Search results


  • SOA question


    Answer:

    In our experience, an ISMS based on ISO 27001 implements around 100 of the 114 controls from Annex A, and the results of the risk assessment are just one of three general justifications for implementing a control. The other two are:
    - Legal requirements (e.g., contracts, laws, regulations, etc.) demand the implementation of a control
    - Top management decisions demand the implementation of a control (e.g., by considering it a good practice)
    If none of the above situations occurs, then you can justify not implementing a control with text something like: "There are no unacceptable risks nor legal requirements that would demand this control."

    These articles will provide you further explanation about the SoA and the selection of controls:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Aspects, impacts and risks


    Answer:
    Please consider this example:

    https://www.screencast.com/t/B9r5RcjuYH

    At the maintenance warehouse, lubricating oils are handled to apply in preventive maintenance activities. Because people handle lubricating oils there is the possibility of spillages or leakages. If a spillage or leakage occurs, there is the possibility of contamination of soil or water.
    The potential spillage or leakage is an environmental aspect, an element of an organization’s products, services and activities which can interact with the environment. Other examples of environmental aspects are, for example, discharges to water, emissions to air, use of natural resources and materials, or generation of wastes. Environmental impacts are the consequences of the environmental aspects.
    In the example above, the environmental aspect is permanent, but the environmental impact depends on the context, i.e., on the use of preventive and responsive measures.

    How can a business assess the risks of its environmental impacts?

    Answer:
    Some environmental impacts are more or less predictable. For example, if an organization cuts metal sheets it will always generate metallic waste. Other environmental impacts have more uncertainty associated with them, like the contamination of soil or water in the example above.
    Risks are about uncertainty. For example, is there any risk (any possibility) of extraordinary inefficient metal cutting, generating more metallic waste? Is there any risk of contamination of soil or water because of the handling of lubricating oils?
    The organization can evaluate those risks considering the actual situation. For example, if there are preventive measures and responsive means in place perhaps the probability of occurrence and consequences of occurrence make the risk less relevant.

    The following material will provide you information about assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
    - Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book – THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Controls in SoA


    Answer:

    First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a management decision to implement the control, by considering it as good practice.

    If none of the above conditions happen, there is no need to implement a control, and based on this situation the auditor will consider the SoA acceptable for certification.

    By the way, in our experience a certified ISMS generally implements up to 100 of the 114 controls listed in ISO 27001 Annex A.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • List of legal requirements


    Answer:

    Contracts with employees are in general a response to external legal requirements (e.g., labor legislation, contract with customers, etc.), as a way to implement control A.7.1.2 (Terms and conditions of employment), so there is no need to include them in the list of legal requirements.

    It is important to note that it is not necessary to list those requirements in our template if they are already listed in another source document.

    This article will provide you further explanation about employment conditions:
    - What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
  • Auditing BCP and DRP


    Answer:

    First of all, you must select competent and independent auditors to perform the audit (by independent we mean people who are not involved with these plans). After that, you must identify which requirements are applicable to your Business Continuity and Disaster Recovery Plan, by means of identifying legal requirements and business objectives. Once these issues are identified, you should elaborate a checklist to help you cover these issues with proper questions and evidence to be verified.

    These articles will provide you further explanation about preparing for an audit (they focus on ISO 27001, but the concepts are applicable to ISO 22301 as well):
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    Additionally, this toolkit can help you plan and perform an audit compliant with ISO 22301: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    On this page you can download a free preview of the documents to see how they look and whether they can fulfill your needs.
  • Management system integration


    Answer:
    Normally organizations start with ISO 9001 and then add the other standards. Some organizations start with the integrated system right from the beginning, with all standards at the same time. Personally, when possible, I prefer to start with ISO 14001 before ISO 9001 because I believe it is easier to implement and to start seeing real changes in the daily work. So, positive feedback from implementation is much easier for all involved.

    The following material will provide you information about implementing integrated systems:
    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    - ISO 9001, ISO 14001 and ISO 45001 Integrated Documentation Toolkit - https://advisera.com/9001academy/iso-9001-iso-14001-iso-45001-integrated-documentation-toolkit/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Working from Home Monitoring

    We are potentially looking to set up a number of employees for home working. From what I can tell from researching, the above monitoring-from-home options would not be legitimate and would be classified as intrusive on the employees' privacy. Is this correct? Are there any forms of monitoring that would be legitimate under GDPR laws?

    Answer:

    This is a hot topic indeed. My advice to you is to perform a Data Protection Impact Assessment to see how much this activity will affect the rights and freedoms of the data subjects.
    In order to be lawful, such a processing activity would need to be proportionate and transparent.

    If you want to find out more about DPIAs, check out this webinar “Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR” - https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/
  • ISO 20000 Tool


    Answer:
    In some of my recent implementations I used GLPI. But there are also some other tools, such as those described in the article "Free tools for ITSM – supporting IT Service Management for zero tool cost" https://advisera.com/20000academy/knowledgebase/free-tools-for-itsm/

    Also, this article can help you choose an appropriate tool: "5 things to beware of when selecting an ITSM tool" https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/
  • High Risk Appetite

    Answer: Risk appetite does not depend ONLY on the nature of the business, because other aspects can affect it (e.g., cultural and technological issues).

    The risk appetite can always be challenged, especially by the risk management officer, but you have to keep in mind that the final decision is always up to top management (they set where the line must be drawn, depending on their perception of the risks). If you do not agree with their decision, then you have to review the data you present to them, or try to understand how they perceive risk, so you can adjust your approach or change your mind. In any case, you have to be careful not to push your opinion too much (remember that the final decision is up to them).
  • What standards or procedures to follow for medical mobile app?


    Answer:

    Design and development of medical mobile apps should follow the local regulatory requirements in the country where you will be producing these mobile apps, and should also follow some guidance from the ISO 13485 standard. You can look at clause 7.1 Product Realization and 7.3 Design and Development for some basic guidance on the documentation. As for the design specification of the UI/UX of these mobile apps, there are no standards or other requirements, so you have to tailor them towards the intended use of the mobile apps.

    For more information, please read this article:
    How to manage design and development of medical devices according to ISO 13485:2016
    https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/