Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001, NIST CSF and NERC CIP
I am thinking whether I can approach the Cybersecurity in a risk management framework , from risk management strategy to identify and access the risk , build Cybersecurity program and security assurance architecture , mitigate the risk from Cybersecurity plan with security control in ISO 27001 Annex A against the control category in NIST CSF which comply with NERC CIP 02-09.
Answer: We're not experts in NERC CIP, but it seems that it is possible to combine these three frameworks. The following material will give you an overview on how to integrate ISO 27001 and NIST CSF:
- Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
- How to implement the NIST Cyber Security Framework using ISO 27001 https://info.advisera.com/27001academy/free-download/how-to-implement-nist-cyber-security-framework-using-iso-27001
and since the correlation between NIST CSF and NERC CIP is already mapped, the integration between these three would follow the same logic. -
Risks on software development
Answer: The specific risks perceived by an organization regarding its processes (e.g., software development) and provided services (e.g., CRAM software on a SaaS environment) are unique considering its organizational context and objectives, and should be supported by a risk assessment process, but broadly speaking you should consider these references:
- Top Threats to Cloud Computing Plus: Industry Insights https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/
- OWASP Top Ten 2017 Project https://www.owasp.org/index.php/Top_10-2017_Top_10
This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessmen t: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Importancia de los indicadores en la ISO 27001
Respuesta: Los indicadores son muy importantes porque puedes usarlos para medir y monitorizar los procesos y los controles de seguridad de la información, que es un requerimiento en la ISO 27001, de acuerdo al punto 9.1 Seguimiento, medición, análisis y evaluación.
Por cierto, este artículo sobre indicadores puede ser interesante para ti “Key performance indicators for an ISO 27001 ISMS” : https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
Y también este otro sobre los objetivos de control "Control objectives - Why are they important? " https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/ -
Auditing outsourced processes (1)
Answer:
Consider auditing a process – what ISO 9001:2015 clauses do you consider?
Auditing process performance (9.1.1 and 9.1.3);
Auditing process control (8.5.1);
Auditing quality control (8.6);
Auditing nonconformities control (8.7);
Auditing order control (8.4)
Auditing documentation control (7.5)
Auditing monitoring resources (7.1.5)
Auditing identification and traceability (8.5.2)
As you can see, you can use several ISO 9001 clauses to audit a process, outsourced or not.
The following material will provide you information about scope definition:
- ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
- ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Issues are not necessarily negative (1)
I believe that “issue” is related with clause 4.1 of ISO 9001:2015. Several organizations use SWOT analysis as a way of determining relevant internal and external issues. Using the SWOT analysis implies determining issues with a positive connotation (opportunities and strengths) and determining issues with a negative connotation (threats and weaknesses)
The following material will provide you information about internal and externa l issues:
- ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Data Subject Access Request Procedure
Answer:
All the data subject requests including the “right to be forgotten request” would be dealt with according to the “Data Subject Access Request Procedure”.
To find out more about data subjects right you can check put our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/ -
EU GDPR
Answer:
You should first check the iCloud Privacy Policy because it might be that the data for EU users are stored in Europe.
To find out about data transfers don`t miss our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/ -
Transmission of data to third countries
Answer:
You should first check the iCloud Privacy Policy because it might be that the data for EU users are stored in Europe.
To find out about data transfers don't miss our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/ -
Policy documentation
In ISO world, mandatory requirements/documents are related to the words "must" or "shall", while non mandatory requirements/documents are related to words "may"or "should". In ISO 27002, since it provides recommendations for the implementation of controls that may be required as a result of a risk assessment, you will find the guidance ruled by "should", i.e., you only have to consider the recommendations that will help handle the risks you identified as unacceptable.
You can find more information in this article: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/ -
ISO 22301 LA course
From your perspective, is it possible to take only the exam for ISO23001 lead auditor and not do once again the training? Is it something your company is offering?
Answer: The ISO 22301 Lead Auditor exam is the final part of the ISO 22301 Lead Auditor course, so you cannot take the exam without attending the course, unless you are taking a second exam after failing the first one in the allowed time interval.
Besides that, the content about audit methodologies and techniques are only part of the course. You will be presented to ISO 22301 concepts and requirements, as well as the exercises developed during the course are different.
At this moment we are not providing the ISO 22301 Lead Auditor course.