
  • ISO 27001 Scope Document

    1 - Do we need to show network documentation of all offices in the ISMS scope, or can we put reference links to the documentation?

    For the ISMS scope document, there is no need to show network documentation, but if you want you can include reference links to detailed documentation. 

    2 - Do we need to include network diagrams of each office in the ISMS scope document?

    There is no need to include high-level topology diagrams, but if you want you can include references like those included on page 5 of each of your documents to give an overview of the network topology.

    3 - Do we need to include the XYZ1 office in the scope, as the whole outsourcing department works from XYZ2, and it's only the senior managers like the CEO and Founder, including the IT security administrator, who work from XYZ1?

    Yes, you should include the XYZ1 office in the scope, or at least the part of the office with senior management and the IT security administrator.

    4 - Will focusing the ISMS scope on the outsourcing department's IT infrastructure be enough, or do we need to extend the ISMS scope to cover the *** IT operations infrastructure across the business?

    This answer will depend on the information you want to protect. In case you want to protect the information handled and processed by ***, then you need to include the IT operations infrastructure that runs across the business. If this is not the case, then the scope covering the Outsourcing department will be enough.

  • SOA Control Objectives

    The controls listed in the SoA template included in the ISO 27001:2022 toolkit are the same ones defined in the ISO 27002:2022.

    Please note that the column “Control Objectives” needs to be filled in by the organization. Control objectives are not mandatory in the SoA, but including them in the SoA will make it easier to follow them and reduce the administrative effort of keeping them in a separate document.

    These articles will provide you with further explanation about ISO 27001 and ISO 27002 controls:

    • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    • Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/
    • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

    • Add Further Reference Documents

      You can address these requirements in your ISMS by including the ISM and the RFFR as legal requirements in the Register of Requirements module.

      In addition to including these requirements in the Register of Requirements, you need to implement the security controls related to them. These will be automatically identified in the Statement of Applicability when you define the information in the “To what area is this requirement related?” field in the Register of Requirements module for each entry.

      Considering the ISM, suggested areas are “Specifying mandatory safeguards” or “Identification of stakeholders and security requirements”.

      Considering the RFFR, the suggested area is “Risk Management”.

    • ISO 27001 - Question nonconformities

      Please note that findings do not become nonconformities because they are related to risks, but because they evidence noncompliance with defined rules (e.g., policies and procedures), planned actions (e.g., actions not executed or wrongly executed), or expected results (e.g., missing results or wrong results).

      Regarding the classification of nonconformities, ISO 27001 does not require them to be classified, so you can adopt the criteria that best fit your needs. Associating them with a risk level is an acceptable criterion. Certification audits use minor and major levels to classify nonconformities, and this is also an option for you.

      This article will provide you with further explanation about the classification of nonconformities:

    • Determining necessary security measures

      1- From the role of DPO in a Spanish company (provider of Head Hunting and Personnel Search services) that has begun its adaptation to GDPR, how should the actions to be taken be planned in an orderly manner to determine the necessary security measures which guarantee the rights of users (candidates who apply for Internet searches and through forms/questionnaires to be completed on the institutional website of the Spanish company) and also the security of the information of their personal data (sensitive because they have health data)?

      We have an EU GDPR Documentation Toolkit which is structured in a simple and intuitive way to help you drive your GDPR compliance project. You can start with the Project Plan, in the first Directory, and gather all the necessary information to fill in all the required documents. The toolkit also contains privacy notice templates that you can use to inform the candidates about how you process their personal data. Moreover, you also have Live Expert Support, should you require it.

      On our website we also have resources that you can use, please consult these links as well:

      2. Would there be a document or article published on the Internet that has a mapping between what is required by GDPR and what is recommended by good practices: ISO 27001, ISO 27701, ISO 27002, ISO 27018?

      We have a free webinar – How to integrate GDPR with ISO 27001 – which we offer for free; you can listen to the recording or join the next time it is live. Also, we have some free resources on our website, please consult these links as well:

    • Labeling of medical device accessories

      The standard that talks about symbols for medical products is ISO 15223-1:2021. There is no laser symbol specifically in it, but it says that the manufacturer is responsible for conducting a risk analysis based on which he will assess what information he must provide to the user. In your risk analysis, the danger of laser beams must be covered, so it is logical that such a symbol exists on the product.

    • Supplier Security Policy

      I’m assuming you are referring to the text “, as well as audit the supplier or partner at least once a year.” in section 3.5 of the Supplier Security Policy.

      This text means that, just as you need to audit your own processes, you also need to audit suppliers and partners to ensure they have implemented the security controls you agreed with them and that the controls are performing properly.

      Please note that such audits are required only if control A.15.2.1 - Monitoring and review of supplier services is stated as applicable in the Statement of Applicability.

      Additionally, there are different types of audits, some more thorough (e.g., a comprehensive local audit), others simpler (e.g., verification of applied security clauses), and you should consider criteria such as the criticality of the supplier, results of previous audits and incidents history to decide which audit approach to apply.

      For further information, see:

    • Internal Audit Questions

      1. On the first management review meeting, should we discuss the Internal Audit?

      Results of performed internal audits are mandatory inputs to be discussed in the management review.

      For further information, see:

      2. Should the project manager gather all pieces of information during the project implementation?

      The project manager is responsible for ensuring that the information needed for the ISMS implementation is identified and gathered by the information owners (e.g., department heads, process owners, users, etc.).

      Please note that the project manager has a coordinator role regarding tasks to be performed in the ISMS implementation project.

      For further information, see:

    • ISO security framework or standard for IoT

      I’m assuming that by CSA you mean Cloud Security Alliance.

      Considering that, ISO has three specific standards related to IoT:

      • ISO/IEC 21823-2:2020 Internet of things (IoT) — Interoperability for IoT systems — Part 2: Transport interoperability
      • ISO/IEC TR 30164:2020 Internet of things (IoT) — Edge computing
      • ISO/IEC TR 30166:2020 Internet of things (IoT) — Industrial IoT

      They do not define a security framework for IoT, but security requirements that need to be considered (e.g., Security and privacy, by ISO/IEC TR 30164:2020, and Security requirements by ISO/IEC 21823-2:2020), and ISO 27001 can be used to implement the security framework to fulfill such requirements.

      These articles will provide you with further explanation about ISO 27001 and how to work with security controls:
