ISO 9001:2015 recommends that we deal with risks and opportunities at three levels.
4.4.1 f) – risks about processes – Every process has intended outcomes and possible undesirable effects: what can negatively or positively affect the ability to meet those intended outcomes or to avoid those undesirable effects.
5.1.2 b) – risks about products and services
6.1.1 a) – risks about intended outcomes of the QMS as a whole (quality objectives)
The following material will provide you with information about the risk-based approach:
Answer: No, I'm sorry, ISO 27001 is focused on information security, not on occupational health and safety prevention. For this, there is a specific international standard that has recently been published: ISO 45001. This article may be of interest to you: “How to address risks and opportunities in ISO/DIS 45001”: https://advisera.com/18001academy/blog/2016/02/10/how-to-address-risks-and-opportunities-in-isodis-45001/
ISO 27001 implementation
Answer: For the implementation of ISO 27001, an organization has to fulfill the requirements established in sections 4 through 10 of the standard. Broadly speaking, an organization has to:
- Define and document a scope based on the needs and expectations of interested parties relevant to information security
- Define, document and communicate an information security policy
- Define roles and responsibilities relevant to operation and management of information security
- Define a risk assessment and treatment methodology
- Define and allocate competencies and resources for the operation and management of information security
- Implement risk assessment and risk treatment
- Operate the security controls and generate the necessary records
- Measure, monitor and evaluate the information security performance
- Implement corrections and improvements
Any person can implement ISO 27001 in their organization. To increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard.
2- How much time does it take for the implementation of ISO 27001 standard?
Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration can vary from 3 to 24 months.
3- What are the costs associated with this project?
Answer: Like in the previous answer, the costs associated with an ISO 27001 implementation will vary according to the size and complexity of the scope and the controls identified as needed as a result of the risk assessment. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employees' effort and time
- The certification process
4 - Is it possible that trained personnel from my organization can implement this standard after getting training from the online courses?
Answer: Our online courses provide the knowledge necessary to understand and apply the concepts of ISO 27001, and with the expert support provided with our documentation toolkits a person can go through the implementation process.
Answer: Non-tangible assets related to information or information processing facilities are also considered assets for ISO 27001. In fact, intellectual property is usually a critical information asset to be protected.
2- Is it possible to get a sample of what a completed Appendix 1 – Risk Assessment table looks like?
Answer: Included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment table, providing examples with real data.
3 - We are struggling with whether we should identify every single possible threat or just go with the most likely threats.
Answer: The identification of every single possible threat is unfeasible, so you have to focus on the most likely ones. To minimize the chances that you miss a relevant threat, the risk identification step should include the participation of personnel with knowledge about the situation being analysed (e.g., key users, systems administrators, etc.).
4 - Does the vulnerability relate to the threat, or is it mutually exclusive in this table, as in, one has nothing to do with the other?
Answer: A vulnerability is a weakness, associated with one or more assets, that can be exploited by one or more threats, so there is a relation between them.
5 - Can there be a 1 to many relationship of threat to vulnerability?
Answer: A single threat can exploit many vulnerabilities, in the same way that a vulnerability can be exploited by many threats.
6 - Can an asset have many threats with many vulnerabilities?
Answer: A single asset can have many threats associated with it, and, as explained in the previous answer, these threats can exploit many vulnerabilities.
7 - Can a single threat or a single vulnerability have many controls?
Answer: Single threats / vulnerabilities can have multiple controls assigned to handle them. In fact, in many cases this is the most common situation (which we call "defense in depth", where multiple controls are implemented to ensure that, if one fails, some level of security still remains, giving people more time to identify and react to the threat).
The EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ is meant to offer companies the documents that will be required to be compliant with the EU GDPR, regardless of their line of business. And since not all companies do telephone call recording or use CCTV, there are no specific documents for this.
For both call recording and CCTV there is no need to have a specific policy in place; however, you would need to inform the data subjects about the fact that they are being recorded during a specific call, as well as the fact that there is a CCTV monitoring system in place. For both, you can use the “General Data Protection Notice” in folder 2 “Personal data protection policy framework” of the EU GDPR Documentation Toolkit.
Usually, indemnification clauses are found in the Master Agreement, not in the Annexes, and the reason is that they need to be applicable to all subsequent documents of the Master Agreement.
However, if you want to put an indemnification clause in the Supplier Data Processing Agreement, you can use the following wording: “Supplier will indemnify and keep indemnified and defend at its own expense [Company Name] against all costs, claims, damages, expenses, or proceedings which [Company Name] may incur as a result of a breach by Supplier of its obligations herein. In case [Company Name] has suffered loss, cost and/or damage, or has to pay any penalty or compensation according to EU GDPR or other Privacy Laws due to Supplier’s breach, Supplier shall reimburse [Company Name] for all that loss, cost and damages.”
Use of structured templates
Answer:
There is nothing mandatory in ISO 9001:2015 about documents having to follow a structured template. Normally, every organization follows the practice of having work instructions, procedures or forms follow a structured template. That conveys order and planning, and frames a common visual look, but it is not a mandatory requirement. Clause 7.5.2 b) requires that the template(s) used is/are adequate.
The following material will provide you with information about documented information:
Answer: ISO 27001, and more specifically ISO 27002, can provide you with requirements regarding what you must consider when setting up a network, but they do not provide guidance on how to perform such a task.
Technically speaking, you should consider:
- Identification of which traffic must come in and out of this network, so you can configure the rules for the security perimeter (e.g., through an outbound firewall)
- Identification of which traffic should flow inside the network, so you can configure how the elements should be segregated (e.g., to segregate the networks accessed by visitors, by the embassy's employees in general, and by the embassy's senior staff)
- In case wireless networks are used, what the rules for use and access would be
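As an added example that is not part of the original answer: a minimal nftables ruleset that puts the three points above into practice for the embassy scenario. The forward policy is default-deny; the visitor (guest Wi-Fi) segment can reach only the Internet on web and DNS ports, the general staff segment can reach named internal services, and only the senior staff segment can reach the whole server segment; servers themselves may egress only to a single update host. Interface names, the 10.10.x.0/24 address plan, the 203.0.113.10 update host (RFC 5737 documentation range) and the port list are assumptions for illustration, not values from the page.

```nftables
#!/usr/sbin/nft -f
# Assumed interfaces (illustration only): one per segment on the perimeter firewall.
define WAN      = "eth0"   # Internet uplink
define VISITORS = "eth1"   # 10.10.1.0/24 guest Wi-Fi: Internet-only, isolated from everything else
define STAFF    = "eth2"   # 10.10.2.0/24 embassy employees in general
define SENIOR   = "eth3"   # 10.10.3.0/24 senior staff
define SERVERS  = "eth4"   # 10.10.4.0/24 internal servers

flush ruleset

table inet filter {
    # Internal services general staff are allowed to use (HTTPS, SMB, LDAPS, IMAPS).
    set staff_services {
        type inet_service
        elements = { 443, 445, 636, 993 }
    }

    # Traffic addressed to the firewall itself: only management from the senior segment.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname $SENIOR tcp dport 22 accept
        log prefix "fw-input-drop " counter drop
    }

    # Traffic crossing segments: everything not listed below is dropped and logged.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Visitors: web and DNS to the Internet only; no path to any internal segment.
        iifname $VISITORS oifname $WAN tcp dport { 80, 443 } accept
        iifname $VISITORS oifname $WAN udp dport 53 accept
        iifname $VISITORS log prefix "visitor-drop " counter drop

        # General staff: named internal services plus web egress.
        iifname $STAFF oifname $SERVERS tcp dport @staff_services accept
        iifname $STAFF oifname $SERVERS udp dport 53 accept
        iifname $STAFF oifname $WAN tcp dport { 80, 443 } accept

        # Senior staff: full access to the server segment plus web egress.
        # Nothing allows STAFF -> SENIOR, so the senior segment stays unreachable from below.
        iifname $SENIOR oifname $SERVERS accept
        iifname $SENIOR oifname $WAN tcp dport { 80, 443 } accept

        # Servers: outbound only to the assumed update host; nothing else leaves.
        iifname $SERVERS oifname $WAN ip daddr 203.0.113.10 tcp dport 443 accept

        # No rule accepts WAN -> internal or server -> staff/senior; policy drop covers it.
        log prefix "fwd-drop " counter drop
    }
}
```

Validate the file without applying it with `nft -c -f firewall.nft`; the `counter` on each drop rule gives you a cheap per-segment view of what is being blocked, which is useful evidence when you later have to show that the segregation actually works.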
Example: HR security domain:
Evidence required: Approved HR policy document, roles and responsibilities table in the ISMS, list of the last 5 onboarded resources with training completed, list of 5 offboarded resources with offboarding checklist and data removal certificate, access-revoked email confirmation, etc.
Answer: It seems to me that you are making a mistake here.
When performing risk assessment, there is no need to list evidence/artefacts. In this step you have to identify which risks are relevant considering the scope of the assessment.
Evidence and/or artefacts regarding the 114 controls from ISO 27001 Annex A are used when you perform either a gap analysis (to identify how many controls you already have implemented) or an audit (to evidence the controls' implementation and performance).
Its question-and-answer format allows you to visualize which specific elements of an information security management system are already implemented, and what still needs to be done.
For each clause or control from the standard, the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.