Search results


  • Risk treatment evidence


    What level of documented information is expected here? Am I expected to maintain a separate log, or is using the risk treatment plan, which details the treatments, enough as a basis for demonstrating that the treatments have been applied?

    Answer: Besides the Risk Treatment Plan, you also have to maintain evidence of the results achieved with each treatment implemented. For example, if the treatment is monitoring an asset, the evidence may be logs, as you stated. If the treatment is backup, the evidence may be the backup media or the backup media register.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.

    This article will provide you further explanation about risk treatment:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/knowledgebase/risk-treatment-plan-and-risk-treatment-process-whats-the-difference/

    These materials will also help you regarding risk treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Scope definition


    Answer: You cannot set only the software's database as your scope. An ISMS scope should be defined in terms of processes, organizational units or physical locations. Considering this, a suggestion is that you define your scope in terms of the department that handles the development and/or production of that software/database. Another option is to set the scope as your whole company; this is the best solution for smaller companies (e.g. up to 50 employees).

    These articles will provide you further explanation about Scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding Scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Surveillance audit and transition

    Yes, you can cancel the surveillance audit and apply directly for the new version. The only thing is that between the moment when you cancel the certification audit and the moment you get the certificate for the new version, your company won't be ISO 9001 certified.
  • Preparing for an audit


    Answer: I'm not sure what you mean by "live auditing", but I'll assume you are referring to a normal on-site audit.

    Regarding its execution, since it focuses on observing the person responsible while he performs his job, the auditor has to be well prepared and informed about the process being audited, so he can quickly identify and ask activity-related questions. Additionally, since this kind of audit practically happens in a live environment, you should take measures to avoid the audit impacting production (e.g., avoid as much as you can the execution of emergency procedures).

    So, in short, you should consider asking for and studying the process documentation beforehand, taking notes on the sequences of critical activities to be performed, and thinking about questions to ask, like "why is this kind of activity performed?" and "why is this kind of activity performed in this sequence?" (these questions can help you verify whether the people performing the activity understand what is being done and why).

    This article will provide you further explanation about preparing for an audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding preparing for an audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Audit practices

    1.1) Your screen/computer should be locked out if you fail to log in 5 times consecutively.
    1.2) Your password should expire after 45 days and the system should ask you to change the password.

    Answer: Typically the auditor will focus on whether the activities performed in a company are compliant with the standard and with internal policies, procedures and plans - in your example, the auditor will check the behaviour of the screen lock feature, and the settings of the password expiry.

    Testing is usually not done by ISO 27001 auditors - the auditor should check whether the responsible person in the company has performed any tests if this was required by the internal documentation; however, ISO 27001 does not prevent internal auditors from performing tests so this is also a possibility.

    2) In one of the cases, we were checking whether the IT team had configured their systems/servers to send alerts on meeting certain conditions (say, if the memory (RAM) use is more than 80%, etc.), since these servers were performing critical operations.
    2.1) In this case, there were more than 70 systems/servers. So, should we just check some servers randomly (the important ones), or should we check all servers even if there are 100+?
    Here, if we sample, let's say, 10 servers:
    2.1.1) Chances are that for these 10 servers the configurations are proper, but for the remaining ones they are not.
    2.1.2) Chances are that for some selected servers the configurations are not done. And actually, when we did this for some servers, we found that some of those were not configured.

    Answer: For deciding between 100% checking and verifying a smaller sample, you should evaluate the associated risk assessment results, the previous history of related incidents, the potential impacts of an incident occurring, and the available time and resources you have.

    If the decision is to audit a sample, then to maximize the reliability with which your sample represents your entire scenario, you should use statistical concepts to help you define the size of your sample, which servers will be part of the sample, and the number of acceptable failures you can have in the sample and still maintain the degree of confidence.
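    The answer above says to use statistical concepts to size the sample, pick its members and fix an acceptance number. The following Python script is an added example, not part of the original answer or of any Advisera material, showing one standard way to do that: because servers are drawn without replacement, the hypergeometric distribution gives the probability that a sample of n servers from a population of N, of which D are misconfigured, contains at most c misconfigured ones. The server names and the 70-server scenario are constructed to mirror the question; `sample_size_for_confidence`, `accept_probability`, `select_sample` and `evaluate_sample` are hypothetical helper names.

```python
"""Acceptance sampling for an audit of server configurations (added example).

Hypothetical helpers, not from the original answer: given a population of
servers, decide how many to check so that a configuration gap affecting a
stated number of them would be caught with the desired confidence, pick the
sample reproducibly, and judge the result against an acceptance number.
Sampling is without replacement, so the hypergeometric distribution applies.
"""
import random
from math import comb


def accept_probability(population: int, defects: int, sample_size: int,
                       accept_number: int = 0) -> float:
    """Probability that a random sample of `sample_size` servers contains at most
    `accept_number` misconfigured ones, when `defects` of `population` servers
    are misconfigured (hypergeometric CDF, exact integer arithmetic)."""
    if not 0 <= defects <= population or not 0 <= sample_size <= population:
        raise ValueError("defects and sample_size must lie within the population")
    total = comb(population, sample_size)
    hits = 0
    for k in range(0, min(accept_number, defects, sample_size) + 1):
        # comb() returns 0 when sample_size - k exceeds the conforming pool
        hits += comb(defects, k) * comb(population - defects, sample_size - k)
    return hits / total


def sample_size_for_confidence(population: int, max_tolerable_defects: int,
                               confidence: float = 0.95,
                               accept_number: int = 0) -> int:
    """Smallest sample size such that, if at least `max_tolerable_defects`
    servers are misconfigured, the sample fails (more than `accept_number`
    failures) with probability >= `confidence`."""
    if max_tolerable_defects <= accept_number:
        raise ValueError("the acceptance number would mask the defect level you want to catch")
    for n in range(1, population + 1):
        if accept_probability(population, max_tolerable_defects, n, accept_number) <= 1 - confidence:
            return n
    raise ValueError("confidence not reachable")  # not reached: n == population always detects


def select_sample(server_ids, sample_size: int, seed: int):
    """Pick which servers to check. Recording the seed in the audit file makes
    the selection reproducible while keeping it random rather than hand-picked."""
    return sorted(random.Random(seed).sample(list(server_ids), sample_size))


def evaluate_sample(failures_found: int, accept_number: int = 0) -> bool:
    """A sample passes only if the failures observed do not exceed the acceptance number."""
    return failures_found <= accept_number


if __name__ == "__main__":
    # Constructed scenario mirroring the question: 70 servers, and we want 95%
    # confidence of catching a situation where 10% of them (7) lack alerting.
    servers = [f"srv-{i:03d}" for i in range(1, 71)]  # constructed names
    n = sample_size_for_confidence(len(servers), max_tolerable_defects=7, confidence=0.95)
    print(f"Check {n} of {len(servers)} servers, zero failures allowed")
    print("Chosen:", select_sample(servers, n, seed=2024))
    n1 = sample_size_for_confidence(len(servers), 7, 0.95, accept_number=1)
    print(f"Allowing one failure in the sample raises the sample size to {n1}")
```

    Two points the script makes concrete: with 70 servers and a zero-failure rule, 24 servers must be checked before a 10% misconfiguration rate would be detected 95% of the time, and tolerating one failure in the sample pushes that to 36. Any failure found in the sample is still a nonconformity to be raised; the acceptance number only governs whether the audit can conclude that the population as a whole meets the target.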
  • Monitoring ISMS effectiveness

    ISO 27001 does not require the use of specific means of presenting KPIs to top management, so we do not offer specific dashboard templates. If you used our Matrix of Key Performance Indicators [ISO 9001:2015] to list your KPIs, you can present this document to them.

    But if you are thinking about a meeting presentation using something like PowerPoint, what I can suggest is to use the 30-20-10 rule for presentations: use font size 30, maximum 20 minutes, up to 10 slides. And the presentation should last a maximum of 10 minutes, so you can have 10 minutes for questions and answers. Longer presentations will make top management lose focus on your message.
  • Human Resource Policy in toolkit


    Answer: The human resources requirements and the most common related controls in ISO 27001 are covered in the documents "Training and Awareness Plan", "Confidentiality Statement", and "Statement of Acceptance of ISMS Documents". Other controls that are directly related to human resources are covered by documents like "Bring Your Own Device (BYOD) Policy" and "Acceptable Use Policy". You can find all this information in the "List of Documents" file that comes with your toolkit. It identifies which requirements and controls of the standard are covered by each document.

    Regarding a Human Resource Policy, this document is not mandatory for ISO 27001, and it is not usually used by smaller companies; that's why we didn't include a specific template for the policy in the toolkit. But you can use the content of the templates your organization considers more relevant and merge them into a Human Resource Policy using our blank template.

    This article will provide you further explanation about writing documents:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Course for certification


    Answer: Regarding certifying others, I'd suggest the Lead Implementer course, which will provide you with knowledge about the implementation process (e.g., which information to gather, which steps to take and when, etc.). Additionally, you may also consider the Lead Auditor course, so you can have a better understanding of how a certification auditor works (e.g., what he looks for and how he considers the evidence found, etc.).

    This article will provide you further explanation about Lead implementer and Lead Auditor courses:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO 27001 implementation:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/

    This material will also help you regarding how to become a consultant:
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    - How to become an ISO 27001 / BS 25999-2 consultant [free webinar on demand] https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
  • ISO 22301 and ISO 22316


    Answer: The ISO review process takes between 2 and 3 years to complete, and the review of ISO 22301:2012 started on April 15 of this year, so we can expect a new version of ISO 22301 by April 2020 at the latest.

    2 - What is the link between ISO 22301 and 22316?

    Answer: ISO 22316 is about resilience, the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. While ISO 22301 covers actions to ensure organizational survival during disruptive events, ISO 22316 provides recommendations for the identification and management of situations that are not so immediate in terms of impact but that in the long run can be as damaging to the organization. You can think of ISO 22301 as a specific application of the broader concept of resilience.

    This article will provide you further explanation about ISO 22301 and ISO 22316:
    - Organizational resilience according to ISO 22316 – Is this another buzzword? https://advisera.com/27001academy/blog/2016/12/12/organizational-resilience-according-to-iso-22316-is-this-another-buzzword/

    This material will also help you regarding ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • AS 9100 question - Followup


    Or, as we do not manufacture or repair any parts that go up in a plane – can we remain AS9120?

    Please clarify as that is the information I need.

    Answer:
    The general rule of thumb is that if it goes airborne it should be built using a quality management system that is implemented to AS9100; however, tools are not. However, the real definitive criterion for having a QMS that meets AS9100 is whether your customer requirements demand it.
