What is the difference between the asset owner and the risk owner?
Answer: The asset owner is the person responsible for protecting and managing an asset in your company, while the risk owner is a person designated to solve a risk. Although these are different roles, they can be performed by the same person in a small organization, but you should note that designating these roles to the same person becomes increasingly complex as the quantity of assets and risks under that person's responsibility increases.
Answer: This statement is only a recommendation. ISO 27001 control A.8.2.2 (Labeling of information) does not define any form of labeling, only that a labeling procedure must be defined and implemented (if the control is considered applicable). How to label information is an organization's decision. In cases where the implementation of labeling is not feasible, or would require too much effort or too many resources, an organization can define that labeling will not be applicable.
Answer: To ensure a better alignment between information security and cyber security practices, it is better to consider the Cyber Security Policy as a section of your Information Security Policy. Regarding which points you should consider, a good reference is the ISO 27032 standard, which provides guidelines for cyber security. In terms of policies, you should consider the following topics:
- Guidelines to be followed when you are an information providing organization and when you are an information receiving organization
- Classification and categorization of information
- Information minimization
- Limited audience
- Coordination protocol
Answer: In principle, any process and/or organizational unit can be excluded from the ISMS scope, but sometimes the effort to implement such segregation is not worthwhile (e.g., the organization is too small, or the process/organizational unit has many relations with elements included in the scope), so your organization should evaluate this situation first before deciding whether or not to include purchasing in the scope.
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
GDPR implementation process in a non-EU country
Answer: Your company needs to be compliant with the GDPR only if it collects personal data from citizens of the European Union; if you do not collect such information, then you do not have to be compliant. This principle is valid no matter whether your company is based in the EU or outside of it.
No. Since each organization has unique requirements for information security and risk tolerance, and a threat may be handled by different sets of controls, it is unfeasible to build such a mapping considering all possible alternatives. To build a map considering your organization's requirements, you should perform a risk assessment.
Answer: In terms of mandatory documentation, ISO 27001 requires two types of policies:
- The Information Security Policy referred to in clause 5.2 (Policy)
- Information Security policies related to controls from ISO 27001 Annex A if there are risks which would require their implementation (e.g., Access control policy, required by clause A.9.1.1)
For more information about ISO 27001 mandatory documentation, please see this article: List of mandatory documents required by ISO 27001 (2013 revision).
These materials will also help you regarding information security policies:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Non-conformity identification
Answer: To support your assumption that there is no correct segregation of tasks or of environments, you have to identify a policy or procedure which defines the rules for access control, and then evaluate whether the situation is compliant or not with the established rules.
If the situation is not compliant with the established rules, you can declare a non-conformity.
If there is no policy or procedure available, you should look at the risk assessment results and applicable legal requirements (e.g., laws and contractual clauses), and then evaluate whether the situation is compliant or not with them. If the situation is not compliant with the risk assessment results or legal requirements, you can declare a non-conformity.
In a management system one can consider three kinds of action:
- Correction action;
- Corrective action; and
- Preventive action.
Correction action is about dealing with a non-conformity. The purpose is to eliminate the non-conformity. For example, rework a defective part.
Corrective action is about eliminating the cause of a particular non-conformity. For example, why is the part defective? Because our temperature control system during production is not working properly. A corrective action can improve the temperature control system and eliminate that kind of defect.
Preventive action is about eliminating the cause of a potential non-conformity. For example, what kind of actions should the company develop to reduce the monthly frequency of defective parts?