Answer:
Emergency changes are specific to the organization and need to be defined on a case-by-case basis. Meaning, they depend on the organization, services, processes in place, roles and responsibilities, etc. Therefore, it's not realistic to have a common procedure for all possible cases.
However, what we have in our toolkit is the definition of the Emergency Change authority and the respective roles (e.g. ECAB and its members).
Also, the following article can provide you more information: "How to manage Emergency Changes as part of ITIL Change Management" https://advisera.com/20000academy/blog/2016/01/19/how-to-manage-emergency-changes-as-part-of-itil-change-management/
Rework or repair and ISO 9001
Answer:
Rework or Repair are possible ways of treating product or service nonconformities. Product or service nonconformities are the subject of ISO 9001:2015 clause 8.7.
Repair may also be used in the context of after-sales service, for example, because the customer made bad use of the product and broke it. After-sales service is the subject of ISO 9001:2015 clause 8.5.5 as post-delivery activities.
Answer: If the alternative controls chosen to be implemented have reduced the risks to acceptable levels, then controls A.10.1.1 and A.10.1.2 are not applicable and for justification you can state that there are no risks demanding control implementation.
On the other hand, if the alternative controls chosen to be implemented have not reduced the risks to acceptable levels, and you still decided not to implement controls A.10.1.1 and A.10.1.2 (e.g., because the costs related to the implementation are greater than the expected impact of risk occurrence), then you can state that related risks (IDs xxx, yyy, zzz, etc.) are accepted by top management decision.
2. If two controls have the same risk, what do we write at the justification for selection/non-selection at the second control if we implemented the first one and there are no other unacceptable risks?
Answer: If the first control applied has reduced the risk to acceptable levels, for the second one you can state that there are no risks demanding control implementation.
3. Do we really have to restrict access in case we'd like to access the information systems in the datacenter? We do have a Mobile Device and Teleworking Policy and Clear Screen and Clear Desk Policy which is being implemented.
Answer: If there are no unacceptable risks related to unrestricted access to information (not only by employees, but by customers, suppliers, contractors, external parties, etc.), nor legal requirements demanding access control, you do not have to restrict access to information, but this is almost an impossible situation, because any organization has to some degree some information it wants to restrict access to. Additionally, the Mobile Device and Teleworking Policy and the Clear Screen and Clear Desk Policy implement some degree of access control (e.g., by defining who is eligible for teleworking and by requiring screen lock when the user is absent from his workstation).
4. Besides the GDPR, is there anything else that may be relevant to document in the 'List of Legal, Regulatory, Contractual and Other Requirements'? Perhaps eventual NDAs with stakeholders (e.g. customers) that are very sensitive to security, data, etc.?
Answer: GDPR is an example of a legal requirement related to laws, and your business probably will have some other laws or regulations related to its business that it must comply with. Other examples may be contracts with big customers and SLAs with suppliers. Since we are not legal experts, in these cases we recommend that organizations hire local legal advisers to guide them in identifying these requirements.
5. If we implement control A.9.2.5 (Review of users access rights), what should we as a webhosting company review for sure (systems, networks, services and physical access)?
We definitely have to review the physical access to the datacenter. I think we have to review access to Jelastic (server management) as well. Aside from that I wouldn't know anything else. I don't think we'd have to review access to more than 90 servers, right?
Answer: What you should review will depend on the results of risk assessment and the identified legal requirements (without this information we cannot provide a more precise answer). For example, why are you sure you have to review physical access (e.g., because of risks, or because of legal requirements)?
Regarding the review of your servers, the same concept applies. If you have risks or legal requirements that demand the review of 45 servers (because of information stored or processed by them), then you only have to review these 45.
6. If we implement control A.12.3.1 (Information backup), we must test backup copies. If we are going to test these manually, it will take a very long time (since there are only 4 employees which are doing the webhosting services), is there a more 'achievable' way to test these backup copies?
Answer: Besides automatic tests (which require investment in equipment and software), an alternative you could use is to define a sample size with an acceptable degree of confidence and perform the tests only on the samples, changing the samples every time you perform the test (for sample size definition, statistical knowledge is required). This is a way to ensure the backup process is working without a 100% test.
For example, you may find that for 98% confidence that your backup process is working, you need to test 8 of 100 backup units, and only 1 can fail (if more than 1 fails you will have to test all units). This way, if your process is working properly you have to work on only 8 backups each time you have to test your process (of course, each time you perform the test you have to use a different set of backup units).
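As an added illustration of the sampling idea in the answer above (example code, not part of the original post or the Advisera toolkit), the following Python computes, for a lot of N backup units of which D are actually unrestorable, the exact probability that a sample of n units with at most c tolerated failures passes, and the smallest n that catches D bad units with a chosen confidence. The lot size, defect counts and plan parameters used below are constructed assumptions.

```python
from fractions import Fraction
from math import comb


def p_accept(lot_size, defective, sample_size, max_failures):
    """Exact probability that a sample of `sample_size` units, drawn without
    replacement from `lot_size` backups of which `defective` are bad, shows at
    most `max_failures` bad units (i.e. the periodic restore test passes).
    Hypergeometric distribution, returned as a Fraction to avoid rounding."""
    total = comb(lot_size, sample_size)
    good = lot_size - defective
    worst = min(max_failures, sample_size)
    # math.comb returns 0 when k exceeds the population, which handles the
    # cases where fewer than k bad (or good) units exist.
    return sum(
        Fraction(comb(defective, k) * comb(good, sample_size - k), total)
        for k in range(worst + 1)
    )


def p_detect(lot_size, defective, sample_size, max_failures):
    """Probability that the sample test fails (and so triggers the full
    test of every unit) when `defective` units are really bad."""
    return 1 - p_accept(lot_size, defective, sample_size, max_failures)


def min_sample_size(lot_size, defective, max_failures, confidence):
    """Smallest sample giving at least `confidence` probability of detecting
    a lot that contains `defective` bad backups. Returns None when no sample
    can (only possible when defective <= max_failures, since then the sample
    can never exceed the tolerated failures)."""
    for n in range(max_failures + 1, lot_size + 1):
        if p_detect(lot_size, defective, n, max_failures) >= confidence:
            return n
    return None


if __name__ == "__main__":
    # Constructed scenario: 100 backup units, sample 8, tolerate 1 failure
    # (the plan quoted in the answer); show how often it catches a given
    # number of bad units and what sample a 98% confidence target needs.
    N, n, c = 100, 8, 1
    for bad in (5, 10, 20, 30, 50):
        print(f"{bad:3d} bad of {N} -> detected with p = "
              f"{float(p_detect(N, bad, n, c)):.3f}")
    print("sample needed to catch 30 bad of 100 with 98% confidence:",
          min_sample_size(N, 30, c, Fraction(98, 100)))
```

The detection probability is what the "degree of confidence" in the answer refers to: it is always relative to an assumed number of bad units, so the plan should be sized for the smallest failure rate the organization is unwilling to miss.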
7. Records of testing backup copies: Which fields are mandatory?
Answer: ISO 27001 does not prescribe mandatory fields for backup records, but as good practice you can consider at least these fields: which information was requested to be backed up, the requester, the date of request, the date when the backup was performed, the result of the backup procedure (successful / fail) and where the backup was stored.
8. Records of log reviews: Which fields are mandatory?
Answer: Also for this one ISO 27001 does not prescribe mandatory fields for log reviews, but as good practice you can consider at least these fields: source of log information (e.g., access control server), purpose of the log (e.g. identify unauthorized access, attempts of unauthorized access), expected results (e.g., no login attempts during non-working hours), recorded results (success/fail logins), decisions taken (e.g., situation ok, open an incident, etc.).
Certification coverage
Answer:
The certification coverage will depend on the ISMS scope definition. If it is issued to corporate X, then we need to verify which locations (i.e., addresses) were included. If the address of any subsidiary or affiliated entity is included, then it is covered by the certificate (of course this entity will have to go through the whole certification process together with the main Corporate X).
Adopting a single certificate for all units or separate ones for each unit is a business decision, depending on their objectives and strategies, but in general organizations like these adopt the model of one certification for each unit, because a change in one unit does not impact the certification of other units.
Business Continuity Management Policy – sets a basic framework for the BCMS, determines the scope and responsibilities
Business Impact Analysis (BIA) questionnaires – analysis of qualitative and quantitative impacts on business, of necessary resources, etc.
Business Continuity Strategy – defines critical activities, interdependencies, recovery time objectives, strategy for managing and ensuring business continuity, strategy for recovering resources, strategy for individual critical activities
Business Continuity Plan – a detailed description of how to respond to disasters or other business disruptions, and how to recover all critical activities
Training and Awareness Plan – a detailed overview of how employees will be trained to execute planned tasks, and how they will be made aware of the importance of business continuity
Business Continuity Exercising and Testing Plan – describes how plans will be exercised and tested with the objective of identifying necessary corrective actions and improving the plan
BCMS Maintenance and Review Plan – a detailed overview of how plans and other BCMS documents should be maintained to ensure their functioning in the case of business disruption
Post-incident Review Form – a form used for reviewing effectiveness of plans after an incident
I need to add the following for BCMS but there are no descriptions included. Do you have them?
Document and record control, Procedure for Identification of Requirements, Internal audit management, Management of Procedure for corrective and preventive actions, Form for Management Review Minutes
Answer:
You may consider these descriptions:
- Document and record control: a procedure to ensure control over creation, approval, distribution, usage and updates of documents and records used in the Business Continuity Management System (BCMS).
- Procedure for Identification of Requirements: a procedure to define the process of identification of interested parties, as well as statutory, regulatory, contractual and other requirements related to business continuity, and responsibilities for their fulfillment.
- Internal audit management: a procedure to describe all audit related activities – writing the audit program, selecting an auditor, conducting individual audits and reporting.
- Management of Procedure for corrective and preventive actions: a procedure to describe all activities related to the initiation, implementation and keeping of records of corrections, as well as corrective and preventive actions.
- Form for Management Review Minutes: a form used to document the results of management review.
Corrective action and root cause
Answer:
I would consider a correction and a corrective action.
What is the NC? Lack of understanding of the standard. How can we eliminate the NC? Correction: Identify all functions and roles with lack of understanding of the standard and provide a training action, or a workshop, or any other way of removing that lack of understanding.
What is the cause of the NC?
For example (clause 1): That requirement was not included in the job description. Corrective action: Update the job descriptions where that requirement is missing.
For example (clause 2): People had training, but it was not effective.
Corrective action: Update training requirements to be able to remove bad trainers from future training opportunities.
Answer:
By life cycle, consider the consecutive and interconnected stages of a product (or service) system, from obtaining raw materials, or its production from natural resources, to the final disposal, like in the picture below.
An organization should think about the life cycle stages that can be controlled or influenced by the organization. For example, an organization in the furniture business can develop actions to minimize the possibility of using illegal timber cut down from protected forests, or an organization can take measures to inform customers about the correct ways of disposing of the product at the end of its life, like with toy batteries.
The life cycle perspective implies consideration of the material life cycle associated with the products and services and does not require a detailed evaluation.
The organization should evaluate and determine which stages of the life cycle it can control or influence, which can vary greatly depending on the context.
If you decide to integrate several sites into a single management system, this must be reflected in the scope of the QMS, that is, how many companies it includes and what the activities of each company are.
As for the coding, it should be shared, since it would be part of the same management system, the objective being the integration of the whole system. You may decide to keep the parent company's system or choose any other that better suits the organization's needs.
If not all sites provided the same services, there would be no problem, since there could be procedures that apply only to some of the sites and not to others. As for the process map, each site could develop its own, just like the staff organization chart, which could be independent for each site or shared for the group.
Internal audits could be carried out by establishing an audit program for each of the sites or, alternatively, one audit program for the company as a whole.
Answer: First it is important to note that the objective of ISO 27001 is to protect information, so the main question is to identify which information you want to protect. Where this information is, is a secondary question.
Considering that, if your scope is the information stored and processed in the datacenter, and the information used by WHMCS is not stored in, or processed by, the datacenter, then you do not have to ensure its confidentiality, integrity and availability. Please note that there is a difference between where a system is used (e.g., by WHMCS operators in the main office) and where the data used by the system are (e.g., in the datacenter, or another place different from the main office).
2. Since we do have to limit access to the assets in the datacenter, is it enough that we cannot access them physically (since they are in another physically protected location)?
Answer: You also have to consider the risks related to remote access (e.g., administrators remotely accessing services for maintenance, or users and systems remotely accessing the data). If an unauthorized user has remote access to servers or data he can do almost as much damage as if he had physical access to the assets.
3. You agreed on the fact that laptops do not "have to" be encrypted in case that the datacenter is the only location which is included. Does this mean that we also do not have to document these in the 'Inventory of assets'?
Answer: If no laptop is used inside the datacenter (e.g., some datacenter configurations rely on laptops as a central maintenance hub, so you do not have to access servers individually, and these may need to be taken off for maintenance or other purposes), and none of them has access to information inside the datacenter (by means of remote access as described in answer 2), then there is no need to include them in an 'Inventory of assets'.
4. We have the CTO, Technical Director and 2 Support Engineers who are doing the webhosting services. However the other two owners of the company besides the CTO do have access to some of the systems (just because they are the owners of the company). They do only have access to the WHMCS tool (which is being used for support tickets and sales), so they cannot take servers down or such. Is it relevant to keep these in mind if we are limiting our scope to the datacenter?
Answer: As mentioned in answer 1, if information handled by the WHMCS is inside the datacenter, then you have to consider these two owners when planning the security of your scope. For example, if their access to WHMCS is not read-only and their accounts are compromised, an attacker can use them to delete, or tamper with, sensitive data.
5. Customer data that is involved in sales and for business purposes (such as name, address, etc.), is this something that we have to keep in mind (as for controls A.13.2.1, A.13.2.2, A.13.2.3 as an example) if we are only including the datacenter in the scope?
Answer: Please consider where this information is stored or processed. If it is stored or processed in the datacenter then you have to consider them when planning the security of your scope.
6. (This last question is not directly related to the scope) Records of log reviews: In a webhosting company which is doing customer support on a daily basis, 8 hours per day minimum, this is not achievable; it would cause too much disruption to the business. We are reviewing logs for (nearly) each customer that has a problem.
Answer: First it is important to note that ISO 27001 does not prescribe how to perform log review, so you can perform it every time you have an entry, generating a review record for each entry, or you can define a verification period, when you verify all entries made during that period, generating only a single review record covering all entries reviewed. If this control is applicable to your organization, then you should consider if this second option can be implemented for your business. If this is not possible, maybe the cost of the control is higher than the impact if the risk occurs, and the organization should accept the related risks.
6. I'm aware that the scope is the primary document that I have to fill in, but the problem is that each expert that I talk to (I also speak with experts outside Advisera) are telling me something different, it is very hard for me as a student to sort this out in that case. I have to sort this out in the upcoming week, since there is a pre-audit on Friday.
Answer: Information is primarily built upon understanding of the organizational context and perceived risks, and since we and other experts do not have the same point of view, experience, and knowledge of your business, it is natural that divergences will arise. That's why it is important for the person responsible for the implementation to have some understanding of the basic concepts of information security (and for that we always suggest to users our ISO 27001 foundations course - https://advisera.com/training/iso-27001-foundations-course/), so this person can filter and adjust the answers provided by the experts considering his view of the business. This way, each time he interacts with the experts he can better guide them to provide answers that help him.
Reference documents
How can we estimate which documents are connected to the information security guideline? The ones I would guess (document about the scope; methodology for risk assessment and risk treatment; SoA; list of legal, official, contractual and other requirements etc.) are already named above.
Would you mind giving me some key documents we have to add (beside the already named ones); only for ISO 27001; ISO 22301 excluded. I got the feeling the comment (I talked about before) described it for ISO 27001 and ISO 22301.
Answer:
The best way is to ask the heads of each unit, and the key users of the processes, included in the ISMS scope. After you brief them on the purpose of the ISMS, and show them which documents you have already identified, they would be able to tell you if any necessary document that can be used to define requirements for information security is missing (most probably, all necessary documents will already be on your list of legal and other requirements).
Without knowing details of your ISMS scope, the established security objectives, and the list of documents you already have, we cannot provide insights on what you have to add without the risk of misleading you, but as an example, you may consider a methodology for project management (if there is one different from the one used for implementing the ISMS).
And you are right in the assumption that the comment applies both to ISO 27001 and ISO 22301.