
  • Application of control A.17.2.1


    Answer:

    Reference to the Recovery strategy for IT infrastructure in the Statement of Applicability is needed only for companies that want to be compliant with ISO 22301 together with ISO 27001. If you are going for ISO 27001 only, we do not recommend that you do the Recovery strategy for IT infrastructure because it will complicate the whole process - instead, for the control A.17.2.1 we recommend that you refer to the Disaster Recovery Plan - you can find it in your toolkit in the folder 08 Annex A - A.17 Business continuity.

    If you decide to go for Recovery strategy for IT infrastructure, you can find the template here: https://advisera.com/27001academy/documentation/business-continuity-strategy/
  • Risk management


    Answer: Risk management means policies, procedures, and practices for identifying, analyzing, evaluating, and treating risks, and this can be done through different approaches (e.g., ISO 27005 - a supporting standard for ISO 27001, ISO 31000, NIST Cyber Security Framework, etc.). Considering that, you should evaluate the approaches used in what you call usual Risk management and third party risk management to see if they are in fact different.

    For example, if usual Risk management is based on ISO 27005 and third party risk management is based on ISO 31000, then they are very similar. On the other hand, if usual Risk management is based on ISO 27005 and third party risk management is based on NIST CSF, they have considerable differences.

    These articles will provide you more information:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
    - Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/

    2 - And how about taking a job in Risk management versus taking a job as an IT auditor, when you have these two offers in hand - which one do you think I should go with, as per your advice?

    About me -- I have 4 years of experience in ITGC and SOX implementation and monitoring. Currently looking for better opportunities which would help me explore the cyber security domain.

    Answer: Your choice will depend on your professional objectives. If you want to work on establishing a secure environment, you should consider the risk management offer. On the other hand, if you want to work on ensuring that implemented controls are properly implemented and bringing the expected results, then you should consider the IT auditor offer. Your background allows you to choose either way.

    This article will provide you further explanation about becoming an auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    This material will also help you regarding becoming an auditor:
    - ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001 in software development


    Answer:

    First it is important to note that ISO 27001 requirements and controls are not intended for products, but for the processes involved in their development. Considering that, you can apply ISO 27001 to your software development and maintenance processes, in the following way:
    - Identification of security requirements and specifications your software must fulfill
    - Definition of general and specific rules for secure software development and testing
    - Change control
    - Proper use of outsourced development
    - Protection of testing data

    These materials will provide you further explanation about securing software development:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • List of Legal, Regulatory, Contractual and Other Requirements


    Answer:

    The "List of Legal, Regulatory, Contractual and Other Requirements" template is a form where you can fill in the legal, regulatory, contractual and other requirements that are relevant to your ISMS, so it does not contain any information about specific requirements.

    In the following article you can find a list of some laws and regulations required in the United Kingdom:
    - Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

    Unfortunately, this list is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations related to the United Kingdom are listed (most of the mentioned ones are not sector-related, and those which are sector-related cover the electronics and communication sectors). To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.
  • ISO 20000:2011 -> ISO 20000:2018 transition


    Answer:
    First of all, the investment made in ISO 20000 (according to the 2011 revision of the standard) is not wasted effort. Many elements are "recyclable". There are some parts that are simplified, but there are also some new requirements.
    The new revision follows the High Level Structure (HLS), so if you have any other management system in place, it will be very usable in the ISO 20000 transition.
    Documentation requirements are fewer than in the 2011 revision. But most of the documents can be reused although not directly required (e.g. Capacity Plan - it's not required to document it, but you need to plan it).
    A few new requirements (e.g. Context of the organization or Knowledge Management) will need to be addressed, but experience with other management systems helps.
    Process requirements - many of them are simplified. That leaves more space for implementation according to your own organizational setup (or, as some see it, lowering bureaucracy).
    Note that there are some items that are renamed, like CMDB - the focus is on Configuration information.
    You will also need to split some processes, like Incident and Service Request Management.

    So, yes, there are changes, but nothing that is invincible.
  • ISO 13485 for small companies


    Answer:

    The Standard is applicable to any company dealing with medical devices. It does not take into account the size of the organization. In the case of smaller companies, it is very common for the founder and director to assume many roles in the QMS, such as Management Representative and process owner. Since your company is dealing with Medical Image management, there might be some clauses that are not applicable to your case, making it simpler for you to adopt the ISO.

    For more information, please refer to:

    Diagram of ISO 13485:2016 Implementation Process
    https://info.advisera.com/13485academy/free-download/diagram-of-iso-134852016-implementation-process

    List of mandatory documents required by ISO 13485:2016
    https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/
  • Design and development topics


    Answer:
    I like to see design and development as a journey. https://www.screencast.com/t/reXnDk1dzHK

    At the beginning of that journey, at step 1, your organization collects all the requirements that a new product or service must comply with. These requirements can be performance specifications; compliance specifications; timing specifications; production or provision constraints, …

    During step 3 your organization creates the product or service prototype, or the first samples. With that prototype or samples, a verification is made by comparing actual performance with all the constraints and performance established as inputs at step 4.

    At step 5 the product or service is tested by the customer to validate its performance in real life conditions.

    Remember that in the end, your organization should have:

    Product or service specifications;
    Production process or service provision specifications and instructions;
    Purchasing specifications; and
    Documented information specifications.

    The following material will provide you with more information about design and development:
    - How to deal with design and development changes in the technology sector using ISO 9001 - https://advisera.com/9001academy/blog/2017/02/28/how-to-deal-with-design-and-development-changes-in-the-technology-sector-using-iso-9001/
    - Specific use of ISO 9001 design and development in the machining process - https://advisera.com/9001academy/blog/2017/03/14/specific-use-of-iso-9001-design-and-development-in-the-machining-process/
    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - About records required by ISO 9001 about design and development consider - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - About conducting design and development reviews consider - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Change of data processor/GDPR compliance


    Answer:

    This depends on whether you are a controller or a processor. If you are a processor and want to change one of your sub-processors, you will need to at least notify the respective data controllers about the change. If you are a controller, you don't need to inform the data subjects about such a change.

    If you want to find out more about the EU GDPR check out our EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Planning information security continuity


    Answer:

    We're sorry about this confusion - reference to the Business Impact Analysis (BIA) in the Statement of Applicability is needed only for companies that want to be compliant with ISO 22301 together with ISO 27001. If you are going for ISO 27001 only, we do not recommend that you do the BIA because it will complicate the whole process - instead, for the control A.17.1.1 we recommend that you refer to the Procedure for Identification of Requirements and the List of legal, regulatory and other requirements.

    If you decide to go for Business Impact Analysis, you can find the template here: https://advisera.com/27001academy/documentation/business-impact-analysis-questionnaire/
  • ISO45001 Context of the organization


    Answer:
    External issues that can affect your ability to achieve OH&S outcomes can take many forms. One example of an external issue that would qualify for this would be the knowledge that a supplier who gives you the least hazardous cleaning chemical is unable to supply you any longer and you will need to find another chemical to do your cleaning which will be more hazardous to your employees. The cause of this could be economical with the supplier going out of business, but it could also be political in that they are located in a country that no longer allows exports to your country.
    These were only examples to think about; the real thing to consider is which issues affect your ability to safeguard worker H&S.
    For a better understanding of the ISO45001:2018 context of the organization, see this article: Defining the context of the organization according to ISO 45001, https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/