
  • ISO 14001

    Your inputs are really helpful for me. Thank you so much, Sir.

  • Risk Management Questions

    Can you help me with the following questions

    1. What level of detail is necessary in the process of identifying and analyzing risks to information assets, since many risks could be formulated for each asset?

    ISO 27001 does not prescribe a level of detail for the identification and analysis of risks, so you can adopt the level of detail you believe will provide confidence that you have assessed the most relevant risks.

    This means that for some assets 1 or 2 risks may be enough, but for others you may find that a greater number of risks needs to be considered.

    As a reference point, when using the asset-threat-vulnerability approach, a small organization generally identifies between 30 and 60 assets, with 3 vulnerabilities and 2 threats for each asset, so it identifies between 180 and 360 risks.

    For further information, see:

    2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account to group assets to facilitate risk analysis?

    ISO 27001:2013 leaves you free to use any method you consider appropriate to assess information security risks, as long as it meets clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks, as long as they are similar (in your case, the servers). As a consideration point, you should group assets also taking into account the asset owner and other parameters that can make them easier to handle (e.g., servers that are in the same location).

    This article will provide you with further explanation:

    3. Is there a catalog of predefined and/or recommended Threats that can be used as a basis for risk analysis?

    In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Threats” with a catalog of suggested threats.

    4. Is there a catalog of predefined and/or recommended vulnerabilities that can be used as a basis for risk analysis?

    In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Vulnerabilities” with a catalog of suggested vulnerabilities.

    5. Is there a catalog of recommended controls that can be used as a basis to propose the ideal controls for the treatment of identified risks?

    In the Risk Treatment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Controls” with the catalog of controls defined in ISO 27001 Annex A.

    These controls are used in the Risk Treatment tab in column K, “Means of implementation”.

    For further information, see:

    • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    • Best method of internal audit checklist

      I’m assuming that your question is about which method to use (open/closed questions) when using a process-based approach for the audit.

      Considering that, the method will depend on your objective:

      • If you want to find out about documents/records related to the process, the closed question method is more appropriate
      • If you want to find out about people’s understanding of the process, the open question method is more appropriate

      In a process-based approach to elaborating an audit checklist, the questions should cover the process’s elements:

      • Customers: the entities which receive/use the outputs (e.g., customers, other departments/processes, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
      • Outputs: what the process is intended to deliver (e.g., information, a product, a service, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
      • Tasks: what needs to be done, by whom, how, when. For this element, open questions are more useful.
      • Inputs and resources: the material that is needed to produce the outputs (e.g., raw material, specifications, manuals, policies, procedures, etc.) and the required infrastructure (e.g., equipment, competencies, facilities, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
      • Suppliers: the entities that supply the inputs and resources (manufacturers, other departments/processes, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
    • ISO 27001 Toolkit

      The most similar documents to be used are the documents for risk assessment and treatment and for the risk treatment plan. You can develop the process of web application vulnerability assessment as a subprocess of ISO 27001 Risk assessment (in the Methodology document).

      The documents for risk assessment and treatment can be found in the folder 05 Risk Assessment and Risk Treatment.

      The document for risk treatment plan can be found in the folder 07 Implementation Plan.

    • 17025 consulting

      I understand from your question that you are asking whether you can postpone the surveillance assessment by the accreditation body.

      It depends on when your accreditation cycle ends and the certificate of accreditation expires. You need to refer to the specific policy of your accreditation body and engage with them. There may be some flexibility with the date for a surveillance assessment; however, it depends on the availability of assessors. If the laboratory is at the end of the accreditation cycle and the full reaccreditation assessment is due, the laboratory would need to close any nonconformances before the expiration date anyway.

      Consider the laboratory’s commitment to clients, its obligations as an accredited laboratory (contractual agreement with the accreditation body) and its options. If there are major issues, then they need to be identified, documented and addressed as a matter of priority. If these are minor issues that do not affect the validity of results, then acknowledge them and start addressing them before the assessment. Then deal with the nonconformances raised by the accreditation body. If the validity of results is in question, then taking on work should typically be suspended until the issues are resolved. There are situations where a laboratory is obliged to go into voluntary accreditation suspension and cannot claim to be accredited until reassessed.

    • Driving factors and increased importance of OHS

      The reason that the context of the organization has been included in the ISO 45001 standard is to ensure that an organization thinks about the internal and external issues that can affect its OH&S processes, as well as understanding who the interested parties are for the OHSMS and what their additional needs and expectations are for OH&S management, so that these can be included in the scope. These expectations will include business issues and risks that will need to be addressed to better prevent injury and ill health in the workplace. This is because an organization cannot simply meet the requirements of ISO 45001 for a management system, but needs to also include legal and other requirements from interested parties within these processes.

      You can read a bit more about the context of the organization requirements in the article:
