
  • Implementing ISO 27001 for outsourced SOC services


    I would like to know the following:

    1. What is the best practice (from ISO 27001 and Governance perspective) for ownership of processes. Should these be under the SOC team, Corporate IT or other role?

    Answer: In this case there is no definitive answer on how to implement an ISO 27001 ISMS, because depending on the organizational context, legal requirements and business objectives, one approach can be better than the other.

    The ownership of processes should be designated to the entity in the organization with the authority to make and enforce the changes and adjustments required to achieve the proper level of security. In some organizations the SOC team has this level of authority, but in others this authority remains with the head of the IT department or even with the main executive (in small organizations).

    For further information, please read:
    - Should information security focus on asset protection, compliance, or corporate governance? https://advisera.com/27001academy/blog/2017/03/13/information-security-focus-asset-protection-compliance-corporate-governance/

    2. Traditionally the SOC team has done whatever they want and purchased assets (systems, applications, etc.). What is the recommendation for ownership of assets? Should this be under the SOC team, Corporate IT or other role?
    Answer: About ownership of assets, it should be designated to roles that can be made accountable for the protection of the asset. Since this is a more operational issue, you can consider the SOC team as responsible for the assets.
    For further information, please read:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    3. Since the scope is the services provided by the SOC, how should the ISO 27001 documents be handled? Should they be written in the context of applying controls on the systems used by the SOC or in the context of systems the SOC supports for the customers?

    Answer: The best approach would be integrating controls into existing documentation, since this way security will be perceived as part of the process, and it will be easier to understand and use.
    For further information, please read:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Incident and Recovery Plan

    Many thanks, now everything is clear :-)
  • Reviewing documentation


    Answer:
    Only if your organization makes any changes. Please check the meaning of “review” in ISO 9000:2015, definition 3.11.2. The review is not necessarily about changes but also about evaluating the suitability, adequacy or effectiveness.

    2. How many NC category-1 are allowed in ISO audit to avoid reaudit or audit failure?

    Answer:
    Organizations should avoid major nonconformities during audits. Normally, major nonconformities during certification audits can imply a re-audit. Sometimes, if an organization can show evidence that the major nonconformity was corrected, and that an acceptable corrective action was implemented and effective, a re-audit can be avoided.

    The following material will provide you information about audits:
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment for ISO 22301


    Answer:

    Risk assessment for BCM must identify risks that can cause disruption of business operations and services, so together with Business Impact analysis you can more easily identify which risks to business you have to handle.

    Considering you already have a function responsible for risk management and risk data, you should verify if the existing Risk Register can help you.

    If at this moment the Risk Register cannot help you, then you should talk to the person responsible for risk management about ISO 22301 requirements and ask them for support to perform a risk assessment for the BCM. Since ISO 22301 does not prescribe any approach to perform risk management, you can adopt the current approach without compromising ISO 22301 requirements.
    This article will provide you further explanation about risk management for business continuity:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    This material will also help you regarding risk management for business continuity:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Drawing control


    Answer:
    Yes, drawings that describe parts to be manufactured are very important specifications used for production and control. Also, due to design changes, after-sales services normally have to use several different versions of drawings simultaneously, because different customers bought different versions of the same product.

    The following material will provide you information about documentation:
    - Although it is not about ISO 9001 this article seems useful - Understanding configuration management in AS9100 Rev D - https://advisera.com/9100academy/blog/2017/05/08/understanding-configuration-management-in-as9100-rev-d/
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Integrating management systems


    Answer:
    You can compare management systems standards and realize that they have a common structure with a lot of similar clauses. When I implement integrated management systems, I describe the organization as a set of processes that deliver the purpose, the mission of the organization. Then, after an initial environmental assessment, for example, I determine what processes or activities must be improved or standardized in order to eliminate or minimize significant environmental impacts. That translates into making changes in some of the processes. Concerning top management, the policy, objectives, context, interested parties and part of the risks are common.

    The following materials will provide you more information about integrating management systems:
    - Article - How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/knowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Free webinar on demand – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Mandatory procedures and content


    Answer:
    No. ISO 9001:2015 has no requirement for mandatory procedures.

    2. For instance, we have documented that we conduct internal audits as per the audit schedule and notification of Internal Audits shall be given to the relevant parties with defined audit scope, identification of Auditor/s. Apart from this much information documented in our procedure, do we require to document each and every step on how the internal audits are carried out and what will be the timelines to complete corrective actions and etc.?

    Answer:
    No. Your organization has all the freedom to define which procedures are needed and what degree of content they should include.

    3. My main focus is: do we need to document the steps that we follow to carry out any particular activity such as the activity mentioned in the example mentioned above?

    Answer:
    No. For example, in many procedures in different organizations, I just use flowcharts instead of written text.

    The following material will provide you information about documentation:
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Clause 4.4.2 and processes


    Answer:
    Clause 4.4.2 a) is about all processes included in the quality management system. Remember that ISO 9001:2015 gives a lot of freedom about considering procedures as necessary or not.

    The following material will provide you information about certification:
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Documentation content

    I couldn't think of a vulnerability, so I assume I should not document this?

    Answer: In your example you have to document the risk because probably it is nearly impossible because of all controls you already have implemented (e.g., badge, security procedures, and authentication methods). These implemented controls should be included in the last column of the Risk Assessment Table.

    Included in your toolkit you have access to a video tutorial that can provide you guidance on how to fill in the Risk Assessment Table, using real data as examples.

    2. Regarding the tab 'Asset owner' and 'Risk owner' which is important in several documents: Let us take laptops as an example, each employee has received a laptop from the company but the legal owner of this laptop is the organization. Who shall I put as Asset Owner and Risk Owner? Asset Owner: CTO/Employer, Risk Owner: CTO/Employer?

    Answer: For ISO 27001, the asset owner is the person who is responsible for the asset, to ensure it is properly protected, not its legal owner. The risk owner is the person accountable for managing the risk, i.e., to reduce it to acceptable levels. In your example the asset owner can be the employee responsible for the laptop, while the risk owner can be the CTO.

    3. Control A.12.1.3 Capacity Management, I'm trying to think of a possible risk but I wouldn't know what kind of information security risks there could be. I know that the budget for (potential) IT assets is a part of this control, but as for the rest it's not very clear to me. Could you possibly give me some more information about Capacity Management or at least about possible risks which are related to IT Security?

    Answer: Capacity management is related to planning resources to fulfill demand when required, ensuring agreed service levels, so risks related to capacity management are mostly related to information not being available when needed, e.g., due to faulty equipment which has no redundancy, demands above implemented resources (e.g., during Denial of Service - DoS - attacks), technology obsolescence, etc.

    For further information see:
    - Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/
  • Providing SoA to customers


    Answer:

    In fact customers can ask for your Statement of Applicability to have an overview of your information security posture and approach, but since it contains sensitive information about how you protect information, I'd recommend using some cost-benefit method or criteria to identify whether providing this document would be worthwhile, considering the risks to the business regarding the confidentiality of the information provided, and the value of this customer to your business. In case you decide to provide the Statement of Applicability, you should ask the customer to sign a non-disclosure agreement (NDA) before you send such confidential information.