Organizational knowledge is the knowledge that comes from the experience of operating your processes. For example, consider one process from your company. Then, list all activities performed in that process. For each activity, identify which function performs what. Then, list what kind of knowledge someone in those functions has to have in order to perform those activities competently. That knowledge can include things like:
- knowing work instructions;
- having a professional certificate qualifying the person as a professional welder;
- knowing how to operate certain machines;
- knowing how to control the quality of certain parts;
- knowing how to identify, segregate and manage nonconforming parts.
When you identify organizational knowledge you do not consider any person in particular; you are using abstract thinking: what kind of knowledge should anyone performing that function have?
Then, look at the actual performance of the process and at the actual persons performing those functions. Do they have the right amount of knowledge? Are they competent enough? Remember, you can have competent people working in a process and, because your company becomes more demanding about performance, perhaps those same people become non-competent.
Answer: Each certification body has a set of rules regarding how an ISO certified organization may demonstrate it is certified. It generally involves keeping the certificate in a visible place, using the certification body's logo on the organization's marketing material, or providing this information to customers or other interested parties when they request it.
1 - Is there something else, more specific, that I can get from you in order to do it right?
Answer: Basically, it is rather easy to follow the asset-based methodology: you have to list all the assets, then list all the threats to these assets, and then the related vulnerabilities. The template "Risk Assessment Table" has sheets with examples of assets, threats and vulnerabilities you can use to identify your organization's risks.
If you find that this additional information is not enough to resolve your doubts, the toolkit includes scheduled consultations with one of our experts, so you can present to him the situations you are facing and he will help you define how to handle them.
To schedule a consultation with our expert, please access this link: https://advisera.com/27001academy/consultation/ and provide him with as much information as you can, so that at the scheduled time he can provide you more effective support.
2 - In addition, is it mandatory to write the Business Continuity Management Policy?
Answer: If you want to be compliant with ISO 27001 only, then the Business Continuity Policy is needed; if you want to be compliant with ISO 22301, then the BC Policy is mandatory.
Access to suppliers' SoA
Answer: For current suppliers you should consult the service agreement/contract established with each supplier. For new suppliers, having access to their SoA should be a condition of the supplier selection process, because this document can provide you a general overview of how the supplier handles its own information security. But you should also note that suppliers can refuse to present their SoAs, and you should be prepared to consider that too in your selection process (maybe include visits to the potential supplier's premises for evaluation).
Hello,
Thank you a lot for this precious enlightenment.
Or can I take a course close to my location?
I work at Algeria Telecom Mobile Mobilis as infrastructure NGBSS system administrator, OS and DBA expert level 3.
In Algiers, Algeria.
Best Regards.
Answer: The ISO 27001 standard describes how to manage information security in an organization, while COBIT provides implementable controls over information technology, organized into IT-related processes. ISO 27001 provides many security control objectives applicable to information technology that can be used to enhance the effectiveness of COBIT processes (e.g., controls from section A.13.1 Network security management). Additionally, COBIT governance practices and ISO 27001 context understanding requirements can be used together to better align information security and information technology with business objectives.
This article will provide you further explanation about COBIT and ISO 27001:
- How to integrate COSO, COBIT, and ISO 27001 frameworks
Answer: First of all, the expression "there is no risk" is kind of incorrect (there is no risk-free situation). A more appropriate expression would be "all current risks are acceptable."
That said, to state "sufficiency of controls" a company should identify which controls are applied to each identified risk and how these controls are being measured and evaluated to ensure they are sufficient. Based on that information an auditor can look for evidence of compliance. As for the identification of the most important controls to ensure sufficiency, besides the identified risks you should consider the security requirements and objectives established to build a checklist of what to look for. Seasoned auditors can rely on their experience to quickly identify them.
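The two answers above (the asset-based risk assessment and the "sufficiency of controls" check) describe one workflow: link each asset to its threats and vulnerabilities, score the risk, record which controls are applied and how their effectiveness is evidenced, and then decide whether all residual risks are acceptable. The following Python script is an added illustration of that workflow; it is not the toolkit's "Risk Assessment Table" nor any Advisera material. The 1-5 likelihood/impact scale, the acceptance threshold, the sample assets, threats, vulnerabilities and control names are all constructed assumptions.

```python
"""Minimal asset-based risk register (added example; the scoring scale,
sample data and control names are constructed assumptions, not part of
any standard or of the toolkit template)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed acceptance criterion: residual risk (likelihood x impact) above
# this value is not acceptable and needs further treatment.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0   # points taken off likelihood (1-5 scale)
    reduces_impact: int = 0       # points taken off impact (1-5 scale)
    # How effectiveness is measured/evidenced; None means an auditor would
    # find no evidence that the control is actually working.
    evidence: Optional[str] = None


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score after the applied controls; each factor floors at 1."""
        lik = self.likelihood - sum(c.reduces_likelihood for c in self.controls)
        imp = self.impact - sum(c.reduces_impact for c in self.controls)
        return max(lik, 1) * max(imp, 1)

    def acceptable(self) -> bool:
        return self.residual() <= ACCEPTANCE_THRESHOLD


def treatment_required(register: List[Risk]) -> List[Tuple[str, str]]:
    """(asset, threat) pairs whose residual risk is still above the threshold."""
    return [(r.asset, r.threat) for r in register if not r.acceptable()]


def all_risks_acceptable(register: List[Risk]) -> bool:
    """The defensible statement is 'all current risks are acceptable',
    never 'there is no risk'."""
    return not treatment_required(register)


def audit_gaps(register: List[Risk]) -> List[Tuple[str, str]]:
    """Controls credited in the register but lacking measurement evidence:
    exactly what an auditor checking 'sufficiency of controls' would flag."""
    return [(r.asset, c.name) for r in register for c in r.controls
            if c.evidence is None]


# Constructed sample register (assets -> threats -> vulnerabilities -> controls).
SAMPLE_REGISTER: List[Risk] = [
    Risk("Customer database", "Unauthorized access", "Weak passwords", 4, 5, [
        Control("Multi-factor authentication", reduces_likelihood=2,
                evidence="monthly access review report"),
        Control("Disk encryption", reduces_impact=1, evidence=None),
    ]),
    Risk("Office laptops", "Theft", "Unencrypted disk", 3, 4, [
        Control("Full-disk encryption", reduces_impact=3,
                evidence="MDM compliance report"),
    ]),
    Risk("Web server", "Service outage", "No backup power", 2, 3, []),
]


def report(register: List[Risk]) -> List[str]:
    """One line per risk, suitable for a register printout."""
    return [f"{r.asset} / {r.threat}: inherent={r.inherent()} "
            f"residual={r.residual()} acceptable={r.acceptable()}"
            for r in register]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER)))
    print("Treatment required:", treatment_required(SAMPLE_REGISTER))
    print("All risks acceptable:", all_risks_acceptable(SAMPLE_REGISTER))
    print("Controls without evidence:", audit_gaps(SAMPLE_REGISTER))
```

Running the script shows the point of the two answers in one place: the customer database risk stays above the threshold even with two controls applied, so the company cannot claim all risks are acceptable yet, and the disk-encryption control has no evidence attached, so an auditor would not accept it as part of the "sufficiency" argument until a measurement (a scan report, a compliance export) is recorded against it.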
Answer: Although ISO 27001 does not prescribe any methodology for risk management, its requirements for risk assessment and treatment can be fulfilled by NIST's RMF (it is not a question of whether they are similar or not, but of the fact that RMF is a framework that fits ISO 27001 very nicely).