
  • Doubts about the package of documents to buy

    To comply with the point you listed you can use the ISO 27001 documentation toolkit (https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/). Some documents in this toolkit that can help fulfill some of your points are:
    - Information Classification Policy (point 1)
    - Security Procedures for IT Department (points 2, 3, 4, 5, and 6)
    - IT Security Policy (points 2, 3, 6, and 9)
    - Access Control Policy (points 5 and 8)
    - Incident Management Policy (point 7)
    - Statement of Acceptance of ISMS Documents (points 10 and 11)
    - Confidentiality Statement (points 10 and 11)

  • Query on ISMS Scope

    You only need to include the implementation project team (i.e., yourself and the internal audit team) in the ISMS scope in case, once the implementation is finished, the project team will remain to perform other activities related to the ISMS.

    In your case, for example, since you are part of the IT Department, your role does not need to be explicitly included in the ISMS scope since the IT Department is in the ISMS scope. As for the Internal Audit Team, in case they will not perform the internal audit over the implemented ISMS, they do not need to be included in the ISMS scope.

    Regarding the offices, you only need to include them in the scope in case you consider that the information in the offices that are outside the scope of the outsourced services needs to be protected (e.g., printed information stored in the offices).

    In case only information that is handled by the outsourced services is to be protected, then the offices do not need to be included in the scope.

  • ISO 45001 and ISO 14001 in welding and fabrication shops

    Both ISO 45001 (Health & Safety management) and ISO 14001 (environmental management) allow your organization to go beyond simply meeting laws for the environment or health & safety, and instead have a coherent system that allows you to proactively manage these parts of your business. This is true for a welding and fabrication shop, just as it is for any other organization. The standards help to focus your efforts on identifying environmental interactions (called environmental aspects) and OH&S hazards with a focus on identifying the risk that is posed by each in order to apply controls to prevent environmental damage, injury or ill health.

    You can read a bit more on the benefits of ISO 14001 and ISO 45001 in the articles:

    • 6 Key Benefits of ISO 14001 https://advisera.com/14001academy/knowledgebase/6-key-benefits-of-iso-14001/
    • 4 key benefits of ISO 45001 for your business https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/

  • Performance Evaluation

    As an international standard, ISO 45001 is written to be used by any organization in any industry. As such, it will tell you what needs to be done in a process for OH&S, but not how to do it. So, ISO 45001 does not give details on how to conduct monitoring and evaluation, only providing requirements that you must determine what to monitor and evaluate and that you must ensure evaluation is adequate. As conducting monitoring and evaluation is something that will be specific to each organization, I cannot give you a specific procedure for M&E, nor what criteria to evaluate against as this will differ from industry to industry, as well as area of the world. The best I can recommend is to look at industry best practices that are in place where you are located and work with these to develop the M&E process that will be best for you. Remember, the reason that ISO includes monitoring, measurement, analysis, and performance evaluation in the standard is to collect data that can be used to make good evidence-based decisions. So, choosing the right data and the right evaluation method is critical for this to be effective.

    You can read a bit more on how monitoring and measurement work in the article:

    • How monitoring, measuring, evaluation, and analysis in DIS/ISO 45001 works https://advisera.com/45001academy/blog/2016/03/09/how-monitoring-measuring-evaluation-and-analysis-in-disiso-45001-works/

  • Questions related to ISO 27001 Controls

    Please note that the controls you mentioned, as well as all controls from ISO 27001 Annex A, are applicable only in the following cases:

    • There are relevant risks that demand the implementation of controls
    • There are legal requirements (e.g., laws, regulations, or contracts) that demand the implementation of controls
    • There is a management decision to implement controls (e.g., by considering them a good practice)

    Considering that, according to ISO 27001, if none of the above conditions occurs, you do not need to implement a control.

    Regarding selection control criteria, a control must be selected considering its capability to reduce the likelihood and/or impact of a risk so the risk value decreases to an acceptable level.

    Regarding “mandatory controls” there is no such thing prescribed by the standard. During the audit, the certification auditor will look to see if the stated applicable controls make sense considering the results of the risk assessment and applicable legal requirements.

    These articles will provide you with further explanation about risk management:

    This material will also help you regarding risk management:

  • Different companies in scope ISO 27001

    1 - I have some questions regarding the ISO 27001 ISMS scope and organizational units. We are implementing the documentation in two of our companies (same corporate group). The whole of Company X is within the scope but only the compliance office in Company Y. We include them both in the scope. Is this correct or do we have two sets of documentation? We are using the same equipment and facility at the moment.

    If I understood correctly, you have two legally separated companies using the same equipment and facility at this moment.

    Considering that, first you need to align with your certification body the possibility to have a single scope for two legally separated companies.

    In case this is acceptable by the certification body, you can have a single set of documents, but please note that when you start using different equipment and facilities you will need to review the documents.

    2 - I also have a question regarding the Risk assessment table. To be compliant with the ISO standard, should we change the risks in the risk assessment after the risk treatment? For example, if risk X has been reduced due to the implementation of a policy, should we change the risk from e.g., 3 to 2 in the risk assessment? Or should we not change the risks after treatment at all?

    Risks identified during risk assessment must not be changed after risk treatment. What happens is that, after risk treatment, you need to assess the residual risk, i.e., the risk value after the applied treatment.

    This article will provide you with further explanation about residual risks:

  • Internal Audit Report Review

    Although it is acceptable, it is highly unusual that the results of an internal audit point out that everything was implemented correctly AND there are no opportunities for improvement (a certification auditor would certainly check such a report in more detail).

    If everything is consistently being performed as planned, then the next step in maturity could be an opportunity to be considered. For example:

    • Efficiency could be increased
    • Productivity could be increased
    • Rework could be decreased
    • Costs could be decreased

    This article will provide you with further explanation about improving process maturity:

  • Certification process of sister company

    If I understood correctly, the scenario involves a parent company X, at least two sister companies Y and A, and company A has a branch company B.

    X (parent)
    |-- Y (sister)
    `-- A (sister)
        `-- B (branch)

    In this situation you should consider only Site A as the scope for the certification process, leaving the departments from the parent company, and the branch in site B, as third parties which interact with your certification scope.

    This way your certification process will be restricted to Site A, and required security controls related to departments from the parent company, and related to the branch company, will be handled through security clauses in contracts and/or service agreements you will establish with them.

    This article will provide you with further explanation about the certification process:

    This material will also help you regarding the Information Security Management System scope definition:

  • Business Continuity Plan Testing Exercise

    1 - Can we include Risk assessment and BIA in the test exercise and ask questions on that? Or in other words, should we do both analyses during this testing exercise?

    Please note that the purpose of a BC Plan tabletop exercise is to assess the effectiveness of the devised plan (e.g., if people know what to do, if all required activities are included and well described, etc.), not to evaluate it against BIA and risks, so both analyses should not be performed together (this would only make the test unnecessarily complex).

    Considering that, the best course of action would be to ask for the information about BIA and risk assessment, and evaluate the BC Plan before the test, and if this information is not available you could explain that without a clear understanding of business impacts and associated risks, even though the BC Plan test is considered successful, it may not be fully aligned with the relevant impacts and risks related to the considered scenario.

    For further information about BC Plan tests, see:

    2 - Secondly, what are the most relevant questions we should be asking?

    A tabletop exercise means testing a plan by means of team interaction, so examples of relevant questions to be asked to people involved in the BC Plan would be related to:

    • the sequence of activities to be performed by each person in case of a Data Centre Power Outage
    • the means of communication to be used, who to communicate to, and what to communicate
    • the knowledge of each person about the activities other members will be performing

    Based on these questions, and the speed and confidence of response, you can evaluate if the involved personnel are familiar with the plan and can perform it in a satisfactory way.

  • 27001 Certification for Multiple Companies / Geographic locations

    1 - I'm struggling to get my head around how we can justify scoping out the IT Management side of the Company. The IT Management side will have complete control of our IT systems and potentially uncontrolled access to our servers. If we establish contracts or service agreements, won't the security requirements be the majority (if not all) of Site A's ISMS? If so, what's the benefit of scoping them out?

    Please note that security requirements defined for Site A can be also enforced on Site B by means of contracts/service agreements. The benefits of scoping out the IT management are related to decreasing the complexity of the scope and certification maintenance costs since you will have a smaller scope to manage.

    Regarding control of the IT infrastructure by Site B, it can be legally defined (through contract/service agreement) that any decision it makes needs approval from Headquarters to be implemented, so even though it has operational control, it will not have the decision power to implement changes without HQ consent.

    Regarding the risk of uncontrolled access to your servers, controls such as encryption, logging, and monitoring of the user administrator’s activities can be used to decrease such risks.

    For further information, see:

    • Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    2 - Would considering Site A and Site B as one Company but Site B (still providing IT Management and Design services) scoped out of the ISMS be an easier way to implement the ISMS? Site B will still implement the relevant ISMS policies but only Site A will be certified? I'm thinking this might save a somewhat complicated contract/service agreement and mean fewer controls to be audited.

    The scenarios considering Site A and Site B as different companies, and both as the same company but with Site B scoped out of the ISMS, would be the same for an ISO 27001 certification, i.e., you would still need to develop an agreement between them, since they will have the same client-supplier relation.

    In fact, this situation would be a bit more complex, because you would need to align first with the certification body the situation of having two legally different organizations considered as a single company.

    3 - Lastly, I understand that the Chief of Information Security type role is not mandatory under 27001 but it is beneficial to the process. Is it possible for someone from Site B to take this position for Site A despite being scoped as a third party?

    ISO 27001 does not prescribe that information security roles need to be fulfilled by an organization’s employee, so provided you can evidence that the related roles are defined and being fulfilled, you can “outsource” this position to someone from Site B.
