Answer: In fact these frameworks are not competitors, but they complement each other. COSO gives you a corporate view for risk management, and NIST SP 800 series provides security practices for IT environments. As for ISO 27001, it provides you a framework for managing information security, considering not only IT environments, but also physical and human aspects, as well as business objectives.
That said, while ISO 27001 is better prepared to manage information security than the NIST standards and COSO, it can benefit from the other two frameworks to complement its approach regarding IT controls and the understanding of risk in a business context.
These articles will provide you further explanation about these frameworks:
- How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
Career in Information Security
I want to take up training and certification for ISO 27001, and gradually move up the ladder with CISA.
Here is the dilemma: should I opt for ISO certification at this stage or not? And what approach should I follow to attain it? What study material should I follow? Do you run training sessions? What action plan should I follow, since after this data center project there is a high probability I would be assigned to a different project in the same role?
As of now I find myself in a situation where, when I take decisions, my team has to live with them for a long time. I myself don't have prior experience in this domain and find it a bit difficult to gauge the CIA parameters.
I have expertise in service operations, incident, change and event management, good knowledge of the server admin role, and the basics of networking.
Answer: From what you described, my suggestion for your development would be first to obtain knowledge of the requirements of the standard and of how to conduct an implementation process. For that you can find ISO 27001 Lead Implementer courses on the market. Your previous knowledge of ITIL, server administration and networking will help, but information security covers many more issues, like human resources and legal requirements.
Second would be obtaining knowledge of the audit aspects of ISO 27001, and for that you can consider either ISO 27001 Internal Auditor courses or ISO 27001 Lead Auditor courses (if you need something immediately or have a low budget you can go for the internal auditor courses, but since you are thinking about CISA, the lead auditor course can help you more with that goal).
Answer: For creation of a risk assessment you should consider:
- Definition of how to identify the risks to information security
- Definition of how to identify risk owners
- Definition of criteria for assessing consequences and likelihood of the risk
- Definition of how calculate the risk
- Definition of criteria for accepting risks
Regarding the risk analysis, the main approaches are qualitative and quantitative analysis.
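The following is an added worked example of the methodology the answer above describes, written for this page and not part of the original answer. It scores risks qualitatively (likelihood times consequence on 1-5 scales), applies an acceptance criterion, checks that every risk has an owner, and shows the quantitative alternative (annualized loss expectancy). The scale names, the threshold of 8, the assets, the owners and the monetary figures are all assumptions constructed for the example; an organization must define its own criteria.

```python
"""Risk assessment worked example: qualitative scoring with an acceptance
criterion, plus a quantitative (ALE) calculation. Added illustration only;
every scale, threshold, asset and figure below is an assumption."""
from dataclasses import dataclass

# Qualitative scales. The 1-5 levels and their names are assumptions for this
# example; ISO 27001 only requires that criteria be defined and applied
# consistently.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (assumed): a score at or below this is accepted
# as-is; anything above it must be treated.
ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: asset, threat, vulnerability, owner, ratings."""
    asset: str
    threat: str
    vulnerability: str
    owner: str          # the person accountable for treating the risk
    likelihood: str     # a key of LIKELIHOOD
    consequence: str    # a key of CONSEQUENCE


def qualitative_score(risk):
    """Risk level as likelihood x consequence on the qualitative scales.
    Refuses to score a risk that has no risk owner, since the standard
    requires one to be identified."""
    if not risk.owner.strip():
        raise ValueError(f"risk on {risk.asset!r} has no risk owner assigned")
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def decision(risk, threshold=ACCEPTANCE_THRESHOLD):
    """Apply the acceptance criterion: returns 'accept' or 'treat'."""
    return "treat" if qualitative_score(risk) > threshold else "accept"


def annualized_loss_expectancy(asset_value, exposure_factor, annual_rate_of_occurrence):
    """Quantitative analysis: ALE = SLE * ARO, where SLE = asset value * exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction of the asset value")
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * annual_rate_of_occurrence


def risk_register(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Score every risk and return the register sorted highest risk first."""
    rows = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "owner": r.owner,
            "score": qualitative_score(r),
            "decision": decision(r, threshold),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample input; the assets, ratings and owners are invented.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection by external attacker",
         "web application does not validate input", "Head of IT", "possible", "major"),
    Risk("staff laptops", "theft of device", "disk not encrypted",
         "IT operations manager", "possible", "moderate"),
    Risk("office printer", "hardware failure", "no maintenance contract",
         "Facilities manager", "likely", "negligible"),
]


if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['decision']:<6}  {row['asset']}  ({row['owner']})")
    # Quantitative view of the first risk, with assumed figures.
    print("ALE:", annualized_loss_expectancy(asset_value=500_000, exposure_factor=0.2,
                                             annual_rate_of_occurrence=0.1))
```

Note that with the assumed threshold the laptop risk (3 x 3 = 9) is only just above the acceptance line; small changes in how the criteria are defined move such borderline risks between "accept" and "treat", which is why the answer lists the criteria definitions before the calculation itself.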
How can I define the scope of the EMS for a manufacturing company, according to the 2015 version of ISO 14001, without going so far that it becomes impossible to manage? (The company uses minerals, metals, chemicals, etc.) Could you provide an example?
Defining context of the organization
Answer:
When determining the context of the organization, you need to examine all internal and external issues that can affect your QMS (Quality Management System). When it comes to internal issues, you need to consider products and services, organizational structure, roles and responsibilities, organizational culture, capabilities, etc. For external issues, the organization needs to consider the culture of the market where it operates, legislation, customer requirements and habits, competitors, etc.
Even for the companies that conduct the same type of business in the same country, the context of the organization can be different because of the various elements of the context that need to be considered.
Clause 8.3.2 j) requires that during design and development planning the organization consider the documented information needed to demonstrate that design and development requirements have been met. This doesn't mean that you need to provide this documented information during the planning phase, but that you define what documented information must exist at the end of the design and development process to demonstrate that the requirements have been met. For example, in the project plan or project task you will define what documented information will be created as the design and development output, e.g. CAD drawings.
Competence requirements for auditors and management representative
For example: in our organization, I am the quality manager/primary person for the QMS. I have been trained as an internal auditor along with 3 other colleagues.
Is it expected that the other 3 auditors have the same extent of knowledge that I have?
Answer:
Management representative (MR) is no longer a mandatory role in the QMS (Quality Management System), so the standard does not have any requirements regarding the management representative. But considering the roles and responsibilities of the MR, he or she should have knowledge of the standard's requirements and also knowledge of the organization's operations and processes.
Auditors should be familiar with the requirements of the standard and with auditing techniques, but the same type of training is sufficient for the MR as well. There are no differences in competence requirements, but there are differences in responsibilities and authorities between these two roles.
ISO 45001 hasn't been published yet, so it is difficult at this point to talk about integration of this standard with other management system standards, but the approach will be the same.
The first step is to identify all common requirements of the standards you want to integrate. For example, ISO 9001 and ISO 14001 both have requirements for determining the context, defining the policy and objectives, internal audit, competence and awareness, etc. For more information see: ISO 14001:2015 integration with ISO 9001:2015 – What has changed? https://advisera.com/14001academy/blog/2016/02/15/iso-140012015-integration-with-iso-90012015-what-has-changed/
Once you determine the similarities, you should start implementing them first and then add the specifics of each standard. Since ISO 9001 is a better foundation for the system, it is better to start implementing the ISO 9001 requirements and processes and then add the requirements of ISO 14001. For example, you first need to implement the requirements for production, design and development, purchasing and so on, and then conduct an assessment of environmental aspects for each process. For more information, take a look at this free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 https://advisera.com/9001academy/es/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar//
When you implement ISO 9001 and ISO 14001, it will be easy to add the requirements of ISO 45001 once it is published. It will probably have the same structure as ISO 9001 and ISO 14001, so the integration won't be too challenging. If you want to take a look at the Integrated Management System documentation, here you can download a free preview https://advisera.com/9001academy/iso-9001-iso-14001-integrated-toolkit/
BS 25999 and ISO 22301
(Is the 25999 standard the same as the 22301?)
Answer: No. The 25999 standard is an old British Standard officially recognized in the United Kingdom (its current status is superseded), while 22301 is an ISO standard accepted worldwide (current status published, version 2012). In terms of content, we can consider ISO 22301 an "upgrade" of BS 25999, with the ISO standard presenting significant changes and additions.