Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Study material

    Though I have some idea about these but if you can suggest me good books or online material which I can refer to consolidate my Audit knowledge.

    The areas to be audited are as below(in one of the organisations):

    • Physical Security
    • Device / Data Security
    • Human Resource Security
    • IT Environment management
    • Business Information Processing
    • Access to Applications & Network
    • Privacy (data)
    • Backup / Recovery
    • Incident / Problem Management
    • Business Continuity
    • Vendor & Contract management
    • Client contract management

    Answer: Considering ISO standards, I suggest you to take a look at the following materials:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/

    These material will provide you a comprehensive view of such diverse subjects in a not-so-large number of sources of information.

    You also can consult the articles in our knowledge base (https://advisera.com/27001academy/knowledgebase/). There you can find materials divided in subjects covering the topics you mentioned.

  • Documenting clause 8.4.2.2


    Answer:

    The standard requires organization to document a process (procedure) for ensuring that products are compliant with statutory and regulatory requirements related to the product in all countries in which the product arrives within its life cycle. This can be done in procedure for purchasing or in some separate procedure.

  • Legal requirements


    Answer: If your organization must comply with this law then yes, compliance with it is a requirement for ISO 27001 certification.

    Regarding if you should work first on the law or on ISO 27001, the first thing you should consider is the duration of your ISO 27001 implementation project and the deadline for compliance with that law. If your project can be concluded before the deadline, maybe it is better to start with ISO 27001 because, it can deliver an environment which can fulfil both, the law you need to be compliant with and other requirements your organization may have for the ISMS.

    If your project cannot be finished before the deadline, you should consider if a reduction in the certification scope, e.g. to cover only the part of the original scope that would be related to the law yo u must be compliant with, can allow you to meet the deadline, and if postponing the implementation of the remaining scope is acceptable (since the management part of the system will be already implemented you will have less activities to perform).

    If none of these alternatives are acceptable, then you should consider work first for compliance with the law, and after that make arrangements in the ISO 27001 implementation project to include those controls in the system.

    This article will provide you further explanation about ISO 27001 projects:
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    These materials will also help you regarding ISO 27001 projects:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/

  • Requirements from interested parties for working in public places


    Answer:

    Employee working in a public place is not an interested party, because he/she is part of your company - this person will have to comply with the security policies and procedures that your company develops. Therefore, the security requirements will come from within your company, n ot from an interested party.

    By the way, you will be able to define the security rules for an employee working in public place after you perform the risk assessment and treatment, this article will explain you the concept: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    To learn more about interested parties read these articles:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding security controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
    Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course
    https://advisera.com/training/iso-27001-foundations-course/

  • Liderazgo

    En la caracterización de los procesos establezco las rendiciones de cuentas por los lideres de proceso, y en las juntas de calidad como los ejecuto?
    Debo establecer una caracterización para la parte de liderazgo "Gerencia"?

    Mi respuesta:

    El análisis GAP puede ser una buena herramienta en la implementación de ISO 14001:2015 para enfocar el liderazgo y el compromiso de la alta dirección. Puedes considerar también el mapa de procesos existente para conectarlo con las responsabilidades de gestión documental para cada tipo de proceso.

    En cuanto a la alta dirección o "gerencia", necesitará cumplir con los siguientes aspectos:
    - Asegurar que los planes estratégicos de la organización y los objetivos son compatibles y están integrados, y que se encuentran dentro del alcance de la organización.
    - Asegurar que los recursos necesarios están disponibles y que el SGA puede interaccionar con los procesos de negocio existentes.
    - Adoptar la responsabilidad para de legar y dirigir empleados con el fin de asegurar que los objetivos de desempeño son cumplido.
    - Asegurar que la mejora continua se alcance.
    - Proporcionar liderazgo a otros puestos de apoyo dentro de la organización para asegurar que las metas generales son cumplidas.
    - Comunicación: asegurar que los objetivos críticos, aspectos, y los parámetros de desempeño y resultados con comunicados de manera efectiva y continua a todos los grupos de interés.

    Para más información, vea: https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/

  • Controls applicability


    P.S. we did a risk assessment for the IT-Services delivered and Chose the controls from A.15 for rist mitigation.

    Answer: Even if your organization's IT operations are outsourced, some controls from section A.12 might still be applicable to it, like A.12.1.2 (change management), A.12.1.3 (Capacity Management) , and A.12.7.1 (Information systems audit controls), so you have to perform an evaluation first to verify this situation before consider all controls as "not applicable". For those t hat are totally under the provider control you can state them as "not applicable", providing as justification the IT operation is outsourced.

    Regarding stating a control as "applicable" referring it to the ISMS of another organization, you cannot do that because you do not have control over provider's ISMS (at most you are an interested party - customer - that is considered in that ISMS context). For situations like that you can state controls from section A.15 as "applicable" to your ISMS, to ensure that the provider will take as much care of IT security as if you were performing the IT operations yourself. For example, if in your IT operations you would use backup practices, you have to ensure the service agreement also define that the provider also has I to use backup practices.

    This article will provide you further explanation about suppliers and controls applicability:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    These materials will also help you regarding supplies and controls applicability:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Implementation alternatives


    Answer: The first thing you should consider is the duration of your ISO 27001 implementation project and the deadline for EU GDPR compliance. If your project can be concluded before the deadline maybe it is better to start with ISO 27001 because, as you said, it can deliver an environment which satisfies GDPR and other requirements your organization may have for the ISMS.

    If your project cannot be finished before the deadline, you should consider if a reduction in the certification scope, e.g. to cover only the part of the original scope that would be related to EU GDPR, can allow you to meet the deadline, and if post poning the implementation of the remaining scope is acceptable (since the management part of the system will be already implemented you will have less activities to perform).

    If none of these alternatives are acceptable, then you should consider going first for EU GDPR compliance, and after that make arrangements in the ISO 27001 implementation project to include those controls in the system.

    This articles will provide you further explanation about ISO 27001 projects:
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    These materials will also help you regarding ISO 27001 projects:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/

  • Temporary change process controls


    Answer:

    The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan.

    The standard requires documenting procedure for managing the use of alternate controls and this can be part of your production procedure, and standard work instructions are required for each alternate control.

  • ISO 31000 and ISO 27001


    Answer: Yes, but as means to provide a common basis to align the information security risk management with other types of risk management in a company (e.g., quality risks, environmental risks, etc.). ISO 31000 by itself is not enough to comply with ISO 27001 because risk management requirements in ISO 27001 are much more detailed than in ISO 31000.

    This article will provide you further explanation about Risk Management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    These materials will also help you regarding Risk Management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • Business Continuity Lifecycle document


    Answer: According ISO 22301, there is no requirement demanding such specific document, so unless defined by your organization, a law or another legal requirement, like a contract, you do not need to have it in your management system.

    The business continuity life cycle is covered from standard's clauses 8.2 to 8.5, so, considering the list of documents that comes with your toolkit, you can share the following documents (of course the auditor can ask about the records related to these documents too):

    Business Impact Analysis Methodology
    Business Continuity Strategy
    Business Continuity Plan
    Incident Response Plan
    Disaster Recovery Plan
    Exercising and Testing Plan
    BCMS Maintenance and Review Plan

    This article will provide you further explanation about Mandatory documen ts for ISO 22301:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Page 890-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +