Answer: The implementation of ISO 27001 is quite similar regardless of the industry and size (what differs is the quantity of resources and complexity of deliverables), and the general steps are:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
Answer: ISO 27001 does not prescribe the specific need for a risk committee, only that relevant information security responsibilities are defined, so you can assign responsibilities for risk management the way it best fits your organization (e.g., you can adopt a risk committee, or this responsibility can be assigned to the CISO).
First, it is important to note that BIA is not required by ISO 27001 and this approach will only help to identify which processes are critical to the organization concerning availability, and for information security you also have to consider the loss of confidentiality and integrity.
Answer:
Your statement is not exactly correct; a company does not need to be certified to ISO 9001:2015 before becoming certified to AS9100 Rev D, you can just be certified to AS9100 Rev D without going through the first step.
The AS9100 Rev D standard actually includes all of the ISO 9001:2015 requirements, plus additional aerospace-specific requirements. So, by being compliant to AS9100 Rev D you are also entirely certified to ISO 9001:2015. In fact, some certification bodies include both standards on the certificate so as to make it clear that the requirements of both are satisfied. This being said, you do not need to have certification audits for both ISO 9001 and AS9100; the one certification audit is sufficient, and by being compliant to AS9100 you are also compliant to ISO 9001; separate certificates and audits are not required.
For a better understanding of everything included in AS9100 Rev D, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
Estimation of timeline for ISO 13485 certification
Answer:
The implementation process will usually take between 3 and 18 months depending on the size of the company. You can utilize this link to calculate the time that might be needed: https://advisera.com/9001academy/iso-9001-duration-calculator/ . For the certificate stage, you should give yourself around 2 months to prepare.
Since the plastic injection-molded clips are a part of the medical device components, you have to maintain a medical device file in order to be compliant with ISO 13485.
ISO 27001 does not prescribe how documents should be developed, so you can choose the approach that best fits your needs.
The main criteria to decide whether to merge documents or not are if they have similar purposes and if, by merging them, they would not become a document too big to understand or read. So, in this case, if your single document does not become too big to use and manage, it may be best to merge them, so you have one less document to manage in your ISMS.
Points to be considered are:
- Business needs
- License type (even for open source software)
- Known vulnerabilities (you can search on the NIST vulnerability database)
- Software reputation on market
- Existence of periodic release of security patches
- Software privacy policy
This article can provide further information about risk assessment:
In a general manner, security related actions can be driven by these reasons:
- the existence of unacceptable risks (as you already mentioned)
- the existence of legal requirements (e.g., contracts, laws and regulations), demanding a security action
- a top management decision, based on a business need or on a market best practice
The last two bullets do not have to be initially related to risks (but at some point you can identify some), nor will ISO auditors require every action to be related to risks.
Disaster recovery plan
Answer:
Your toolkit includes a template for Disaster Recovery Plan in folder 8 Annex A controls A.17 Business Continuity.
It is important to note that for ISO 27001 a DRP aims at the recovery of IT infrastructure, and since your question refers to a cloud provider, you must align which activities you must document in your plan, since most of the activities will be the responsibility of the provider.