The point is, I believe that risk assessments often use tables to analyze the variables. My doubt is how can someone make the necessary analysis of assets, threats and vulnerabilities since there are so many options of them to a single asset? I believe that pointing out all of them would make the analysis larger than it needs to be and it probably wouldn’t be so functional, so probably in the assessments, the standards and laws do not require a full analysis of all assets/procedures.
For example, if I added “hardware” in the table from one of your lectures. Let’s say the risk owner would be the CSO, the threats could be: the CSO himself (due to his actions), fire, electricity outage, unauthorized access, theft, hacking, among many others.
For all these threats it is possible to establish a control method to reduce or avoid them, but adding all these points in the inventory table below would make it less effective, I guess.
Answer: To make your risk assessment more effective, you should consider the assets, threats, and vulnerabilities to be analysed in terms of the requirements your ISMS must fulfill (e.g., laws, regulations, contracts, business objectives, etc.). By this approach, your assessment will focus on risks that can have perceivable impacts on the business.
Regarding the quantity of elements, I generally use the approach of performing the risk assessment in cycles, where in each cycle I work on a small quantity of risks (5 to 10), also limiting the quantity of assets, threats and vulnerabilities. First I start with the ones perceived as the highest. After each assessment, if I conclude the overall risk level is still unacceptable, I perform another cycle (in general I need three to four cycles to finish the assessment). This way you can cover both the highest perceived risks and a quantity of risk that your resources are capable of handling.
2 - Concluding my question, what are the main metrics to establish the main threats and vulnerabilities to an asset, reducing the table and improving effectiveness?
Answer: For the identification of main threats and vulnerabilities to an asset you can rely on historical data (from your own organization or related to your general industry), expert opinion, or specialized material, such as standards recommendations.
Answer: I'm sorry, but the ISO 27001 standard is intellectual property of the International Organization for Standardization (ISO), and as such it cannot be sold as part of our toolkits. You can find and buy this standard at this link: https://www.iso.org/standard/54534.html
ISO 27001 Mandatory documentation
Answer: The text in the Document Management from ISO 27001 Blog refers to the ISO 27001:2005 standard, in which the Procedure for Managing Documents is in fact mandatory. This standard was superseded by ISO 27001:2013, which is now the current standard, and in this version the Procedure for Managing Documents is not mandatory.
2 - Also, could you share with me how you came up with the Checklist of Mandatory Documentation? I can’t seem to find the source of the information in the ISO 27001:2013 Standard. Not sure if it is there or in another ISO document.
Answer: To identify the mandatory documentation in the standard you have to find the requirements that demand "documented information" to be available, to be kept, to be retained, or any other similar verb or expression. For example:
- The scope shall be available as documented information.
- The organization shall retain documented information about the information security risk assessment process.
Answer: Yes, you could have a single document including information about the scope, objectives, roles, etc., but in my opinion this is not the best way, because you are mixing concepts that are different, and if you have a single document with a lot of information, it can be difficult and inconvenient to find something. Therefore, it is best to have one document for the scope, another for the information security policy and objectives, etc.
What you are describing is commonly referred to as unsolicited marketing. The EU GDPR states that for marketing you need to obtain the consent of the data subject. Also, the ePrivacy Directive imposes additional constraints if you market by telephone, email or fax.
For example, you can only send direct marketing to someone by email if:
- they have given you consent; or
- you have an existing relationship with them and fall within the so-called similar products and services exemption.
Unless one of the two criteria applies, I would suggest filing a complaint with your local Supervisory Authority.
The medical device file should contain the following information:
- General description of the medical device, intended purpose and instructions for use (I think you've covered that);
- specification for the product;
- specifications or procedures for manufacturing, packaging, storage, handling and distribution;
- procedures for monitoring and measuring;
- procedure for installation, if appropriate; and
- procedure for servicing, if appropriate.
I am trying to find out what is the process for IATF certification suspension for the corporate scheme.
The situation is like this: one corporate scheme has a few manufacturing sites. What happens if the central functions are claimed by the customer as having issues? How are the manufacturing sites impacted, and where can I find this information? Can the certification body request a special audit at a manufacturing site even if the issue is strictly related to the central functions? The central functions have their own IATF certification audit. In the 5th Rules I was not able to find all these details.
Answer:
According to Rules for achieving and maintaining IATF recognition, the certification body can suspend the certificate if the certification body receives a performance complaint against the client from an IATF OEM member, its relevant IATF Oversight office, or any automotive customer of the client.
The certification body must undertake immediate analysis of the situation to determine the severity of the situation and risk to the customers of the certified client, taking into account, where applicable, IATF OEM customer-specific requirements. This analysis shall be completed within a maximum of twenty (20) calendar days from the start date of the decertification process.
Since the manufacturing sites are under the same certificate as the central office, they can also be subjected to additional audits.
For more information, you can take a look at Rules for achieving and maintaining IATF recognition, 5th edition, clause 8.0 CERTIFICATE DECERTIFICATION PROCESS.
Appendix for Inventory of Processing Activities
Answer:
EU GDPR art. 30 “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/ states that you need to provide a “of data subjects and of the categories of personal data”, which suggests that a certain amount of granularity is required and that sensitive/non-sensitive would not be enough.
Information security and ISO 27001 topics
I am a Logistics student at XXXX and I need to prepare an academic paper about ISO 27001 requested by the XXXX professor.
However, I would like to know if there is a possibility of providing me with some material that will help me in the following topics:
Group 6 - ISO 27001 - Information technology
Start with concepts and definitions of what "ISO 27001" is; when it arose, where it arose; companies acting in the search for ISO 27001; implementation costs; competition and market; certification (how the process works); what the requirements of the standard are; examples of companies that apply it; why this company adopted this standard; desired outcomes/benefits; etc. Thank you in advance for your attention; I remain at your disposal.