No. | Name of asset | Asset owner | Threat | Vulnerability | New impact | New probability | Residual risk
Answer: In columns A to I of the Risk Treatment Table you have to fill in the values you identified during the Risk Assessment process, considering the risks identified as unacceptable. Then, after identifying the proper risk treatment options and means of implementation, you have to identify the new values for impact, probability and residual risk, considering the effects the proposed controls will have on them.
ISO 27001 Standard reference in controls implementation
Answer: You can cite ISO 27001 as a reference in your documents without needing to be certified. Regarding the standard itself, you do need to have a licensed copy available, so you can show proper evidence that you had proper access to the standard's content.
Monitoring internal and external issues
Answer: For example, when you monitor and evaluate process performance, one of your decisions can be to update internal and external issues. Another possibility is to update the determination of relevant internal and external issues when preparing for the next management review meeting.
The following material will provide you with information about internal and external issues:
ISO 9001 says nothing about non-scheduled audits. ISO 9001 refers to an audit program that includes frequency, which presupposes the existence of a schedule for audits. However, the fact that something is not included in the standard does not imply that it is forbidden. If this type of audit is foreseen in your quality management system, in addition to the scheduled audits, there is no non-conformity. One final note: beware of the message, since employees can consider non-scheduled internal audits as a signal of distrust.
The following material will provide you with information about internal audits:
My answer: Sorry, but the term "Análisis de Impacto en Aplicativo" is related to IT applications, and this term is not used by ISO 22301. This standard, I mean ISO 22301, is designed for the business (not only for IT), and you could use the BIA (Business Impact Analysis, or Análisis de Impacto en el Negocio in Spanish) to determine the impact of IT applications on the business (the BIA is a specific impact analysis tool of ISO 22301). If you are interested in the BIA, you can see this article: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
Scope Definition
Answer: You can limit your ISMS scope to your core business offering without problems, but for small and medium-sized organizations it is sometimes better to include the whole organization in the ISMS scope, because the effort of managing a scope that covers only part of the organization is not worth it.
Answer: According to ISO 27001, the elements you mentioned only need to be in place in the following situations:
- when they are needed to treat unacceptable risks
- when they are required by laws or contracts the organization must comply with
- when they are demanded by top management for any other reason
If you cannot link these elements to any of these reasons, they are not required for ISO 27001 certification.
In your case, based on the provided description, since you only have one establishment in the UK, the Supervisory Authority you will have to deal with in terms of the GDPR is the UK Information Commissioner's Office.