
  • Scope and asset definition


    1. May we/should we exclude third-party cloud providers (document management, e-mail, and time and billing)? [Note: Most have their own ISO 27001 certifications—may we or should we reference these in our documentation, or would that only confuse things?]

    Answer: By the scenario you described, you do not need to include the third-party cloud providers in your scope. The main point to consider here is how much direct control your firm has over the applications and databases hosted on the outsourced IT services. If you can manage the applications (e.g., create and manage user accounts, change configurations, etc.), you should include the applications in your scope. If all this management work is performed by the provider, you have to include only the databases in your ISMS scope (e.g., email database, documentation database, time and billing database).

    2. Should we include our IT service provider? If so, how deeply must we delve into their systems? [They provide similar services to many companies, and have visibility into our system for maintenance and troubleshooting.]

    Answer: As explained in the first answer, you do not have to include your IT service provider in the scope.

    These articles will provide you further explanation about scope definition:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    3. A related question pertains to the distinction between a company and its software. For example, Microsoft as a company may be subject to threats such as breach of contractual relations or equipment failure. At the same time, its software (in this case Office 365) may have its own threats and vulnerabilities, such as application errors, inadequate patching, etc. Should these be combined in the risk assessment table as a single reference to Microsoft with all related threats and vulnerabilities, or should it be broken out as third-party provider and software? (Assuming, of course, that they are included at all, consistent with our questions above.)

    Answer: Considering your example, if your relationship with Microsoft is limited to the use of Office 365, then "Office 365" is the asset to be assessed, and all identified risks should be associated with it. However, if besides Office 365 you also use other Microsoft products or services (e.g., OneDrive, Skype, Windows, etc.), then an additional asset, called for example "Software Provider - Microsoft", should also be considered for assessment, because now you also have to consider risks in terms of all Microsoft products and services you use, not only the risks for specific ones, and this can be better handled if they are concentrated in a single asset.
  • Security in web applications

    Thank you for your reply.
    Is ISO 27001 combined with 27002 a good idea to secure a web application as well? I mean, there are some points in 27001 that we probably don't need if I want to write a security policy for a web application, and I didn't get a lot of information about 15408 and how it works.
    What do you think about PCI? I'm just trying to find the best norm and explain why. Thanks for your help.
  • 8.5.1.2 Standardized Work
    8.5.1.2 Standardized Work – operator instructions and visual standards

    The organization shall ensure that standardized work instructions are:

    a) Communicated to and understood by the employees who are responsible for performing the work;
    b) Legible;
    c) Presented in the language(s) understood by the personnel who are responsible to follow them;
    d) Accessible for use at the designated work area(s).

    Thank you

    Answer:

    If you have employees of different nationalities, you can choose to define an official language of the company, so that all official documents are required to be written in this language, but this won't resolve your problem with people who don't speak the language.

    For people who do not speak the official language of the company, you can either translate the documents that they need to use and make the documents bilingual, or try to make those documents more pictorial and avoid writing text, presenting them with pictures instead. In any case, you do not have to translate all QMS documents, but only those that are used by employees who don't speak the official language.
  • Making IATF 16949 transition using documentation templates

    Answer:

    The templates can be very useful and save you a lot of time and effort in the transition project. They are usually well formatted and cover all requirements of the standard regarding the documentation. Basically, you will save yourself from spending too much time on details and technicalities related to the standard and can focus on the essence and process control.

    When thinking of purchasing the templates, it is important to make sure they contain all mandatory documents and maybe some non-mandatory documents that can be useful. Also check what kind of support is included in the price: do they offer online meetings, answering your questions by email, document review, etc.?
  • Risk treatment evidences

    What level of documented information is expected here? Am I expected to maintain a separate log or is using the risk treatment plan which details the treatments enough to use as a basis for demonstrating that the treatments have been applied?

    Answer: Besides the Risk Treatment Plan, you also have to maintain evidence of the results achieved with each treatment implemented. For example, if the treatment is monitoring an asset, the evidence may be a log, as you stated. If the treatment is backup, the evidence may be the backup media or the backup media register.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.

    This article will provide you further explanation about risk treatment:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/knowledgebase/risk-treatment-plan-and-risk-treatment-process-whats-the-difference/

    These materials will also help you regarding risk treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Scope definition

    Answer: You cannot set only the software's database as your scope. An ISMS scope should be defined in terms of processes, organizational units or physical locations. Considering this, a suggestion is that you define your scope in terms of the department that handles the development and/or production of that software/database. Another option is to set the scope as your whole company; this is the best solution for smaller companies (e.g., up to 50 employees).

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Surveillance audit and transition

    Yes, you can cancel the surveillance audit and apply directly for the new version. The only thing is that between the moment when you cancel the certification audit and the moment you get the certificate for the new version, your company won't be ISO 9001 certified.
  • Preparing for an audit

    Answer: I'm not sure what you mean by "live auditing", but I'll assume you are referring to a normal on-site audit.

    Regarding its execution, since it focuses on observing the responsible person while he performs his job, the auditor has to be well prepared and informed about the process being audited, so he can quickly identify and ask activity-related questions. Additionally, since this kind of audit practically happens in a live environment, you should take measures to avoid the audit impacting production (e.g., avoid as much as you can the execution of emergency procedures).

    So, in short, you should consider asking for and studying the process documentation beforehand, take notes on the critical activity sequences to be performed, and think about questions to ask such as "why is this kind of activity performed?" and "why is this kind of activity performed in this sequence?" (these questions can help you verify whether the people performing the activity understand what is being done and why).

    These articles will provide you further explanation about preparing for an audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding preparing for an audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Audit practices

    1.1) Your screen/computer should be locked out if you failed login 5 times consecutively.
    1.2) Your password should be expired after 45 days and system should ask to change the password.

    Answer: Typically the auditor will focus on whether the activities performed in a company are compliant with the standard and with internal policies, procedures and plans - in your example, the auditor will check the behaviour of the screen lock feature, and the settings of the password expiry.

    Testing is usually not done by ISO 27001 auditors - the auditor should check whether the responsible person in the company has performed any tests if this was required by the internal documentation; however, ISO 27001 does not prevent internal auditors from performing tests so this is also a possibility.

    2) In one of the cases, we were checking whether the IT team has configured their systems/servers for sending alerts on meeting certain conditions (say, if the memory (RAM) use is more than 80%, etc.), since these servers were performing critical operations.
    2.1) In this case, there were more than 70 systems/servers. So, should we just check some servers randomly (important ones), or should we check all servers even if there are 100+?
    Here, if we sample, let's say, 10 servers:
    2.1.1) Chances are that for these 10 servers the configurations are proper but for the remaining ones they are not.
    2.1.2) Chances are that for some selected servers the configurations are not done. And actually, when we did this for some servers, we found that some of those were not configured.

    Answer: When deciding between 100% checking and verifying a smaller sample, you should evaluate the associated risk assessment results, the previous history of related incidents regarding the potential impacts of an incident occurring, and the available time and resources you have.

    If the decision is to audit a sample, to maximize the reliability that your sample represents your entire scenario, you should use statistical concepts to help you define the size of your sample, which servers will be part of the sample, and the number of acceptable failures among the sample you can have and still maintain the degree of confidence.
  • Monitoring ISMS effectiveness

    ISO 27001 does not require the use of specific means of presenting KPIs to top management, so we do not offer specific dashboard templates. If you used our Matrix of Key Performance Indicators [ISO 9001:2015] to list your KPIs, you can present this document to them.

    But if you are thinking about a meeting presentation using something like PowerPoint, what I can suggest is to use the 30-20-10 rule for presentations: use font size 30, maximum 20 minutes, up to 10 slides. And the presentation should last a maximum of 10 minutes, so you can have 10 minutes for questions and answers. Longer presentations will make top management lose focus on your message.