
  • Requirements from interested parties for working in public places


    Answer:

    An employee working in a public place is not an interested party, because he/she is part of your company - this person will have to comply with the security policies and procedures that your company develops. Therefore, the security requirements will come from within your company, not from an interested party.

    By the way, you will be able to define the security rules for an employee working in public place after you perform the risk assessment and treatment, this article will explain you the concept: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    To learn more about interested parties read these articles:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding security controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Leadership

    In the process characterization I establish the accountability of the process leaders, and in the quality meetings, how do I carry them out?
    Should I establish a characterization for the leadership part, "Management"?

    My answer:

    A GAP analysis can be a good tool in the implementation of ISO 14001:2015 to focus the leadership and commitment of top management. You can also consider the existing process map to connect it with the document management responsibilities for each type of process.

    As for top management or "management", it will need to comply with the following aspects:
    - Ensure that the organization's strategic plans and objectives are compatible and integrated, and that they fall within the scope of the organization.
    - Ensure that the necessary resources are available and that the EMS can interact with the existing business processes.
    - Take responsibility for delegating to and directing employees in order to ensure that the performance objectives are met.
    - Ensure that continual improvement is achieved.
    - Provide leadership to other supporting positions within the organization to ensure that the overall goals are met.
    - Communication: ensure that critical objectives, aspects, and performance parameters and results are communicated effectively and continuously to all interested parties.

    For more information, see: https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/
  • Controls applicability


    P.S. We did a risk assessment for the IT services delivered and chose the controls from A.15 for risk mitigation.

    Answer: Even if your organization's IT operations are outsourced, some controls from section A.12 might still be applicable to it, like A.12.1.2 (change management), A.12.1.3 (capacity management), and A.12.7.1 (information systems audit controls), so you have to perform an evaluation first to verify this situation before considering all controls as "not applicable". For those that are totally under the provider's control you can state them as "not applicable", providing as justification that the IT operation is outsourced.

    Regarding stating a control as "applicable" by referring it to the ISMS of another organization, you cannot do that because you do not have control over the provider's ISMS (at most you are an interested party - a customer - that is considered in that ISMS context). For situations like that you can state controls from section A.15 as "applicable" to your ISMS, to ensure that the provider will take as much care of IT security as if you were performing the IT operations yourself. For example, if in your IT operations you would use backup practices, you have to ensure that the service agreement also defines that the provider has to use backup practices.

    This article will provide you further explanation about suppliers and controls applicability:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    These materials will also help you regarding supplies and controls applicability:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Implementation alternatives


    Answer: The first thing you should consider is the duration of your ISO 27001 implementation project and the deadline for EU GDPR compliance. If your project can be concluded before the deadline maybe it is better to start with ISO 27001 because, as you said, it can deliver an environment which satisfies GDPR and other requirements your organization may have for the ISMS.

    If your project cannot be finished before the deadline, you should consider whether a reduction in the certification scope, e.g. to cover only the part of the original scope that would be related to the EU GDPR, can allow you to meet the deadline, and whether postponing the implementation of the remaining scope is acceptable (since the management part of the system will already be implemented, you will have fewer activities to perform).

    If none of these alternatives are acceptable, then you should consider going first for EU GDPR compliance, and after that make arrangements in the ISO 27001 implementation project to include those controls in the system.

    These articles will provide you further explanation about ISO 27001 projects:
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    These materials will also help you regarding ISO 27001 projects:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
  • Temporary change process controls


    Answer:

    The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan.

    The standard requires a documented procedure for managing the use of alternate controls, and this can be part of your production procedure; standard work instructions are required for each alternate control.
  • ISO 31000 and ISO 27001


    Answer: Yes, but as a means to provide a common basis to align information security risk management with other types of risk management in a company (e.g., quality risks, environmental risks, etc.). ISO 31000 by itself is not enough to comply with ISO 27001 because the risk management requirements in ISO 27001 are much more detailed than in ISO 31000.

    This article will provide you further explanation about Risk Management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    These materials will also help you regarding Risk Management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Business Continuity Lifecycle document


    Answer: According to ISO 22301, there is no requirement demanding such a specific document, so unless defined by your organization, a law or another legal requirement, like a contract, you do not need to have it in your management system.

    The business continuity life cycle is covered by the standard's clauses 8.2 to 8.5, so, considering the list of documents that comes with your toolkit, you can share the following documents (of course the auditor can ask about the records related to these documents too):

    Business Impact Analysis Methodology
    Business Continuity Strategy
    Business Continuity Plan
    Incident Response Plan
    Disaster Recovery Plan
    Exercising and Testing Plan
    BCMS Maintenance and Review Plan

    This article will provide you further explanation about mandatory documents for ISO 22301:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
  • Becoming an auditor


    Answer: Yes, your previous experience will count in your formation as an auditor. Your competencies in IT will help you understand the auditee's scenario, define what you should look for as evidence, and define proper nonconformity statements and recommendations for improvement.

    To start your journey to become an information security auditor you should attend an ISO 27001 lead auditor course, so you can understand the concepts of the ISO 27001 management system and the processes and techniques involved in an audit. After passing the course you need to accumulate audit hours, first as an observer, and after that as an audit team member, so you can gain understanding and experience in practical audits. After sufficient auditing hours, and good evaluations from your team leader, you can achieve the status of auditor and after that lead auditor.

    This article will provide you further explanation about becoming an auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding auditing:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Compliance list

    Many thanks.
  • Information security implementation


    Answer: Considering the situation you presented, it seems you need a quick action to fix some issues as soon as possible and a longer-term plan to maintain the results. Also, considering you mentioned a limited staff, maybe hiring a cyber expert for the quick action would be the best option, even considering the higher costs of a consultant, because in this case delaying the fixes leaves you vulnerable for much more time. And you could ask the consultant to use the practices of Cyber Essentials as a reference.

    For the longer-term plan, the implementation of ISO 27001 can help you manage the implemented security, and for that you have three implementation alternatives: hiring a consultant (maybe the same one you hired for the quick fix), implementing on your own, or implementing on your own with expert support. Each alternative has its pros and cons, and I suggest you take a look at this white paper to identify which alternative is best for you: Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    Regardless of the way you choose, when ISO 27001 is implemented properly, you won't focus too much on documentation - rather, you'll focus on changing the way your employees are using the technology, and therefore decrease the number of security incidents. Here's an article that will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    This article will provide you further explanation about information security implementation:
    - 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

    These materials will also help you regarding information security implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/