
  • How to become GDPR expert

    Sure, our DPO course will include the certification exam.
  • Mapping of risks to ISO 27001 controls


    Answer: Once you have identified the risk, you should first look at the control section objectives to find the ones that are most likely to treat the risk (some risks may be treated by controls from different sections). Once you find the section, you should look into the control descriptions to find which ones are most adequate.

    For example, for the risk "loss of a notebook", you can identify the following section objectives, and respective controls:
    - Objective from section A.6.2 (Mobile devices and teleworking): To ensure the security of teleworking and use of mobile devices. Applicable control: Mobile device policy (A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.)
    - Objective from section A.11.2 (Equipment): To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. Applicable controls: Security of equipment and assets off-premises (Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.) and Unattended user equipment (Users shall ensure that unattended equipment has appropriate protection.)

    This material will provide you further explanation about matching risks to controls:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
  • Scope definition

    Regarding the video tutorials, please check the "Repository" at the top left corner of your screen in Conformio. From there you can find the subfolder "Video Tutorials". Consult this screenshot as a reference: https://www.screencast.com/t/T5rLxMgc3UJz

    Since your scope is limited to IT, you should include in the scope only the IT personnel, but it is important that you state in your scope who is responsible for the information security regarding employees that have access to IT systems and resources in each branch (e.g., someone in headquarters or the head of each branch). To see more information about this issue, please read the section Interfaces and dependencies from the article "How to define the ISMS scope" (https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/) that was also included in the previous post.

    You can exclude elements from the scope (e.g., fax machines or printers) only if they are not related to the information your ISMS is proposed to protect. For example, fax machines or printers located in branches that cannot be used to send or print information related to the systems in your ISMS scope can be excluded from the scope.
  • IT risk identification


    Answer: According to ISO 27001, you must establish a risk assessment methodology, which involves:
    1) Defining how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
    2) Defining how to identify the risk owners
    3) Defining criteria for assessing consequences and assessing the likelihood of the risk
    4) Defining how the risk will be calculated
    5) Defining criteria for accepting risks

    For risk identification, the most common approach is the identification of assets, and of the threats and vulnerabilities related to them.
    These articles will provide you further explanation about risk assessment:

    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Design, validation versus verification


    Answer:

    Verification is a sort of final control: you are going to check the output of the design project against the inputs for the project (performance requirements, legal and statutory requirements, for example).

    Validation is a field control: you are going to test whether the output of the design project works in the customer environment. The output can comply with all specifications and yet not win the favor of the customers. For example, after developing a product to use in a certain context, during validation one realizes that customers can use it in another context where it will fail to deliver the promised performance.

    The following material will provide you information about the design system:

    - ISO 9001 – ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Risk Assessment


    Answer: To put together a risk management process which includes criteria for Risk Appetite, including for IT-related risks, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit contains the following documents: Risk Assessment and Risk Treatment Methodology, Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. In the template Risk Assessment and Risk Treatment Methodology you can define the criteria for Risk Appetite you will use to perform the risk assessment and treatment with the support of the other templates.

    This article will provide you further explanation about Risk Appetite:
    - Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Certification and cloud providers


    How am I going to become 27001 compliant without implementing 27017? Is there perhaps a document where I can write that we have outsourced security in the cloud to this ISO-certified provider? Will that be enough?

    Challenging my sponsor to either implement ISO27017 or in-source all outsourced data, will be complicated, to say the least.

    Answer: First of all, even though your organization uses cloud services, it doesn't need to implement ISO 27017 to be compliant with ISO 27001. It is true that ISO 27017 provides cloud-oriented recommendations and guidelines to help implement controls from ISO 27001 Annex A, but ISO 27001 controls are generic enough to cover cloud information security risks without the need to rely on ISO 27017.

    Considering the fact that almost all data is placed at cloud providers, the main documents you should consider to record and handle this situation are the ISMS scope (where you have to state that some of the organization's data is handled by cloud providers), the Statement of Applicability (where you have to state which controls are to be implemented by cloud providers), and the service agreements/contracts signed between the organization and the cloud providers (where you have to include the information security clauses the cloud providers must comply with).

    You should note that, even if your sponsor wants to fulfil only the bare necessities of ISO 27001, since the data is placed on cloud providers, the organization will have to consider these providers when performing the risk assessment and risk treatment process required by the standard, at the risk of otherwise leaving a significant part of the information out of the process and thus not being able to comply with the standard.

    This article will provide you further explanation about ISO 27017:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    These articles will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • QMS scope narrowed to one department

    In our Department, there are about 7 units, and about 100 employees. My question is whether the Department can get ISO 9001, regardless of whether our organization gets it or not.

    Answer:

    Theoretically, it is possible, but I'm failing to see the value in it. A QMS is developed to be applied to the whole organization and it contains requirements for the entire organization. If you decide to implement it only in one department, it means that the rest of the organization will be the client and supplier of this department, and at the level of the department you will have to define processes such as purchasing, design and development, etc., and implementing them in just one department would have an arguable effect on the conformity of the organization's products and services and on customer satisfaction. Implementing some parts of the standard can be beneficial for the department, but implementing a QMS that will only cover one department would cause the department to have redundant bureaucracy and not much more.
  • Quality objectives and risks


    Answer:

    Fast and short answer: No. It is not a requirement of the standard. On a second thought, doing that can be considered a good project management practice, something called “premortem method”. You can determine the new risks and incorporate actions to deal with them embedded in the quality objectives implementation plan.

    The following material will provide you information about quality objectives and risks:

    - ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
    - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/