Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Inventory of assets
Regarding ISO 27001, the inventory of assets must consider only assets associated with information and information processing facilities, including fixed assets like safes, shredders and others, so you can leave non related furniture and fixed assets out of this inventory.
This article will provide you further explanation about assets inventory:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding assets inventory:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Design alterations
New question:
"Thanks for this information – You’ve answered my Question.
I’ve asked this question as Company 1 is the Head Office and they do the design – Thus Holding the ISO Certificate for Design & Development– Company B is the Sister company which only does repairs and they claim they are not doing design but my argument was that they are redesigning the Original Design down to something else therefore their ISO Certificate should include design even if they use the design engineers at company A but documented Information must be in place.
Do you agree?"
My answer:
If Company B only does repairs, repairs are not considered design. Perhaps one should clarify the meaning of “repairs”, presently I’m working with a company that sell new machines, buy used machines from customers, if both parts agree, and then they repair them and sometimes do changes because, for example, new safety requirements, better components, to sell them as second-hand machines. In tha t case design is a must!
Another important point is: who is ordering the design changes? If they do the design changes but the order with the indications come from Company 1, design is not an issue for Company B. -
Controls in third party facility
We received this question:
>I have a further question. Some of the properties and free, public and we do not have a contract. How will this impact your suggestion?
Answer: Without a contract you will not have any support to enforce the properties responsible to implement the security controls you require, and you will be at risk of being legally processed for modifying the facilities to implement the controls by yourself without authorization. -
Risk treatment plan
Answer: The Risk Treatment Plan must include actions only to:
- treat risks evaluated as unacceptable (as result of risk assessment)
- improve the performance of already existing controls (based on a top management decision)
This article will provide you further explanation about risk treatment plan:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment plan:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Requirement for vulnerability scanning
Answer: The performing of vulnerability scanning or penetration testing, either by the organization itself or by a 3rd party, are options to be considered only if the control A.18.2.3 (Technical compliance review) is considered applicable as result of risk assessment or because of a top management decision. It is important to understand that vulnerability scanning or penetration testing are only options. If other means, like manual reviews, can fulfill your needs, the performing of vulnerability scanning or penetration testing are not necessary.
This article will provide you further explanation about vulnerabilities management:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/ -
Before certification audit
Answer:
Yes! If your organization has not yet performed an internal audit and a management review certification auditors cannot verify that your organization complies with all ISO 9001 requirements.
The following material will provide you information about internal audits:
- ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Standard for BCM
Answer: For ISO the main standard for business continuity management is the ISO 22301, which defines the requirements for the business continuity management system. For complementary guidance and recommendations there are supporting standards such as ISO 22313 and ISO 27031 (Guidelines for information and communication technology readiness for business continuity)
Other organizations have their own standards that an organization should consider according to its own context, like National Fire Protection Association (NFPA) and its NFPA 1600
These articles will provide you further explanation about BCM standards:
- What is ISO 22301? https://advisera.com/27001academy/what-is-iso-22301/
- ISO 22301 vs. ISO 22313 https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/
- Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
- NF PA 1600 vs. ISO 22301 – Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/
2- The requirements state what SHOULD be done and not HOW to do it right?
Answer: Your assumption is partially correct. ISO 22301, like other ISO management standards, has mandatory requirements (associated to the words must/shall) and also optional requirements (associated to the words may/should), and these only define what must/should be done, and not how. This is like this way to allow each organization to freely define how to implement the requirements.
This material will also help you regarding BCM:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Recruitment and competencies
It is not an area that I am familiar with. Nevertheless, I can make a connection with ISO 9001:2015 clause 7.2 about competency. Your customer wants you to recruit people with enough competencies and skills for the job that they will perform. Due to clause 8.4.3 about information for external providers, your customer should give you the competency requirements that they need.
The following material will provide you information about competencies:
- ISO 9001 – How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Changing template content
Answer: To change the formula for risk calculation you only have to replace the formula on each cell in "Risk" column, as you would do to change a formula in an excel spreadsheet. The cell are not blocked so you can change the content freely.
To change the values permitted for columns Consequence and Likelihood, please select the cells in the "Consequence" column you want to apply the change to, access the tab "Data" in the main menu, then in Data Tools select the option "Data Validation". In the window that will show you can edit the values permitted for the cells as well as the warning text. Do the same steps for cells in the column "Likelihood".
To change the colours that are displayed automatically based on the r isk level, you have to select the same cells as in the previous explanation and access in "Home" tab the "Conditional Formatting" option, and the the option "Manage rules". From there you can edit the colours according your needs.
For more information, please access these links:
- https://support.office.com/en-us/article/apply-data-validation-to-cells-29fecbcc-d1b9-42c1-9d76-eff3ce5f7249
- https://support.office.com/en-us/article/use-formulas-with-conditional-formatting-fed60dfa-1d3f-4e13-9ecb-f1951ff89d7f -
Information protection
Answer: For protection of information flowing through the Internet, and networks in general, the recommended approach is application of cryptography, either to protect the communication channel and the information itself, as well as to authenticate the parties involved in the communication.
These articles will provide you further explanation about use of cryptography:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
- How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/