Thank you so much for your response, it was really helpful.
Certification ISO 27001
Answer:
ISO 27000 and ISO 27002 aren't certifiable standards, they are support standards to implement ISO 27001, so you only need to fulfill requirements of ISO 27001 to certify an ISMS.
In fact you do not need 10 questions for top management regarding information security, because they do not need to have deep knowledge of information security to properly support it. These are the main questions you should consider asking them:
- Which benefits do you understand information security management brings to your company?
- How do information security objectives support business objectives?
- By which means do you support information security practices in your company?
Of course you can expand these questions to fulfill your needs (e.g., specific questions about communicating the information security policy and the realization of management review).
Included in your toolkit there is an "IT Security Policy" template, located in folder 08 Annex A ==A.8 Asset management, that defines clear rules for the use of the information system and other information assets.
SWOT, context, interested parties and risks
Answer:
So, you want to link:
* internal context;
* external context;
* interested parties and their needs and expectations;
* SWOT analysis;
* risk analysis.
I would start with your SWOT analysis and do a “retro-engineering” exercise:
Your Strengths and Weaknesses are internal issues with positive and negative connotations.
Your Opportunities and Threats are external issues with positive and negative connotations.
Not all those issues have the same weight or the same impact for your organization. Use the needs and expectations of interested parties to evaluate which issues are more relevant.
Then, pick those relevant positive issues (internal or external) and see if you can find relevant opportunities to evaluate and act upon.
Then, pick those relevant negative issues (internal or external) and see if you can find relevant risks to evaluate and act upon.
Answer:
Strictly speaking, clause 6.1.3, determination of legal requirements and other requirements, talks about having a process to determine what laws and other requirements apply to your OHSMS, how they apply, and what you need to do about them. This section does not necessarily link to the previous clauses about risks and opportunities. They are only together in clause 6.1, actions to address risks and opportunities, because the final sub-clause 6.1.4, planning action, applies to everything in the clause (hazards, risks, opportunities and legal requirements). Plans need to be made for all four of these things which have been determined.
That being said, it is possible that legal requirements could result in risks and opportunities. For instance, if you found out that a legal requirement was changing that would make a chemical that was critical to your operations impossible to use, this could be a risk or opportunity for your company. If the easy replacement chemical is more hazardous to use, this is a risk for your organization. Likewise, finding a less hazardous chemical to use would be an opportunity to improve your OH&S performance, and this opportunity may only have come around due to the change in legal requirements.
For a better understanding of all the ISO 45001:2018 requirements, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
Scope of ISO 27001 and ISO 9001
Answer:
This article, How to define the ISMS scope - https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/, starts with this: “The main purpose of setting the ISMS (information security management system) scope is to define which information you intend to protect. Therefore, it doesn’t matter whether this information is stored within your company offices, or somewhere in the cloud; it doesn’t matter whether this information is accessed from your local network, or through remote access. The point is that you will be responsible for protecting this information no matter where, how, and by whom this information is accessed.”
So, if you only intend to protect the information around the scope of your QMS (quality management system) you could use the same scope.
Answer:
ISO 20000, unlike ISO 27001, does not have defined (explicit) security controls like Annex A in ISO 27001. However, there is an Information Security Management process in ISO 20000, and that process requires that a risk assessment be performed and that controls be determined, implemented and operated. But it doesn't define any particular controls; instead, it refers to ISO 27001 for further details.
Meaning, if you have ISO 27001 in place, you can use controls applied in scope of the implementation.
The date of the audit report can be after the final date of the audit process, but you should not take too long to deliver the report, because there is the risk the scenario changes and the results of the audit cannot be used to correct or improve the audited process (in your example the time difference is one month, and normally it should not take more than 5 days).
Answer:
In ISO 9001:2015 you can find mention to complaints in clauses 8.2.1 c); 9.1.2 (in a note) and 10.2.1. There is no reference to a mandatory procedure, but an organization with a quality management system:
- must plan how to communicate with customers when handling complaints;
- can include complaints as an input to the customer satisfaction assessment methodology; and
- should evaluate the need for corrective action after receiving a complaint.