
  • Developing documents


    Answer:

    ISO 27001 does not prescribe how documents should be developed, so you can choose the approach that best fits your needs.

    The main criteria to decide whether to merge documents or not are whether they have similar purposes and whether, by merging them, they would not become a document too big to understand and read. So, in this particular case, if your single document does not become too big to use and manage, it may be best to merge them, so you have one less document to manage in your ISMS.

    These articles will provide you further explanation about developing policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • Implementing BIA


    Answer: The Business Impact Analysis related to ISO 22301 focuses not only on IT aspects that may affect a business during a disruption, but on every organizational aspect that may impact the business (e.g., a disaster hitting most of the staff of a critical process, supplier failure, etc.). Considering that, you should fill in one questionnaire for each activity you consider critical to the business; after that you will have identified all IT services that are essential for those activities, and can proceed with proper treatment.

    2. Besides, I had tried to access https://www.iso27001standard.com/how-to-implement-business-impact-analysis-according-to-iso-22301-bs-25999 but failed.

    Answer: First of all, sorry for this inconvenience. Here is the right link:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    3. Would you mind sharing with me a sample filled-in version of the enclosed questionnaire for reference? Meanwhile, I have studied your “Becoming resilient – The definitive guide to ISO 22301 implementation” as well. P.123 Figure 10 mentions an example of a BIA Questionnaire – determining the Maximum Data Loss/RPO. This sample is quite suitable for what I am looking for. Can it fit into the enclosed questionnaire, or is there another, simpler version of the questionnaire?

    Answer: Unfortunately we do not have such detailed document samples to offer. But included in your toolkit you have access to a tutorial that can help you fill in your BIA, using real data as an example.

    Also, the blog post at the corrected link above has an example of how to fill in the BIA.
  • Mock recall exercises as a requirement

    We've received another question:

    > Clause 8.6 reads, “…documented information shall include evidence of conformity with acceptance criteria”. We have several items (width, length, outer diameter, flatness, visuals) that are inspected at one point in our operation. These items have defined specifications; however, the results of the checks are not recorded anywhere. Operations says the record is the ‘G’ grade in the system. I am interpreting that clause (and in consultation to my well-worn ISO 9001:2015 in Plain English) to mean we have to record evidence of both the check and its associated result. What are your thoughts?

    Answer:
    If your acceptance criteria are a variable, then the associated results should be recorded as evidence. If your acceptance criteria are an attribute, then the result is OK or NOK. I have another issue to mention here: your organization inspects 5 items; imagine that 4 are OK and one is NOK. What is the final decision: is the product as a whole OK or NOK? As an auditor I find that some organizations leave cases like this in limbo. That is not acceptable; there should be a clear final decision about the conformity or non-conformity of the product.

    The following material will provide you information about quality control:
    - ISO 9001 – ISO 9001: Requirements for the release of the product or service - https://advisera.com/9001academy/blog/2017/03/28/iso-9001-requirements-for-the-release-of-the-product-or-service/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - free course - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
  • Sharing information


    Answer:

    Common documents required by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be asked for depending upon what customers need.

    To share such documents (some of them may have sensitive information about your organization), you first should evaluate if the risks are worth it (e.g., the audit report has very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable, then you should sign a Non-Disclosure Agreement with these customers to formalize the required conditions for protection of this information.
  • Questions about toolkit documents


    Answer: Special interest groups covered by A.6.1.4 refer to manufacturers, specialized forums, professional associations and other groups that can help you with information security issues, while a Data Protection Authority is more related to A.6.1.4 Contact with authorities. So, to fulfill the GDPR regarding the Data Protection Authority, control A.6.1.4 would be more appropriate.

    For further information see:
    - Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    2. Is it okay to write the same name in "Author" and "Approved by" in the Document Control Table at the start of the document?

    Answer: For small companies the author and the approver of a document may be the same person, but normally these roles are performed by different persons, so the approver can verify that the document was properly written and does not raise unacceptable risks.

    For further information see:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

    3. A.9.2.5 Review of user access rights Records: ISO 27001 probably does not describe which records must be included. Is it okay to have 4 fields: Name of system / network / service / physical area & Type & Date & Results, with the following record as an example:
    Datacenter & Physical area & 24 April 2019 & Only the appropriate personnel have access rights.

    Answer: To be effective, an access review record must contain at least this information: the asset (system / network / service / physical area, etc.), the asset owner, the list of people who can have access to the asset, the activities they are authorized to perform (as defined by the asset owner), the actual activities these people can perform, any decision made regarding discrepancies found, and the date the review was performed. Of course you can include more information, but these are the minimum to ensure the review process was properly performed.

    4. Let us say that Control A and Control B both have an unacceptable risk, but this unacceptable risk is already reduced to acceptable by Control A. Does this mean that Control B does not have any unacceptable risks (anymore)?

    Answer: Your understanding is correct (if the risk is reduced to acceptable level only by implementing one control (A or B), there is no need to implement the other), but you have to think in terms of risks that may be treated by several controls, not controls that have risks in common.

    5. If the unacceptable risks for a particular control are being transferred to a third party, what do we write for this control in the "Implementation method" if we do not have enough information about how they have implemented this control?

    Answer: In the implementation method column you can either write a brief description of how the control is being implemented by the third party or refer to a document which contains this information (e.g., a service agreement or a contract). It is important to understand that you have to have minimal information about how the third party implements the control, because otherwise you cannot manage the risk.

    6. Do values after treatment have to be filled in, in the case of risk treatment options other than "1. Selection of controls"?

    Answer: For any risk option selected for risk treatment you have to fill in the values after treatment, because these are used to define residual risk.

    By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment and Risk Treatment tables, using real data as examples.

    For further information about residual risks see:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • Documentation and audit


    Answer: For certification purposes, you should wait until all mandatory policies and procedures have been implemented, and at least a couple of mandatory records have been generated, so you can have enough evidence to verify that the ISMS is properly implemented and working. The precise time frame will depend on the duration of the cycles of the processes included in the ISMS scope.

    2. I have documented the policy. Am I eligible to perform the internal audit? I am pursuing my MBA in information security.

    Answer: The main criteria to perform an internal audit are competence, by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previously performed audits), and impartiality (an auditor cannot audit his own work). Considering that, if you can demonstrate that you have the necessary competence, and you do not audit your own work, you can perform the internal audit.

    This article will provide further information:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    3. Do I need to document the Access control policy separately from the ISMS policy (A.9.1.1), or do I just need to mention it in the ISMS itself? What are the mandatory operating procedures apart from incident management and change management?

    Answer: Although ISO 27001 allows merging documents, the ISMS Policy is a high-level document (to be used for the whole organization), while the remaining policies, like the Access Control Policy, are considered operational policies (to be used by specific areas or processes), so we do not recommend merging them into a single document, because this document would become unnecessarily big and difficult to read and manage.

    The same applies to procedures which have different purposes (if they would become too big, they should be created as separate documents).

    These articles will provide you further explanation about developing policies:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
  • Certification body


    Answer:

    The main certification bodies for ISO 27001 are:
    - BSI: https://www.bsigroup.com
    - Bureau Veritas: https://www.dnvgl.com/
    - DNV: https://www.dnvgl.com/services?ServiceTypes=136423
    - SGS: www.sgs.com/
    - TUV: www.tuv.com

    You can also find a proper certification body from this link: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    You can use this link to enter your profile, and we will find the certification body that best fits your needs.
    Regarding QAS, it is our policy not to issue opinions about specific organizations.

    This article will provide you further explanation about selecting a certification body:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Subcontractor evaluation, selection or termination


    Answer:
    There is no universal formal process for dealing with subcontractor evaluation, selection or termination. Each organization has to design its own process, as long as it is useful and effective.
    I like to start my conversation with organizations with this drawing:

    https://www.screencast.com/t/Xt6WwsUsLQ1I

    Can your organization work with all subcontractors? Does your organization have some basic requirements? For example, subcontractors must:
    - Be ISO 9001 certified;
    - Have certain kinds of machines;
    - Have certain kinds of experienced workers;
    - Have a production capacity above a certain level.

    After that evaluation, subcontractors that passed belong to a pool of approved subcontractors.

    When your organization has a specific order that must be fulfilled, it checks the pool of approved subcontractors and requests quotations from two or three. As approved subcontractors, they have enough quality. Now, what is relevant is knowing who has the best price, who is available, and who can deliver on time.

    Subcontractors have worked for your organization. It is important, from time to time, to evaluate actual performance: to check if the initial evaluation was a good predictor of performance, to find out if any of the subcontractors should invest more in improving performance, and to find out if any of the subcontractors, due to bad performance, is really not a good partner for your organization.

    The following material will provide you information about treating subcontractors:
    - ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Free course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Writing an EMS Manual


    Answer:
    ISO 14001:2015 does not require an EMS manual. So, this is great news: you are free to design the content of your EMS manual. I like to consider an EMS Manual as a kind of ID card: Who are we? What do we do? How do we interact with the environment? What are our environmental priorities? How do we work in our EMS? What is the scope of our EMS?

    The following material will provide you information about an EMS Manual:
    - ISO 14001 – What is an environmental management system manual? - https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • GDPR compliance


    Answer:

    The EU GDPR is the most complex piece of regulation to date and one of the few that have extraterritorial reach. The requirements for both controllers and processors go beyond other pieces of legislation across the world. Also, the fines, which can go up to 4% of a company's turnover, are among the heftiest out there.

    2. Others you are familiar with that are tough?

    Answer:

    The only one that I can think of, because it is similar to the GDPR, is the California Consumer Privacy Act (CCPA) – a first-of-its-kind US law – passed in California in 2018, which takes effect January 1, 2020.

    3. Any multi-country comparison doc or docs on the web you have come across?

    Answer:

    We have run a comparison between the GDPR and the German Bundesdatenschutzgesetz: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-vs-german-bundesdatenschutzgesetz-similarities-and-differences/

    You can find all sorts of interesting articles in our Knowledgebase (https://advisera.com/eugdpracademy/knowledgebase/).