
  • Toolkit content


    1. Information Security Policy: Can we summarize a couple of aspects in the concepts of Annex A, such as Organization, HR Security, Asset Management, Access Control, Cryptography, ...

    Answer: The Information Security Policy is a top level document, created before the identification of controls, so we do not recommend such a summary because:
    - It will make the document overly complex and difficult to understand
    - There is a risk of rework, if after the risk assessment you identify that there are no relevant risks that can justify the text included in the Information Security Policy like you are proposing

    For further information please read:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

    2. Inventory of assets: Description of asset: What do we have to write here? Are we supposed to write what this asset is being used for?

    Answer: If ISO 27001 control A.8.1.1 (Inventory of assets) is applicable to your organization you should consider at least the name of the asset, its owner and its classification level. Of course you can add more information to fulfill additional needs from other requirements you have, or you understand it will help you manage the ISMS (e.g., what the asset is being used for).

    This article will provide you further explanation about Inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    3. Inventory of assets: Impact: Which impact do we have to list here in case there are more risks which are related to the specific asset?

    Answer: You have to consider the highest impact identified among the list of risks related to a specific asset.
    For further information, please read:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    4. Risk Treatment Table: What if there is more than one control which could be bound to a specific risk? Let us say: losing your work laptop is the risk, controls: regarding Mobile Device & Teleworking (A.6) and Business Continuity (A.17), so there is more than one option.

    Answer: ISO 27001 does not prescribe how many controls you need to adopt to treat a risk, so you can adopt as many controls as you see necessary to reduce risks to acceptable levels in a cost effective way.
    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    5. We must be certified by June, is there any advice that you could give me on how to get this sorted out as soon as possible?

    Answer: Without details about your context (e.g., company size, ISMS scope, business objectives, etc.) it is not possible to provide detailed guidance, but in general you should work to maintain top management commitment on the project (to prioritize tasks and resources), and keep controls and documents as simple as possible (you should worry about refinements at a later stage).

    By the way, included in your toolkit you have access to several tutorials that can help you with tasks like filling the risk assessment and risk treatment tables, developing the information security policy, etc.
  • Policy for sharing files externally


    Answer:

    ISO 27001 controls which can be related to protecting file exchange, including exchanges with external parties, belong to section A.13.2 Information transfer, and the following templates from the ISO 27001 toolkit cover these controls:

    - Bring Your Own Device (BYOD) Policy, covering control A.13.2.1, located on folder 08 Annex A Security Controls ==A.6 Organization of Information Security
    - Confidentiality Statement, covering control A.13.2.4, located on folder 08 Annex A Security Controls ==A.7 Human Resource Security
    - IT Security Policy, covering control A.13.2.3, located on folder 08 Annex A Security Controls ==A.8 Asset Management
    - Information Classification Policy, covering control A.13.2.3, located on folder 08 Annex A Security Controls ==A.8 Asset Management
    - Security Procedures for IT Department, covering control A.13.2.1 and A.13.2.2, located on folder 08 Annex A Security Controls ==A.12 Operations Security
    - Information Transfer Policy, covering control A.13.2.1 and A.13.2.2, located on folder 08 Annex A Security Controls ==A.13 Communications Security
  • Training records


    Answer:
    There is no specific requirement for training records; however, the clause that refers to this question is 7.2 Competence.
    We suggest that there should be a responsible person who is in charge of managing all training records and doing a competency check for an employee according to the attended training.
    For more information please read the following article:

    - How to ensure the competence of your employees according to IATF 16949: https://advisera.com/16949academy/blog/2017/10/04/how-to-ensure-competence-of-your-employees-according-to-iatf-16949/
  • Management review - how long?


    Answer: I do not know the size of your organization, but at least half a day seems to be the minimum time to perform an acceptable management review. If attendees study the documentation in advance, the management review time can be focused on the discussion of topics and on making conclusions and decisions.

    The following material will provide you information about management review:
    - How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
    - How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Auditing the Plant Manager


    Answer:
    I would concentrate on the interactions of the Plant with the environment:

    What are the significant environmental impacts?
    What is planned to control or improve those impacts?
    Are those action plans being followed?
    Are those action plans being effective?
    Are procedures and/or practices being followed?
    Are potential emergency situations being prevented? Are there procedures for responding to those emergency situations? Were those procedures tested?
    Is environmental performance improving?

    The following material will provide you information about the assessment of environmental interactions:
    - Defining and implementing operational control in ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
    - Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - Free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Scope of clauses

    Of course these clauses are not requirements, but they are still clauses which need accurate information such as the operation's address, provisions/exclusions and the scope of the standard.

    Answer:
    These clauses are not subject to audit. If you check the templates that certification bodies use to report an overview of the audit, with the number of observations and non-conformities per clause, you will see that clauses 1 to 3 are not included.

    The following material will provide you information about ISO 9001:2015:
    - Article - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Mandatory policies for ISO 27001


    Answer:

    Regarding the main clauses of ISO 27001, only the Information Security Policy is required (to fulfill clause 5.2). Regarding Annex A controls, you must consider these policies as mandatory if there are risks which would require their implementation (i.e., controls related to these policies are stated as applicable on the Statement of Applicability):
    - Access control policy (if clause A.9.1.1 is applicable on SoA)
    - Supplier security policy (if clause A.15.1.1 is applicable on SoA)

    The document "11.A. 16_Data_Breach_Response_and_Notification_Procedure_Integrated_EN" is in fact a procedure (its ISO 27001 equivalent is the Incident Management Procedure). It is important to note that in the context of ISO 27001 the division between policies and procedures is not very important.
  • Risk control and risk mitigation


    Answer:

    These are two terms with the same meaning, referring to the decision about how to treat a risk, and the most common options are:
    - Decrease the risk
    - Avoid the risk
    - Share the risk
    - Retain the risk

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding risk treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Toolkit updates


    Answer:

    For current customers, within 12 months of purchase, together with any upgraded documents we send information about what was changed and what should be considered when updating your own documents.
  • ISO 27001 clause 6.1.2.c.1

    6.1.2 The organization shall define and apply an information risk assessment process that: c) identifies the information security risks
    1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for Information within the scope of the information security management system

    This is the only clause in ISO 27001 which I absolutely do not understand. Could you be so kind and give me a hint or explanation in 'human English' 😄. My problem is that, for internal auditing purposes, I want to draft some 'audit questions' with reference to this clause, but as I do not understand that 'beyond human imagination English of the ISO guys' I don't manage to formulate the right audit question(s) with reference to subclause 6.1.2.c.1.

    Answer:

    Translating this clause to plain English, what you should question is:
    1 - were information security risks identified?; and
    2 - are the identified information security risks related to the information your organization wants to protect?

    For example:
    - if you do not find a Risk Assessment Table, or similar document, then you would have a non-compliance here, since there is no evidence that risks related to the ISMS scope were identified.
    - if you find a Risk Assessment Table with risks related to a software development process, and your ISMS scope is about your Customer Management process, then you would have a non-compliance here, since the identified risks are not related to the defined ISMS.

    By the way, included in your toolkit there is an Internal Audit Checklist where you can find questions which cover clause 6.1.2.

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/