Answer: To calculate, or define, the values of threat and vulnerability, you must consider historical / statistical data (either from your own organization or related to your industry) and the opinion of the personnel who best know the assets and the processes you are assessing. The information available will allow you either to calculate the values based on quantifiable data or to adopt values based on the perception you and your team have of the situation.
It is important to note that for ISO 27001 there is no need to assess threat/vulnerability values to calculate the level of risk.
2. How to write the findings and recommendations in the assessment report with the overall risk rating and security ranking?
Answer: ISO 27001 does not require the findings of the assessment report to be linked directly with the overall risk rating and security ranking (in fact, including this correlation would result in an excessively complex report with little added value).
Regarding recommendations, for each finding the consultant should provide at least one or two recommendations on how to handle the situation (e.g., controls to minimize the probability and/or impact of a risk occurring).
3. Kindly do let me know how to update the overall score and risk rating (highlighted in the red box)
Answer: If by the overall score and risk rating you mean the level of risk associated with the findings identified in the assessment, then the way to improve the score and the rating is to introduce controls which will decrease the risk, by handling the findings.
ISO 27001 implementation
Answer: To start the implementation of an ISMS compliant with ISO 27001, you should consider these steps:
1) get management buy-in for the project;
2) define the basic ISMS framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties;
3) develop the risk assessment and treatment methodology;
4) perform the risk assessment and define the risk treatment plan;
5) implement the controls (e.g., policies and procedures documentation, acquisitions, etc.);
6) carry out people training and awareness;
7) operate the controls;
8) monitor and measure performance;
9) perform the internal audit;
10) perform the management review; and
11) address nonconformities, corrective actions and opportunities for improvement.
Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort
I can mention at least three reasons for you to consider ISO 27001:
- Your clients may demand some sort of guarantee that you are able to properly protect the programs that handle their information, and ISO 27001 is one of the most widely recognized frameworks worldwide to provide that
- The industry you work in may have regulations or laws that require you to protect the programs that handle your clients' information, and ISO 27001 can help you track and manage them so you can avoid fines
- ISO 27001 may give you a business edge over your competitors, by providing programs with higher levels of security embedded
These articles will provide you with further explanation about ISO 27001:
- ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Implementation timeframe
Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration can vary from 3 to 12 months.
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Integrating ISO 20000 and ISO 27001
Answer: Neither the ISO 20000 nor the ISO 27001 standard prescribes how to build the documentation, so you can elaborate your ISO 27001 documentation as you proposed (putting inside the ISO 27001 documents, where appropriate, references to the ISO 20000 ones or parts of the ISO 20000 documents).
But before you do that, you should consider whether keeping separate documents would require more effort than using an integrated document (generally, integrated documents are more useful and require less effort).
Answer: ISO 27001 is a management standard, so it does not go far into the technical aspects of security controls, including VAPT (Vulnerability Assessment and Penetration Testing). It focuses on establishing control objectives (which should be achieved by implementing the controls) and general requirements for applicable controls. ISO 27002, a supporting standard for the implementation of ISO 27001 controls, provides additional details and guidance for controls implementation, but also does not go deep into technical details.
Answer: To regain top management trust and support for an ISO 27001 implementation, you should focus on quickly solving relevant business problems currently affecting the organization by means of implementing ISO 27001 related controls. At this point the focus should be on quick risk assessments and implementation of the easier controls that can achieve the fastest and most important results (things such as internal audit and documentation control should be postponed).
Once significant results are achieved, you can argue that to maintain them in the long run the other ISO 27001 requirements should be implemented.
You can organize the implementation of your EMS by following these steps:
1) Obtain real top management support; this means sufficient money and human resources for the project. For this purpose, the business benefit of the project must be communicated to top management.
2) Establish the project structure: name the project manager, the project sponsor and the project team (if necessary), and define the milestones, deadlines, deliverables and budget.
3) Identify the legal requirements for your EMS.
4) Define the scope of your environmental management system.
5) Define the EMS procedures and processes. You can check which documents are mandatory and which are recommended in this article: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
6) Carry out training and awareness.
7) Operate your EMS, keeping the records needed for the audit.
8) Perform the internal audit.
9) Perform the management review.
10) Implement corrective actions.
11) Certification audit.
During implementation, do not write too many documents. Of course, you must cover the necessary minimum, but avoid writing overly detailed documents, since they will be improved over time during the regular review process.
Consider your organization with a given strategic orientation and a quality policy. Your organization is an open system interacting with its environment, so it is not wise to define objectives for the management system, for example, without considering the internal and external context. For that reason, organizations assess the environment and determine relevant internal issues (like process performance, customer complaints, downtime, …) and external issues (like legislation evolution, technological evolution, social and economic trends, …). Then, your organization can evaluate those issues and see if they can be related to opportunities or risks. For example, a demographic evolution can be seen as an opportunity and an economic trend can be seen as a risk. An opportunity is something that can help meet an objective, and a risk is something that can hinder meeting an objective.
You can also look into a process or a product/service and think about the desired outcomes and/or desired performance. Then you can determine risks and opportunities about those expected results.
The following material will provide you with information about context and the risk-based approach: