
  • Cloud security risk assessment methodology

    I'm assuming that by "cloud adoption lifecycle" you mean a sequence of steps followed to implement cloud computing capabilities.

    Considering that, please note that this toolkit includes all you need to perform the cloud security risk assessment and to plan for cloud security controls. You have to follow the steps in the toolkit and use the templates to achieve this.

    In case you need further support to implement the documents, you can schedule a call with an expert to have a one-on-one live consultation.

    This article will provide you with further explanation about ISO 27001 information risk assessment:

    • 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
  • Audit of an application hosted on a private cloud virtual server

    The general approach to performing an audit is:

    • define dates, criteria (i.e., the security requirements that need to be evaluated), and audit scope (i.e., the application to be evaluated).
    • develop checklists to help you not forget something during the audit (i.e., what needs to be verified to evaluate if the security requirements are being met).
    • evaluate the application. At this point, the most common methods are: Inquiry personnel (e.g., users, developers, administrators, etc.); Observation of the application being used; Examination or Inspection of Evidence (e.g., records of previous processing, system logs, etc.); Re-performance (i.e., repeating previous processing to evaluate its results); and use of tools to perform Computer-Assisted Audit Techniques (CAAT).
    • elaborate on the audit report which will include the non-compliances and other findings

    Considering a cloud environment, you need to clarify the responsibilities for each asset, so you can properly identify who needs to be audited about which asset.

    For example, in an IaaS cloud model, the cloud provider is responsible only for the physical structure, while in a PaaS model, the cloud provider is also responsible for the development environment used by application developers, and in a SaaS environment, the cloud provider is also responsible for the applications.

    These articles will provide you a further explanation about preparing an audit:

  • Testing and calibration

    I do not have enough information to respond to the question of how long it would take to calibrate a tester.

    For more information on associated calibration intervals, refer to ILAC G24:2007 Guidelines for the determination of calibration intervals of measuring instruments (note currently under revision) available for download at https://ilac.org/?ddownload=818 

    For more information, have a look at

    The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/

  • Value and deliverables of ITIL

    ITIL considers the whole life cycle of the service as well as the whole (IT Service Management) organization.

    Here are a few articles that can give you an idea of why to consider (and implement) ITIL, i.e., what some of the positive outcomes of an ITIL implementation are:

    • Why ITIL? https://advisera.com/20000academy/knowledgebase/itil/
    • How ITIL can help reduce the gap between customers and the IT department https://advisera.com/20000academy/blog/2016/06/28/how-itil-can-help-reduce-the-gap-between-customers-and-the-it-department/
    • How to translate ITIL/ISO 20000 language into business language understandable by your management https://advisera.com/20000academy/blog/2016/03/01/how-to-translate-itiliso-20000-language-into-business-language-understandable-by-your-management/
    • Facing reality – Measurements in ITIL https://advisera.com/20000academy/blog/2013/04/02/facing-reality-measurements-itil/
    • ITIL – Framing the value of services (part II) https://advisera.com/20000academy/blog/2014/11/25/itil-framing-the-value-of-services-part-ii/

    • General privacy policy/notice vs. entity-specific policy/notice

      It all depends on the role of the subsidiaries, whether they are data controllers or data processors. If they are data processors, it is the role of the data controller to make sure that data subjects are informed by means of a privacy notice. If they are data controllers, they need to make sure that they have a privacy notice describing their processing operations. What is really important is to make sure that the data subject is informed. The privacy notice or notices can reside in a single location, however, they must be easy to read and understand, and contain information about all the processing operations.

      Please visit these resources as well:

    • ISO 45001 Audits in a Construction Company

      The departments that need to be audited for the OHSMS will depend on the scope you have chosen for the management system. With ISO 45001 it is up to the organization to determine which processes will become part of the OHSMS, and this will determine what needs to be audited. I like to think of the scope as “where the PH&S rules will apply”.

      Once you know which processes are included, then you will prepare to assess each process against the planned arrangement. In effect, you will be collecting evidence to show that process meets their requirements. Where they do not, you will raise a nonconformity which will require corrective action to improve the system and make the process meet requirements once again.

      You can find out more on how scope and internal audit work in the articles:

      • How to determine scope of the OH&SMS https://advisera.com/45001academy/blog/2015/12/09/how-to-determine-scope-of-the-ohsms/
      • How to perform internal audits in ISO 45001 https://advisera.com/45001academy/blog/2015/09/23/how-to-perform-internal-audits-in-iso-45001/

      • Inquiry on IT Risk Assessment and IS Risk Assessment

        1 - I was assigned to do a review of a company's (financial institution) IT and IS Risk Assessment. However, I am confused about the difference between both assessments?

        I'm assuming that by ISRA you mean "Information security risk assessment", and that by ITRA you mean "Information Technology risk assessment".

        Considering that, although they have an overlap, IT risk assessment and IS risk assessment focus on different things. IS risk assessment focuses on impacts related to the loss of confidentiality, integrity, and/or availability of information, while IT risk assessment focuses on impacts that affect information technology assets and/or provided information technology services.

        The overlap is that part of IS risk assessment covers information and communication technologies, and part of IT risk assessment covers information related to provided information technology services.

        2 - How will I start?

        Although these are independent assessments, since information in many situations relies on information technology assets, starting with the IS risk assessment review may provide you with a better understanding when performing the IT risk assessment review because as part of IS risk assessment you need to list all information related assets - and for IT assets you will perform the IT risk assessment.

        3 - And what about the IT Risk Policy Manual and IT Risk management Framework, are they the same? How are they related to both ISRA and ITRA?

        The IT Risk Policy Manual and IT Risk management Framework are not the same.

        An IT Risk management Framework provides the general elements for a risk management process (e.g., risk assessment, risk treatment, etc.), while an IT Risk Policy Manual defines the specific rules defined by the organization to be applied to the risk management process.

        Risk management framework and risk policy should be developed for information security, and potentially include a further explanation for IT.

        This article will provide you with a further explanation of ISO 27001 information risk assessment:

        • 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

        • Choosing the right Certification Body for ISO27001 Compliance

          Hello Jaya.

          I would also like to add that you can also consider some more dimensions:

          - Do you think it can be beneficial to have the accreditation body be from the same country as the entity audited (cultural similarities, same language, no language barriers, etc.)?

          Why is this important? Well, maybe the staff at the entity/entities only speak the local language and don't know other languages, which will be an issue for an external auditor who needs to interview the staff.

          - Do you need to conduct onsite interviews, or can it be done remotely? If some elements need to be conducted onsite (inspecting data centers, inspecting physical security controls, etc.), then perhaps it might be less costly to select an accredited body that is local, due to travel costs (accommodation, flights, etc.) for the external auditors.

        • Justification and control objectives

          Please note that justifications in the Statement of Applicability need to be based on applicable legal requirements, relevant risks, or management decisions (in general because management considers the implementation of control as a good practice).

          Considering that, the fact that you operate on a remote structure wouldn’t be enough. Since you stated that you do not have legal or contractual reasons for justifying some controls, you should review the results of the risk assessment to see if any identified risk can be used as a justification. If there are no relevant risks, you do not need to implement any controls.

          In case you decide to implement a control regardless of the lack of legal requirements and relevant risks, you can state as justification that the control implementation is considered good practice management.

          For further information, see:

        • MDR article 120 significant changes

          Yes, it is, because you need to prove that the new company that provides sterilization is just as good as the previous one (i.e., that it has a valid ISO 13485 certificate for its type of sterilization, that you have sterilization validation results with the new provider, that you have done biological indicator tests with the new provider, etc.). Also, in your risk analysis, you should check whether any new risks have appeared with the change of sterilization provider: for example, how long is the transport from you to the new provider, is it longer or shorter, and has the responsibility for transport changed?
