Search results

  • SoA availability

    But then how do you (as a customer) really know what the true value of a supplier's ISO 27001 certification is if you don't know which controls are or are not implemented?
  • Scope definition

    Answer: You can exclude business units you do not consider relevant to the ISMS scope (they would be treated as external parties), but you should evaluate whether the administrative and operational effort resulting from this separation wouldn't be greater than the effort of including some or all of those units in the scope. For example, business units operating on a different floor are easy to segregate, but for those in the same office room the segregation effort probably wouldn't be worthwhile.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Employee training and awareness

    Answer: Although there is some common knowledge the employees should be trained in, for a precise answer you should consider your risk treatment plan, because there you will find information about all the controls that must be implemented, and then you can evaluate for each control the level of training you have to provide, considering technical staff, managers and end users.

    You should note that the employees do not need to be trained in the whole ISO 27001 standard (except perhaps the person responsible for the ISMS), only for the particular controls related to their activities.

    For the more common training to be considered, I suggest you take a look at this article:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    This article will provide you further explanation about awareness and training:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301

    These materials will also help you regarding awareness and training:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISMS scope definition

    Thank you so much for this clear explanation!
  • Stakeholder info to document

    Yes, the information you are gathering will give you a good overview of the needs and expectations of interested parties, and it covers the clause's requirements:
    - which interested parties are relevant to the ISMS
    - which requirements of these interested parties are relevant to information security

    For the stakeholder analysis you should also consider whether there is any implemented control to meet these requirements.

    These articles will provide you further explanation about interested parties analysis:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    This material will also help you regarding interested parties analysis:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Product requirements review record

    Answer: The purpose of the product/service requirements review records (clause 8.2.3.2) is for the organization to ensure that it can provide the required product in the required quantity and quality. Basically this is a review of the customer requirements, and all you need is a record where you document the customer requirements and also whether your organization is able to meet them.

    This of course is not required in retail, where you cannot record and review the requirements of every customer, but rather in a wholesale process or when the customer has requirements that are not part of your usual products and you want to evaluate whether it is feasible and profitable to meet them. Here you can download a free preview of our Customer Requirement Review Checklist https://advisera.com/9001academy/documentation/customer-requirement-review-checklist/

    As far as the records for controls, outputs and changes go, in my opinion it is best to use the Quality Plan https://advisera.com/9001academy/documentation/quality-plan/
  • Language of the work instructions

    Many thanks for your help - that answers my question fully.
  • Context of the organization

    My answer:

    It is up to the organization to determine how often the evaluation of the context and of the interested parties is necessary. My recommendation is to start by doing it every six months in order to update and improve the analysis.

    For more information about the context of the organization you can read "How to identify the context of the organization in ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

    These materials can also help you with the implementation of ISO 9001:

    - Book "Discover ISO 9001:2015 Through Practical Examples" (in English: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/)

    - Free online course "ISO 9001:2015 Foundations": https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Controls applicability

    - A.5.1.1 – Policies for information security
    - A.5.1.2 – Review of the policies for information security
    - A.6.1.1 – Information security roles and responsibilities
    - A.12.1.2 – Change management
    - A.18.1.1 – Identification of applicable legislation and contractual requirements
    - A.18.1.2 – Intellectual property rights

    After having a look at your website, I found out that the following controls are listed as mandatory:
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Inventory of assets (clause A.8.1.1)
    - Acceptable use of assets (clause A.8.1.3)
    - Access control policy (clause A.9.1.1)
    - Operating procedures for IT management (clause A.12.1.1)
    - Secure system engineering principles (clause A.14.2.5)
    - Supplier security policy (clause A.15.1.1)
    - Incident management procedure (clause A.16.1.5)
    - Business continuity procedures (clause A.17.1.2)
    - Statutory, regulatory, and contractual requirements (clause A.18.1.1)

    I have very much enjoyed your online course. It has provided helpful information and tips but now I am facing a great dilemma. Which of the above information is correct and why…

    I only guess that the word ‘documented’ determines which controls are mandatory. However, A.7.1.2 is not described as ‘documented’ in Annex A (I have ISO/IEC 27001:2014). On the other hand, I do not understand why controls in Annex A can be regarded as mandatory. Does this mean that an organization cannot exclude them in the Statement of Applicability even if they are not considered as applicable?! Hard to believe.

    As I often trust the information and knowledge provided in your online course, I hope you can provide some satisfactory clarification on this issue.

    Answer: Controls listed in ISO 27001 Annex A are mandatory only to treat risks deemed unacceptable, to comply with laws, contracts or other legal requirements, or if demanded by top management decisions. So, if any one of these reasons applies, an organization cannot state a control as not applicable if it wants to certify its ISMS against ISO 27001.

    Considering the controls mentioned by the auditor, they are needed to support the organization's fulfilment of ISO 27001 requirements for certification (the condition to comply with legal requirements is applicable here):
    - Control A.5.1.1 would help cover clause 5.2 (Policy), because an organization has to have at least the Information Security Policy
    - Control A.5.1.2 would help cover clause 9.3 (Management Review), because if on no other occasion, policies should be reviewed at the management review
    - Control A.6.1.1 would help cover clause 5.3 (Organizational roles, responsibilities and authorities)
    - Control A.12.1.2 would help cover clauses 7.5.3 c) (control of documented information) and 10.1 e) (Nonconformity and corrective action)
    - Control A.18.1.1 would help cover clause 4.2 (Understanding the needs and expectations of interested parties)

    In my view, only control A.18.1.2 – Intellectual property rights does not have an explicit link with the standard's clauses (they do not mention intellectual property rights or the use of proprietary software products), but it is unlikely that an organization can operate without considering them (an organization should at least consider its own intellectual property and proprietary software).