Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Certification and cloud providers


    How am I going to become 27001 compliant without implementing 27017? Is there perhaps a document where I can write that we have outsourced security in the cloud to this ISO-certified provider? Will that be enough?

    Challenging my sponsor to either implement ISO27017 or in-source all outsourced data, will be complicated, to say the least.

    Answer: First of all, even though your organization uses cloud services, it doesn't need to implement ISO 27017 to be compliant with ISO 27001. It is true that ISO 27017 provides cloud oriented recommendations and guidelines to help implement controls from ISO 27001 Annex A, but ISO 27001 controls are generic enough to cover cloud information security risks without the need to relay on ISO 27017.

    Considering the fact that almost all data is placed at cloud pro viders, the main documents you should consider to record and handle this situation are the ISMS scope (where you have to state that some organization data are handled by cloud providers), the Statement of applicability (where you have to state which controls are to be implemented by cloud providers), and the service agreements/contracts signed between the organization and the cloud providers (where you have to include information security clauses the cloud providers must comply with).

    You should note that, even if your sponsor wants to fulfil only the bare necessities of ISO 27001, since the data placed on cloud providers, the organization will have to consider these providers when performing the risk assessment and risk treatment process required by the standard, at risk of leaving a significant part of the information out of the process and thus not being able to comply with the standard.

    This article will provide you further explanation about ISO 27017:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    These articles will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  • QMS scope narrowed to one department

    In our Department, there are about 7 units, and about 100 employees. My question is whether the Department can get ISO 9001 . Regardless Our organization get it or not?..

    Answer:

    Theoretically, it is possible but I'm failing to see the value in it. QMS is developed to be applied in whole organization and it contain requirements for the entire organization. If you decide to implement it only in one department, it means that the rest of the organization will be the client and supplier of this department, and on the level of the department you will have to define processes, such as purchasing, design and development, etc, and implementing it in just one department would have arguable effect on the conformity of the organization products and services and customer satisfaction. Implementing some parts of the standard can be ben eficial for the department, but implementing QMS that will only cover one department would cause the department to have redundant bureaucracy and not much more

  • Quality objectives and risks


    Answer:

    Fast and short answer: No. It is not a requirement of the standard. On a second thought, doing that can be considered a good project management practice, something called “premortem method”. You can determine the new risks and incorporate actions to deal with them embedded in the quality objectives implementation plan.

    The following material will provide you information about quality objectives and risks:

    - ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
    - How to address risks and opportunities in ISO 9001 - https://adv isera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Scope definition


    We have yet to start on anything yet.

    Let describe the situation.

    - Our company was awarded a concession contract by the government to build a system (operate and maintain for 10 years).
    - A subsidiary was set-up to design and built this system for the government.
    - The Info security and IT business continuity design must comply to ISO 27001/27002 and 22301 requirements.
    - It is a greenfield project (it will replaced all together the old system and infrastructure)

    Questions:

    1 - We would like to start in defining the scope of ISMS – As it involve the customer sites (the government agency and its branches), and also development (at new subsidiary) and the operations (a command center, DC & DR) at customer sites – how do we scope this ISMS implementation?

    Answer: An ISO 27001 ISMS scope can be defined in terms of locations, processes or business units, so, considering the information you provided, you may define the ISMS scope in terms of customer and subsidiary locations, and the business and supporting processes and infrastructure related to the information system you have to operate and maintain, as well as the related development and maintenance processes. For example:

    "The ISMS scope comprises the process XYZ performed by the information system ABC, and its related infrastructure, which is operated and accessed from the following locations: customer site address 01, ..., customer site address n.

    Also comprises the ISMS scope the information system development and maintenance processes performed at subsidiary site address."

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2 - How do we conduct the risk assessment – there is no (infrastructure) assets (it is a greenfield project) for us to identify. Asset based risk assessment will be a bit difficult to implement. Can you advise and point to the right resources for scenario based RA or other risk assessment methodology that is suitable. The context of risk assessment should cover the company (who develop the system) and also the government agency (where the system will be in operation).

    Answer: Since you are working with a greenfield project, first you should identify the requirements, assumptions and constrains for this system, its related IT infrastructure, and the locations where the system will operate, so you can devise how this implementation should be performed (as in all project, you have to identify the deliverables in order to know what you have to build and how).

    After that you can create a scenario on which the system will operate and then you can identify the elements you should consider in your risk assessment. For example, in one site you can identify that you may have an average of 1000 simultaneous accesses and that it is in a highly populated area subject to storms and floods. This information will give you an idea about the systems requirements (either for software and infrastructure).

    You also should consider information from the current system (e.g., configurations, schemes, incident history) so you can have an idea of what this new system should have and what it should avoid.

    Considering this approach, you can use the asset based methodology to perform your risk assessment.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • ISO 27001 Lead Auditor or CISA?


    Which one should I choose?

    Answer: This will depend of the type and depth of the activities you desire to perform. If your want to focus on information security management, you should consider ISO 27001 LA. If you want to go beyond the scope of information security, and also consider the strategic relationships between information security and the information systems and business objectives you should consider CISA. Please note that these courses do not exclude each other, they only offer different perspectives about how information interacts with business.

    This article will provide you further explanation about CISA and ISO 27001:
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    This material will also help you regarding ISO 27001 Lead Auditor:
    - ISO 27001 Lead Auditor Course preparation train ing [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

  • Cloud environment and information security scope/boundaries


    Additionally, where does the responsibility and accountability fall in this type of model.

    Answer: The main concern regarding information security in cloud environments when it is provided by cloud service providers is the level of access the providers will have to the organization's information and systems, because this will have a direct impact in the controls that will have to be implemented to each party, and in the contractual clauses that will have to be included in the service agreement with the providers.

    For example, a IaaS provider will not have access to the organization's systems, only to the physical infrastructure. On the other hand, a SaaS provider will have access to systems and data. So these two scenarios will require completely different security requirements to be fulfilled.

    This article will provide you further explanation about scope considering cloud environments:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

  • Internal Audit performed using Annex A

    I'm assuming you are referring to plan specific dates to audit each control of the Annex A. Considering that, there is no problem with this approach. My only suggestion to you is, if you have many controls to audit, you should consider grouping them in a way that in a single audit you can cover as many controls as possible, reducing the quantity of audits you have to perform. As criteria to group controls you can consider controls related to the same process, or implemented in the same location or business unit you are going to audit.

    This article will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • Lack of statement of applicability

    First of all you should understand that if this organization is planning to be certified against ISO 27001, the lack of the statement of applicability is a major non conformity that can prevent the certification audit to proceed until an approved statement is available. So, if this internal audit you mentioned is related to an ISMS implementation aiming for certification, you should solve this question as soon as possible to ensure this issue will not compromise the certification audit. For more information about the Statement of Applicability, please read this article: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    Regarding internal audits, an organization can decide to proceed with the audit even with the lack of the statement. In practical terms, the lack of the statement of applicability only will make your audit work harder. You should look for the approved risk assessment report and risk treatment plan to identify which risks are to be treated a nd how the organization proposes to treat them. These information will not be sufficient to cover the requirements of the statement of applicability (this lack of documentation will be your first non conformity), but you at least will have some information to audit the controls the organization has decided to implement. In the case you do not have either the approved risk assessment report nor the risk treatment plan then you cannot proceed with the audit, because you will not have enough information to know which controls to audit.

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/

  • Documentation


    Answer:
    Most of the ISO standards, including ISO 20000 in section, contains requirements for the documents. Additionally, you have to be careful while creating document templates and documents related to processes and procedures in order to avoid overhead.
    Our toolkit contains "Procedure for Document and Record Control" (https://advisera.com//wp-content/uploads//sites/6/2015/06/Procedure_for_Document_and_Record_Control_Premium_EN.pdf) which is used to set rules for all documents in scope of the SMS.

    In following articles you can find few details how to approach the topic:
    "How to structure ISO 20000 documentation" https://advisera.com/20000academy/blog/2016/09/27/how-to-structure-iso20000-documentation/
    "Defining roles and responsibilities for ISO 20000-based IT Service Management" https://ad visera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/

  • Nonconforming output and nonconformity


    Answer:

    I would like to have more context about the use of the two words. Nevertheless I will try to give an explanation. Nonconforming output is related to the non-compliance with a specification associated with a final or intermediate product or service. Nonconformity can be used in the same context as nonconforming output or, more generally, whenever there is the non-fulfillment of a requirement of a management system. For example, a company did not performed the re-evaluation of its supplier base as scheduled.

    The following material will provide you information about nonconformities:

    - ISO 9001 – Understanding dispositions for ISO 9001 nonconforming product - https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/
    - ISO 9001 - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/ ion/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
Page 838-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +