To audit other ISO management standards based on your competencies as an ISO 27001 internal auditor, you have to demonstrate verifiable evidence that you also have competencies in those ISO standards.
For example, if you have attended, e.g., an ISO 9001 Foundations course, or have previous experience with an ISO 9001 QMS, you can audit ISO 9001.
Although this article focuses on ISO 27001, the concepts are valid for any ISO management standard.
Filling templates
Answer: The data related to "version 0.1" in the history section is only for illustration purposes. You can replace this information with your own.
2. The Risk Assessment of course is the bulk of the questions from asset owners. Some are clear, such as physical equipment. Some are less obvious, for example SaaS software common these days such as CRM software, GoogleSuite, Office365, etc. - does each of these get listed as a separate asset with a separate owner, or can each be listed with a central asset owner? The permutations will very rapidly end up with hundreds of assets for our 5 person company, with then thousands of Risks (by threat and vulnerability). Would you have any samples for very small start-up companies with < $1M in revenues and all assets cloud based (SaaS, AWS, personal compute devices etc.)? I plan to do all the heavy lifting as much as possible and will interview the other employees.
Answer: ISO 27001 does not prescribe how the inventory of assets should be developed, so you can use the organization that best fits your needs. Some suggestions are:
- Organize by SaaS provider (e.g., Google applications, Microsoft applications, etc.)
- Organize by purpose (e.g., HR applications, Collaborative applications, etc.)
The most important tip here is that you have to simplify the process by grouping similar assets.
Regarding the designation of asset owners, the same applies (you can have one person responsible for all related assets, one for each asset, or a mixed approach). If several users across the company are using a particular software or SaaS, then the most senior of them can be the asset owner.
About a sample of assets, in this template you have a sheet with a catalogue of assets.
National Competent Authority refers to a government body that is in charge of handling matters related to medical devices in your country. In this case, it should be ANVISA. You might want to discuss with the certification body that audited you for ISO 13485 if necessary before any submission.
For more information, you might want to refer to:
Filling template Key Contacts for Business Continuity
Answer:
ISO 22301 only requires that contact information is available, so organizations can define which ones they include in the Key Contacts for Business Continuity. But you have to note that with fewer alternatives to contact personnel, it may be more difficult to reach them in case of need.
You can fill in the Risk Assessment table in cycles, including only a few risks each time and analyzing them. If you identify that you still need more risks, you can perform as many cycles as you want. This way you ensure that you include the most important and relevant risks with less effort.
By the way, included in the toolkit you bought, you have access to a video tutorial that can help you fill in the Risk Assessment table. This video uses real data to make it easier to understand.
Performance objectives and strategic objectives
Answer:
For me, strategic objectives are performance objectives, but not all performance objectives are strategic. An organization can translate its strategic orientation into a set of objectives and targets, aligned with the quality policy. When we measure the organization’s performance against those strategic objectives, we are measuring the strategic performance. Besides strategic objectives, an organization can have other objectives; for example, it can have process objectives that are not strategic. When we measure the organization’s performance against those process objectives, we are measuring performance or operational performance.
The following material will provide you information about implementing an ISO 9001 management system:
Included with the toolkit you bought, you have access to a video tutorial that can help you fill in the Risk Assessment table. This video tutorial uses real data to make the process easier to understand.
In the second sheet of this template you will find a list of suggested assets, and also a list of threats and vulnerabilities.
Sharing resources
Answer:
If you can provide evidence that sharing the network cabinet will not affect your information security risks (e.g., through a risk assessment), or that there are implemented controls to maintain the risks at acceptable levels, then you will have no complications with your ISO 27001 implementation.
phpMyAdmin is an administration tool for MySQL databases, so as an application which shows information, you should consider including a label on the user interface (e.g., at the upper left corner of the screen) identifying the most sensitive information the application has access to.