>Just to mention the team is not part of the scope, as a reply to the answer.
Answer: In this case the auditor has no previous authorization to audit this provider. He must justify his intention and the organization can decide to authorize or not the audit at its own discretion, but his most probable action is to check how you are managing the relationship with this service provider, i.e., how you can assure that this service provider is fulfilling your security requirements.
Answer:
As with any management system standard, the requirement to implement AS9100 Rev D comes down to your customer requirements. If your customer does not require that you implement AS9100, even if you are an aerospace company, then the choice of whether to implement this standard is up to you. I do not know of a percentage of businesses that this would apply to, as you have suggested, but in reality everything comes down to the requirements of the customer, and barring that, the desire of the company to use this standard to their benefit.
For more information on the benefits of AS9100 Rev D, see this article: 7 Key benefits of AS9100 implementation, https://advisera.com/9100academy/knowledgebase/7-key-benefits-of-as9100-implementation/
Regarding specific roles and responsibilities for information security, they are defined through all documents used in the ISMS implementation.
Regarding the Risk Treatment Plan, the responsibilities are defined in the column "Responsible person". From the information you provided, it seems you are referring to the Risk Treatment Table, which is a different document.
First of all, you have to perform a risk assessment to identify which risks related to BYOD practice you have to treat, and which legal requirements (e.g. clauses of contracts, laws or regulations) you have to fulfill. After that you have to identify proper controls to be implemented. In general, to secure BYOD practices you have to consider the following controls:
- A.6.2.1 Mobile device policy
- A.6.2.2 Teleworking
- A.13.2.1 Information transfer policies and procedures
- A.13.2.3 Electronic messaging
The definition of general roles and responsibilities for information security is made on the Information Security Policy template, which you can find at folder 04 Information Security Policy of your ISO 27001 Documentation Toolkit.
Regarding specific roles and responsibilities for information security, they are defined through all documents in the toolkit. If you note, every time an activity is defined, the definition of a “Job Title” or person to perform that activity is also required.
You can, but you may find yourself in a potential conflict of interest: as CISO you are in charge of keeping data assets safe, and while doing that you will need to take some measures that may be intrusive. On the other hand, as DPO you will need to ensure that those measures are not infringing the rights and freedoms of the data subjects.
Actions arising from risk identification
Answer:
There is no specific name for these actions; they are usually called actions to address risks and opportunities.
Among the actions taken, the organization can decide between several options:
- Avoid risks
- Accept risks
- Eliminate the source of risk, for example by changing processes, raw materials, etc.
- Change the likelihood of the risk occurring or its consequences
- Share the risk, for example with suppliers
- Retain the risk by accepting it, since eliminating or mitigating it does not pay off for the organization.
An organization must decide how to develop processes to make sure that operational control of its environmental aspects is achieved. Among these controls could be included:
- building processes to get consistent outcomes
- analysing the life cycle of a product when putting controls in place
- using technology to ensure results
- ensuring employees are properly trained
- performing processes in a certain way
- monitoring and measuring of results
It is crucial that the organization also considers which parts of its operational control process need to be recorded as documented information. Controls can include engineering procedures and procedures.
You can create a procedure to ensure control over the creation, approval, distribution, usage and updates of documented information (documents and records) used in your Quality Management System. Here is an example of a procedure; you can download a free preview of it - Procedure for Document and Record Control: https://advisera.com/9001academy/documentation/procedure-document-record-control/
Answer: First, it is important to understand that for ISO 27001 a "need" is based on the results of the risk assessment. Considering that, you only have to physically separate your scope if there are unacceptable risks related to keeping a single environment.
2. Our staff always have meetings and they always need to sit and discuss and collaborate on certain tasks and projects that happen between different departments. Shutting down the entrances and closing all the doors between the departments and limiting access will hinder the workflow and coherence of the company. Is there another way about that? Or is the policy very clear and very strict in terms of physical isolation of the departments that are in the scope from the rest of the company? In case it was very strict and isolation measures need to be implemented, would magnetic see-through doors with swipe cards to isolate the departments that are in scope from those outside the scope be sufficient? I found this article on your website: https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
Answer: The same previous answer applies here; you only need to limit access to the scope if there are unacceptable risks that must be treated. In case you indeed have to limit access, you can use the alternative you mentioned (i.e., swipe cards) if it does lead to unacceptable risks.
3. But I would greatly appreciate it if there are more detailed articles about physical security that you might be able to share with me, especially for organizations that are only certifying part of their services.