Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk Assessment on SDLC
We want to start the risk assessment right before the design stage.
We want to ensure that the design is secure and taking into consideration all the security risks that system environment will be facing.
By understanding the risk and the risk level, all appropriate controls will be put in place at the design stage.
This will then ensure secure development, secure delivery and the end objective to have secure operation and maintenance.
I am thinking of using threat modelling risk assessment at the design stage.
As I understand the risk assessment is not a “one time do and forget” exercise. Thus, we should be having a periodic risk assessment, with review and monitoring. May be it is a good practice to have a yearly exercise.
For our environment, we should have it at every stages.
Hope to get some feedback from you on the above.
Answer: Your thinking is absolutely right. System security must be though as soon as possible in the development process, and s hould be periodically reviewed because of the identification of new types of threats, codification problems and opportunities of improvement. To ensure this thinking is considered in your organization's process you should consider the implementation of a Secure Development Policy (a template for this policy is included in your toolkit, at folder 08 Annex A, subfolder A.14 System acquisition, development and maintenance), as well as integrate the security activities in your current development process. A good reference for secure development is the ISO 15408 standard, which you can see at this link: https://www.iso.org/standard/50341.html
These articles will provide you further explanation about secure development:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/ -
Information Security Policy
The first thing you have to consider is the identification of the requirements this Information Security Policy must comply to (e.g., laws, contracts, standards, etc.), then, based on these requirements you can plan what to look for as evidences that this policy is implemented and being followed.
I suggest you to take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
This toolkit has four documents (Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report) that can help you perform an internal audit considering the ISO 27001, the leading ISO standard for information security, in a easy and efficient way.
These articles will provide you further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 h ttps://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/ -
Defects, problems and incidents
Answer:
Incidents lead to problems, that's correct (see the articles
ITIL Problem Management: getting rid of problems https://advisera.com/20000academy/blog/2013/08/05/itil-problem-management-getting-rid-problems/
How to make your ITIL/ISO 20000 Problem Management more effective with a Problem Record https://advisera.com/20000academy/blog/2017/02/14/how-to-make-your-itiliso-20000-problem-management-more-effective-with-a-problem-record/
On the other side, defects relate to not satisfying service requirements and involve e.g. change on the service in early life support phase. According to ITIL, definition of a problem is " A cause of one or more incidents.". So, if that defect doesn't cause incidents, there is no need to go to problem management. It's rather that you need to send it back to development (Release and Deployment or even to Service Design processes if you conclude that there is an error in service design). So, as you could see, defect can have much deeper causes then "usual relation" incident -problem. -
Major Incident Management process
Answer:
I assume MIM stands for Major Incident Management. So, having so many people in MIM process is seldom productive. MIM usually involves minimum required people. That means you should have someone who is in charge per resolution (consider it as "project leader"), someone from top management (you need quick reaction, best people you have, maybe some monetary resources - so you need strong sponsor) and technical experts related to the topic.
This article can provide more details:
Major Incident Management – when the going gets tough… https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/ -
Cláusula 8.5.2
Mi respuesta:
La organización debe controlar la identificación única de los productos cuando la trazabilidad es un requisito, y debe retener la información documentada necesaria para permitir la trazabilidad. Esto significa que va a necesitar proporcionar justificaciones para las exclusiones que realice
Respecto a la cláusula 8.5.2, no todos los productos o servicios requieren identificación y trazabilidad. Algunas empresas etiquetan sus piezas con números de serie únicos que pueden contener todos los datos de la trazabilidad de esa pieza, mientras otros aplican la trazabilidad al lote que se necesita.
Para más información, vea "ISO 9001:2015 Cláusula 8.5 realización del producto: ejemplos prácticos para su cumplimiento" (en inglés): https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
Estos materiales también pueden ayudarle en la implementación de ISO 9001:2015:
- Libro “Preparación para el proyecto de implementación: Una guía en un lenguaje sencillo”: https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Curso gratuito en línea: Curso de fundamentos ISO 9001: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (herramienta en línea para ISO 9001): https://advisera.com/conformio/ -
Implementación ISO 9001
Mi respuesta:
Lo que se certifican son las actividades, que coinciden con el alcance de la certificación. En el caso de que quieras implementar ISO 9001 en un solo departamento/unidad de la organización/localización, no existen demasiados beneficios, ya que la norma ISO 9001 ha sido desarrolla para ser aplicada en la totalidad de la organización, por lo que contiene requisitos para toda la organización.
Para más información vea "Cómo definir el alcance del SGC de acuerdo a la ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/
Estos materiales también pueden ayudarte en la implementación de ISO 9001:2015:
- Libro "Preparación para el proyecto de implementación: Una guía en un lenguaje sencillo": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Curso gratuito en línea: Curso de fundamentos ISO 9001: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (herramienta en línea para ISO 9001): https://advisera.com/conformio/ -
ISO 22301 toolkit content relate to internal and external issues
Answer: The information required by ISO 22301 clause 4.1 is addressed by following templates:
- Organization's activities (from clause 4.1 a)) and potential impact from disruptive incidents are addressed by template Business Impact Analysis Questionnaire (located at folder 04 Business Impact Analysis Methodology)
- Organization's functions (from clause 4.1 a)) are addressed in all templates when an activity to be performed is required (by means of the field [job title]). Functions related specifically to the BCMS are defined in the template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
- Organization's product and services (from clause 4.1 a)) are addressed by template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
- Relations with suppliers, partners and interested parties (from clause 4.1 a)) are addressed by template Business Continuity Strategy (located at folder 05 Business Continuity Strategy)
- Relationships between the Business Continuity Policy and other organization's policies, objectives and general risk management strategy (from clause 4.1 b)) are addressed by template Business Continuity Policy, section 2, (located at folder 03 Business Continuity Policy)
- Organization's risk appetite (from clause 4.1 c)) is addressed by template Business Impact Analysis Questionnaire, section 6 (maximum acceptable outage) (located at folder 04 Business Impact Analysis Methodology) -
Toolkit content
- NOC (network operations center) policy
- Log Management – not as part of the annex a section A12 operating procedures
- Capacity Management/Business Capacity
- Client Complaint Policy
Answer: These documents you mentioned are not mandatory for ISO 27001, and they are not usually used by smaller companies, that's why we didn't include specific template for them in the toolkit, but regarding the Log Management, you can use the content of Operating Procedures for Information and Communication Technology template to create a specific document using blank template that comes with your toolkit.
Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies this large number of documents would result in an overkill for many of them. Instead of that a single template may cover multiple controls.
If you consider that these documents are needed for your organization, i ncluded in your toolkit you can schedule a meeting with one of our experts and he can help you elaborate such documents. To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/ -
Templates content differences
Could you explain essence and main differences between next tree documents?
Appendix_1_Risk_Assessment_Table_EN.xlsx, Appendix_2_Risk_Treatment_Table_EN.xlsx, and Risk_Treatment_Plan_EN.docx
Answer: Sure.
The Appendix_1_Risk_Assessment_Table_EN.xlsx is the document used to list all identified risks during the risk assessment and currently related implemented controls (when they exist).
The Appendix_2_Risk_Treatment_Table_EN.xlsx is the document used to select treatment options and controls.
Finally, the Risk_Treatment_Plan_EN.docx is the document where you list all the actions and resources needed to implement the treatment options identified on the Risk Treatment Table, as well as the respective deadlines and responsible people.
As you can see, from the Risk assessment table to the risk treatment table, the information becomes more focused on the risks that must be treated. You could have all this information on a single document, but this will make it more complex to handle.
By the way, included in the toolkit you bought you have access to video tutorials that will explain you about these documents and how to fill them in.
This article will provide you further explanation about risk treatment and risk treatmewnt plan:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment