrative effort to keep managing two different risk methodologies. You can adopt this alternative until you define a single approach for all risks (i.e., methodology and criteria).

    As for procedures, at first you can keep all procedures and define a schedule to evaluate similar procedures and how to integrate them.

    You should also consult with your certification body (or bodies) about how to integrate the ISMSs from the certification perspective.
