Search results

  • Language of the work instructions

    Many thanks for your help - that answers my question fully.
  • Contexto de la organización


    My answer:

    It is up to the organization to determine how often it is necessary to consider re-evaluating the context and the interested parties. My recommendation is to start by doing it every six months, in order to update and improve the analysis.

    For more information about the context of the organization you can read "How to identify the context of the organization in ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/

    These materials can also help you with the implementation of ISO 9001:

    - Book "Discover ISO 9001:2015 Through Practical Examples" (in English: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/)

    - Free online course "ISO 9001:2015 Foundations": https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Controls applicability

    - A.5.1.1 – Policies for information security
    - A.5.1.2 – Review of the policies for information security
    - A.6.1.1 – Information security roles and responsibilities
    - A.12.1.2 – Change management
    - A.18.1.1 – Identification of applicable legislation and contractual requirements
    - A.18.1.2 – Intellectual property rights

    After having a look at your website, I found out that the following controls are listed as mandatory:
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Inventory of assets (clause A.8.1.1)
    - Acceptable use of assets (clause A.8.1.3)
    - Access control policy (clause A.9.1.1)
    - Operating procedures for IT management (clause A.12.1.1)
    - Secure system engineering principles (clause A.14.2.5)
    - Supplier security policy (clause A.15.1.1)
    - Incident management procedure (clause A.16.1.5)
    - Business continuity procedures (clause A.17.1.2)
    - Statutory, regulatory, and contractual requirements (clause A.18.1.1)

    I have very much enjoyed your online course. It has provided helpful information and tips but now I am facing a great dilemma. Which of the above information is correct and why…

    I only guess that the word ‘documented’ determines which controls are mandatory. However, A.7.1.2 is not described as ‘documented’ in Annex A (I have ISO/IEC 27001:2014). On the other hand, I do not understand why controls in Annex A can be regarded as mandatory. Does this mean that an organization cannot exclude them in the Statement of Applicability even if they are not considered as applicable?! Hard to believe.

    As I often trust the information and knowledge provided in your online course, I hope you can provide some satisfactory clarification on this issue.

    Answer: Controls listed in ISO 27001 Annex A are mandatory only to treat risks deemed unacceptable, to comply with laws, contracts or other legal requirements, or if demanded by top management decisions. So, if any one of these reasons applies, an organization cannot state a control as not applicable if it wants to certify its ISMS against ISO 27001.

    Considering the controls mentioned by the auditor, they are needed to support the organization's fulfilment of ISO 27001 requirements for certification (the condition to comply with legal requirements is applicable here):
    - Control A.5.1.1 would help cover clause 5.2 (Policy), because an organization has to have at least the Information Security Policy
    - Control A.5.1.2 would help cover clause 9.3 (Management Review), because, if on no other occasion, policies should be reviewed at the management review
    - Control A.6.1.1 would help cover clause 5.3 (Organizational roles, responsibilities and authorities)
    - Control A.12.1.2 would help cover clauses 7.5.3 c) (control of documented information) and 10.1 e) (Nonconformity and corrective action)
    - Control A.18.1.1 would help cover clause 4.2 (Understanding the needs and expectations of interested parties)

    In my view, only control A.18.1.2 – Intellectual property rights does not have an explicit link with the standard's clauses (they do not mention intellectual property rights or use of proprietary software products), but it is unlikely that an organization can operate without considering them (an organization should at least consider its own intellectual property and proprietary software).
  • Organizational knowledge and competency


    Answer:

    Organizational knowledge is the knowledge that comes from the experience of operating your processes. For example, consider one process from your company. Then list all activities performed in that process. For each activity, identify which function performs what. Then list what kind of knowledge someone in those functions has to have in order to perform those activities competently. That knowledge can include things like:
    o knowing work instructions;
    o having a professional certificate qualifying the person as a professional welder;
    o knowing how to operate certain machines;
    o knowing how to control the quality of certain parts;
    o knowing how to identify, segregate and manage nonconforming parts.
    When you identify organizational knowledge you do not consider any person in particular; you are using abstract thinking: what kind of knowledge should anyone performing that function have?
    Then look at the actual performance of the process and at the actual persons performing those functions. Do they have the right amount of knowledge? Are they competent enough? Remember, you can have competent people working in a process and, because your company becomes more demanding in performance, perhaps those same people become non-competent.

    The following materials will provide you with details on organizational knowledge:
    - Article - How to manage knowledge of the organization according to ISO 9001
    - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - Article - How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Recognizing certificated organizations


    Answer: Each certification body has a set of rules regarding how an ISO certified organization must demonstrate that it is certified. It generally involves keeping the certificate in a visible place, using the certification body's logo on the organization's marketing material, or providing this information to customers or other interested parties when they request it.

    This article will provide you further explanation about certification:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • Risks definition and SoA


    1 - Is there something else- more specific- that I can get from you in order to do it right?

    Answer: Basically it is rather easy to follow the asset-based methodology: you have to list all the assets, then list all the threats to these assets, and then the related vulnerabilities. The template "Risk Assessment Table" has sheets with examples of assets, threats and vulnerabilities that you can use to identify your organization's risks.

    For risk assessment I suggest you take a look at this article:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    Additionally, I can suggest our free ISO 27001:2013 Foundations Course (https://advisera.com/training/iso-27001-foundations-course/), which will explain to you the basics of risk assessment and treatment.

    If you find that this additional information is not enough to solve your doubts, the toolkit you have includes scheduled consultations with one of our experts, so you can present to him the situations you are facing and he will help you define how to handle them.

    To schedule a consultation with our expert, please access this link: https://advisera.com/27001academy/consultation/ and provide him with as much information as you can, so that at the scheduled time he can give you more effective support.

    2 - In addition- is it mandatory to write the Business Continuity Management Policy?

    Answer: If you want to be compliant with ISO 27001 only, then a Business Continuity Policy is needed; if you want to be compliant with ISO 22301, then the BC Policy is mandatory.
  • Access to suppliers SoA


    Answer: For current suppliers you should consult the service agreement/contract established with each supplier. For new suppliers, having access to their SoA should be a condition of the supplier selection process, because this document can provide you with a general overview of how the supplier handles its own information security. But you should also note that suppliers can refuse to present their SoAs, and you should be prepared to consider that too in your selection process (maybe include visits to the potential supplier's premises for evaluation).

    These articles will provide you further explanation about management of suppliers' information security:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    These materials will also help you regarding management of suppliers' information security:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27031 or ISO 22301

    Hello
    Thank you a lot for this precious enlightenment.
    Or can I take a course close to my location?
    I work at Algeria Telecom Mobile Mobilis as infrastructure NGBSS system administrator, OS and DBA expert level 3,
    in Algiers, Algeria.
    Best Regards.
  • Risk assessment example for agile approaches


    Answer: The most common approach for information security risk assessment is the asset-threat-vulnerability methodology, which in my opinion fits very nicely with the concept of agile approaches (quick to perform and requires little documentation). You can find detailed information in the following articles:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    For a graphic view, I suggest you see this free downloadable material:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/