Answer: For current suppliers you should consult the service agreement/contract established with each supplier. For new suppliers, having access to their SoA should be a condition of the supplier selection process, because this document can provide you with a general overview of how the supplier handles its own information security. But you should also note that suppliers can refuse to present their SoAs, and you should be prepared to consider that too in your selection process (maybe include visits to potential suppliers' premises for evaluation).
Hello,
Thank you a lot for this precious enlightenment.
Or can I take a course close to my location?
I work at Algeria Telecom Mobile Mobilis as infrastructure NGBSS system administrator, OS and DBA expert level 3,
in Algiers, Algeria.
Best Regards.
Answer: ISO 27001 standard describes how to manage information security in an organization, while COBIT provides implementable controls over information technology, organized into IT-related processes. ISO 27001 provides many security control objectives applicable to information technology that can be used to enhance effectiveness of COBIT (e.g., controls from section A.13.1 Network security management) processes. Additionally, COBIT governance practices and ISO 27001 context understanding requirements can be used together to better align information security and information technology with business objectives.
This article will provide you with further explanation about COBIT and ISO 27001:
- How to integrate COSO, COBIT, and ISO 27001 frameworks
Answer: First of all, the expression "there is no risk" is kind of incorrect (there is no risk-free situation). A more appropriate expression would be "all current risks are acceptable."
That said, to state "sufficiency of controls" a company should identify which controls are applied to each identified risk and how these controls are being measured and evaluated to ensure they are sufficient. Based on that information an auditor can look for evidence of compliance. As for the identification of the most important control to ensure sufficiency, besides the identified risk you should consider the security requirements and objectives established to build a checklist of what to look for. Seasoned auditors can rely on their experience to quickly identify them.
Answer: Although ISO 27001 does not prescribe any methodology for risk management, its requirements for risk assessment and treatment can be fulfilled by NIST's RMF (it is not a question of whether they are similar or not, but that RMF is a framework that fits ISO 27001 very nicely).
Auditing documentation requirements for ISO 9001 and ISO 13485
Answer: If your Quality Management System is compliant with both ISO 9001 and ISO 13485, during the internal audit you need to check compliance with both standards. When it comes to common requirements or requirements related to the same elements of the system, you need to audit against the requirements of both standards. Whichever standard has stricter requirements, those requirements should be applied and auditing should be done against those requirements.
Another option is to conduct separate audits for ISO 9001 and ISO 13485, but this would just mean that you will double the work.
Answer: For the purposes of a simple risk assessment, there is no difference if you add or multiply likelihood and consequence to calculate the risk. The difference would only make sense for statistical calculations, which are not required for simple risk assessment.
The standard requires the organization to ensure confidentiality of the customer-contracted products and projects under development, including related product information. The standard does not specify what kind of protection of the information should be applied, and in most cases it is either defined by the customer or the usual confidentiality rules of the company are applied.
As far as documenting the requirement in the manual goes, you should explain what rules for confidentiality your company applies and who is responsible for enforcing those rules.