Answer: The National Electronic Security Authority Information Assurance Standards (NESA IAS) are primarily based on ISO 27001:2005, with some additional controls taken from ISO 27001:2013 and NIST Special Publications (SP-Series).
Sorry, I have no such sample. But ISO 14001 is very intuitive, much more than ISO 9001 I would say. Make an environmental assessment, determine if your organization follows conformity requirements, establish priorities for improvement considering the assessment, strategic orientation, context and risk & opportunities. Then, develop plans to meet the improvement objectives and monitor performance.
ISO 14001 includes the Deming cycle (PDCA). So, change management is very useful for the project.
The following material will provide you information about assessment of environmental interactions:
That sentence seems to be taken from a contract or something like that. My understanding is: I, as a customer, want you, as my supplier, to establish a process to handle all my quality requirements at product level, at product development level, and at organizational level. Does this make sense to you?
The following material will provide you information about customer requirements:
Answer:
What I would advise you to do is to use “Data Exporter” instead of Data Controller and “Data Importer” instead of Processor. In this scenario your company would be the “Data Exporter” and it is irrelevant who the controller is.
First, it is important to understand that auditors will evaluate documentation not by considering how descriptive it is, but by whether it complies with the standard's requirements, applicable legal requirements and needs identified as results of the risk assessment.
Considering that, as guidance for writing the details in your documents you should consider the ISO 27002 standard, a supporting standard that provides the details you are looking for. For example, for the control on information classification this standard recommends that information classification criteria should be reviewed over time. For anti-malware, you should include guidance for users regarding not accessing malicious content and scanning files before using them.
Guidance from this standard can be implemented as needed, so you do not need to implement all of it if you do not identify the need.
This article will provide you more information about ISO 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
"Step name: Entering the information asset in the Inventory of Assets
Responsibility: Chief Information Security Officer"
Further down in the document there is mention of “3.2.4 Reclassification” where asset owners are to review the confidentiality level of their assets with a certain time interval. Then “3.3 Information labelling” gives instructions on labelling of e.g. electronic documents and electronic mail etc.
All this implies that each and every one of such documents should be listed in the Inventory of Assets (IoA).
Our employees produce dozens of e-mails and electronic documents every week. If the CISO has to enter all these documents in the IoA, this is a full-time job in an organisation with only 15 employees or so!
Can you please give me a practical way of dealing with this problem?
General remark: I keep running into these kinds of issues where I am not able to find any examples or practical solutions in your documentation or in Secure and Simple.
Answer: You do not need to identify emails and electronic documents individually in your inventory of assets. You can use a single identification for them (e.g., e-mails and electronic documents) and define only once how all of them will be classified and treated.
Please note that the Information Classification Policy is not a mandatory document, nor are the A.8.3 classification controls mandatory. In other words, if there are no risks nor specific requirements for implementing those controls, you can exclude them in your Statement of Applicability, and in such a case you wouldn’t need to perform classification at all.
Regarding doubts you may have when filling in templates, included in your toolkit you have access to video tutorials that can help you fill in some templates (e.g., the risk assessment table) using real data. If the tutorials are not enough to clarify your doubts, you can schedule a meeting with one of our experts so they can help you. To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/
Thank you for your helpful answer and advice. Besides, would you mind answering another question? This would be so kind of you. Now I'm filling in the document "Statement of Applicability". I got a bit stuck in the column "Reason for choosing / Reason for exclusion". I mean, I read Dejan's note that this gap is all about the results of the risk assessment and the contractual and legal obligations. But some controls our risk assessment didn't even touch. I know that we have to have a guideline above all. But what's the reason for choosing? (Because we want to have the certificate. ;)) I wrote for now: "protection of information against internal and external threats, intentional and accidental." Or is it better, if you implement the control, to ALWAYS write (the same): "based on the results of the risk assessment, the contractual and legal obligations"?
Answer: If your risk assessment does not identify risks that justify the applicability of a control, then you should look for clauses in laws, contracts or standards you have to follow that may demand the application of such controls. In this case you may state "control applicable to comply with law/contract XXXX, clause YYYY".
If you still do not find legal requirements to justify controls applicability, you can state "Control applicable because of a Top Management decision to follow industry/market best practices", or "Control applicable because of a Top Management decision to support a business objective".
You should note that you will hardly ever use the last examples (based on a top management decision), because generally there will be risks or legal clauses to support a control's applicability.
There is also now a need, I imagine, to revise your book to accommodate the publication by ISO of ISO 45001:2018 in March this year, and perhaps other standards mentioned in the bibliography?
Answer: ISO 19011:2018 has just been released and we are already working on our book's update.
The main difference regarding ISO 19011:2018 is the addition of the risk-based approach to the principles of auditing, to reflect the enhanced focus on risk in both management standards and in the marketplace. But it is important to note that the risk-based approach is not mandatory for internal audits.
Other modifications refer to minor expansions on guidance related to managing an audit program, conducting an audit, competence requirements for auditors, and auditing concepts.
Regarding ISO 45001, it does not have any requirements different from those of other ISO standards like ISO 9001 or ISO 27001.
Implementing ISO 45001 in a manpower company
Answer:
ISO 45001 can be implemented in any company regardless of the type of business and its size. Implementing the standard in a manpower company wouldn't be much different than in any other company. The only difference is that you need to conduct the hazard assessment based on the activities for which you are providing the manpower to your clients and the type of operational controls you can apply, considering that the employees would be under the control of your customers. For example, if the customer has already established OH&S controls, then your employees should apply those controls, but in a case like yours, the customers shouldn't have many objections to your operational controls (i.e. personal protective equipment, rules for working at heights, etc.).
The rest of the implementation process is the same as for any other type of business.