
  • NDAs and non-competition clauses


    Is this clause mandatory for ISO 27001 compliance? Can it be avoided? Are there any best/shared practices on how to successfully implement this without forcing employees to sign a non-competition clause or non-disclosure agreement after the end of the contract? *(as I outlined – this can be rather costly with increased attrition..)

    Answer:

    Control A.7.3.1 is not about non-competition clauses, it is about how to close/change the access to systems and data after an employee leaves the company, or changes his/her position within the company.

    Non-competition clauses and NDAs are normally defined as part of control A.7.1.2 Terms and conditions of employment. If you want to avoid a non-competition clause and you are afraid that a particular employee might abuse the information when starting to work for the competition, then you should not allow this employee to access your most sensitive information and/or your business model should be developed in such a way that its competitiveness cannot be threatened solely by information leakage.

    Any control can be avoided, i.e. declared non-applicable - this must be done in the Statement of Applicability, based on the results of the risk assessment - here are the articles that explain the details:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Risk assessment frameworks


    Answer: Since your scope is IT, I'd suggest you implement COBIT, since this framework was designed with IT in mind. ISO 27001 can help with specifics about information security in IT, but this ISO standard is focused on information protection, and it is not as detailed on IT controls as COBIT.

    Unfortunately, COBIT is not in our expertise (we work with ISO standards), but you can find some useful information here: https://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx

    Some materials are free to access and others are free but require registration.

    For an overview of risk assessment in ISO 27001 I suggest these articles:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    These materials will also help you regarding ISO 27001 Risk Assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    If you would like to try Risk assessment for ISO 27001, you can take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit contains the following documents: (1) Risk Assessment and Risk Treatment Methodology, (2) Risk Assessment Table, (3) Risk Treatment Table, (4) Risk Assessment and Treatment Report, (5) Statement of Applicability, and (6) Risk Treatment Plan. You just have to scroll down the screen a little to access the free demo tab.

    The material is editable and you can make adjustments to fulfil your needs.
  • Operational change


    1 - Please help me with the documents that I have to complete (change control, inventory, backup policy, … what else?)

    Answer: For a change, common documents and records you should consider developing are:
    - change plan: so you can have a general overview of all actions required for the change
    - risk assessment and treatment plan: so you can map all unacceptable risks and the measures you need to implement to minimize risks during the change
    - backup plan: so you can ensure no information is lost during the change process
    - validation plan: so you can verify whether all changes have been achieved
    - rollback plan: so you can return to the previous state if the change does not work
    - equipment and system configuration parameters and installation instructions: so you know exactly what to do to install and configure assets properly
    - inventory of assets: so you can keep control of all assets in your environment

    For other documents, you should consider the results of your risk assessment.

    Considering business continuity, you also must consider performing a business impact analysis, so you can identify tolerable availabilities that can help you plan your change activities.

    2 - Do I have to run Risk Assessment Treatment?

    Answer: Yes, you have to perform a risk assessment and treatment to help you identify the main risks related to this change and plan controls to reduce risks to acceptable levels.

    3 - Do I have to call the inspector of ISO27701 to check me? If yes, what is the perfect time to do it? After the completion of this project?

    Answer: No. To perform the change there is no need to call an ISO 27001 auditor, but you should at least communicate with your certification body about it, because depending on the size of this change with regard to your ISMS scope, some modifications to the next audit of your certification cycle may have to be made.

    4 - Finally, what else do I have to do?

    Answer: After the change you have to perform a new risk assessment to update your risk scenario and ensure this change is considered in the next management review so its results can be evaluated.

    This article will provide you further explanation about Operational change:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

    These materials will also help you regarding Operational change:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Gap analysis and checklists


    Answer: To help you in your gap analysis I suggest you take a look at the free demo of our Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    This checklist will provide you with questions to help you assess the level of compliance of your policies and controls regarding the management system and security controls. You only have to scroll down the screen a little to find the free demo tab.

    Another tool I can suggest to you is our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    It is similar to the checklist, but it also provides you with recommendations on how to overcome your gaps.

    2 - In addition, do we have some sort of available checklist to share on physical and environmental controls specifically for:
    Data centers
    Disaster recovery site
    Network operation center
    Product support
    Business application and system support?

    Answer: Unfortunately we do not have such a specific checklist, but this article can help you build them to comply with your specific needs:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • ISO 27001 and EU GDPR


    Answer: You can use ISO 27001 together with ISO 27018, a specific standard for protection of Personally Identifiable Information (PII), to cover most of the requirements of EU GDPR.

    These articles will provide you further explanation about ISO 27001 and EU GDPR:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
  • Enterprise risks


    Answer: ISO 27001 was designed to cover risks related to information security from operational to enterprise levels, but enterprise risks cover much more than information security, so you should consider complementing it with some other frameworks, like COSO, which provides recommendations for managing enterprise risks, like economic, social, and others.

    2. Do we have high level classification of enterprise risk?

    Answer: A general classification for risks like low, medium and high is used when we talk about enterprise risks, so we can compare risks of different types, like technological, economic, strategic, etc.

    These articles will provide you further explanation about enterprise risks and monitoring:
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • SOA


    Answer: Your assumption is right concerning controls that are to be implemented, or aren't to be, considering the results of the risk assessment. But you also have to remember that you may have some controls already implemented before the ISMS implementation, either because you adopted them as a market practice, or because a contract or legal requirement required you to do so. So, some controls can already be stated as implemented during the implementation of the risk treatment plan.

    This article will provide you further explanation about SOA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding SOA:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Evaluation of suppliers


    Answer:

    The standard requires the organization to determine criteria for evaluation, selection and monitoring of external providers, i.e. suppliers, so you as a company can decide what kind of criteria and method to use to evaluate the suppliers. If you find your existing supplier questionnaires redundant, you can exclude them from your supplier evaluation activities.

    For more information, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
  • Documentation requirements for production process


    Answer:

    I assume by "iso" you mean ISO 9001:2015. When it comes to explicit requirements for documentation in the production process, ISO 9001:2015 requires the following:
    - The characteristics of the products to be produced, the services to be provided, or the activities to be performed (clause 8.5.1)
    - Records about customer property (clause 8.5.3)
    - Production/service provision change control records (clause 8.5.6)

    But you may also decide to document the production procedure, work instructions, etc. For more information about mandatory documents, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
  • Example of statutory and regulatory requirements for products


    Answer:

    Most products are not regulated in terms of quality, but for some of them there are requirements for raw materials, packaging, user manuals, etc. For example, plastics used for producing toys for children must comply with regulations regarding the content of the plastics, the concentration of some chemicals within the plastics, etc.

    For more information, see: How to include statutory and regulatory requirements in your QMS https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/