Now that the Asset Register is complete, including all assets (software, computers, accessories, servers, information and infrastructure), is it best to risk-assess each item on the register to understand the threats and vulnerabilities?
Answer: Yes, you have to assess the risks for all assets on the asset register. The understanding of ISO 27001 control A.8.1.1 - Inventory of assets is that all assets in the inventory (asset register) are considered relevant in the life cycle of the information, so if you do not assess the risk for one asset you have on the register, you either have a non-conformity issue, or that asset should not be in the register at all. But you should note that you also have to add your employees and suppliers to the register (because of the competencies and resources they provide) - you need to perform a risk assessment on them, too.
I need to ask you which framework we should use to do an IT audit; I know that there are different methodologies like COBIT, ISO 27001 and NIST.
Answer: This answer will depend upon the purpose of your audit:
- If your purpose is to verify IT governance practices, you should use COBIT as the main reference.
- If your purpose is to verify IT information security management practices, you should use ISO 27001 as the main reference.
- If your purpose is to verify IT practices related to computer security, you should use the NIST SP 800 series as the main reference.
In case your audit covers a mix of these purposes, you should use a combination of these standards.
A competitor can't be considered an interested party because their interests collide with the interests of the organization. For example, competitors are interested in gaining a bigger share of the market, so they would like the organization to provide low-quality products at a higher price, and this is definitely not the kind of need and expectation you want to meet.
Answer: In terms of challenges, you can mention production losses due to information security related incidents, fees and legal actions for non-compliance with legal requirements, internal confusion regarding who must do what and when, and the difficulties in maintaining a good public image. An ISMS can help handle all these items. For example, by implementing proper security controls you can minimize the occurrence and/or impact of incidents, and by establishing policies and procedures you can define clear responsibilities and actions to be performed in relevant situations.
Or if you can help me with a sample DLP framework defining exactly what it should contain, or relevant references/links?
Answer: Unfortunately we do not have such specific material, but for determining the rights of employees I suggest you take a look at these materials:
ISO 27018 guidelines: This standard aims to protect Personally Identifiable Information of customers that make use of cloud services, considering the point of view of both customers and providers. You can check the guidance for customers to get an idea of what to consider for your employees. For detailed information see: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
CISPE Code of Conduct: Cloud Infrastructure Service Providers in Europe (CISPE) is a coalition of technology companies focused on the provision of cloud computing infrastructure services, and this code is an effort to help customers and providers comply with the EU GDPR. You can find more information here: Data Privacy Protection, ISO 27001 and CISPE Code of Conduct https://advisera.com/27001academy/blog/2016/10/31/data-privacy-protection-iso-27001-and-cispe-code-of-conduct/
My question is: an internal factor such as a strength (take whatever example you like: documents, IT, personnel, errors in objectives, errors in manufacturing, in sales, in offers, in purchasing, in manufacturing, in after-sales, in warehouses, etc.) turns into a weakness for me, and that risk must be analyzed.
So, how deep do you go when you perform the risk analysis?:
Everything (the threats + the strengths that can turn into weaknesses)
Only the most obvious,
Those situations and/or aspects where "alarm bells ring" (for example, "we are in a real estate bubble", and it blew up on more than one company for not having done the analysis and the actions...).
Obviously, if we take everything we could be writing for a year (although afterwards it is always repetition, and a percentage is "valid forever" and applies to all kinds of companies).
My answer:
ISO 9001:2015 does not require a specific format for risk identification, so you can carry out this analysis of risk and opportunity identification however you want and go as far as you believe necessary. However, it is always advisable to find the simplest and easiest way to carry it out in your organization.
Regarding opportunities and threats (normally referring to external factors), a PEST analysis can help ensure that external factors such as legal requirements or technological changes are not overlooked.
Some tips when using a SWOT analysis are:
- Accept only precise and verifiable information.
- Try to reduce long lists of factors and prioritize them; this way you spend more time thinking about the ones that are really significant.
- Apply it at the right level, for example, apply the tool at the product or production line level instead of at a broader and vaguer company level.
- Ensure that the options that have been generated are carried out in later phases of the strategic process.
You can cover only one product with the scope, but you just need to state that in your document about the scope of the QMS.
Quality manual in IATF 16949
Answer:
When it comes to IATF 16949 requirements regarding the manual, it requires at minimum:
a) the scope of the QMS, including justification for any exclusion;
b) documented processes established for the QMS, or reference to them;
c) the organization's processes and their sequence and interactions (inputs and outputs), including the type and extent of control of any outsourced processes;
d) a document (i.e. a matrix) indicating where within the organization's QMS the customer-specified requirements are addressed.
The previous version of the standard, ISO/TS 16949:2009, required the same as bullets a), b) and c), so if your manual meets all requirements of the new version, you do not have to make changes to it except aligning the clauses of the standard. Otherwise, you need to update your manual to meet all the above-mentioned requirements.
Clause 1 Scope vs clause 4.3 Scope of QMS
Answer:
Clause 1 Scope of ISO 9001:2015 explains to what kind of companies the standard applies in terms of size, type of business, type of product or service, etc. On the other hand, clause 4.3 defines requirements for the organization to define the scope of its QMS (Quality Management System).
Clause 1 does not have any requirements for the QMS; it just explains to what kind of organizations the standard can apply. Clause 4.3 contains actual requirements of the standard, and these requirements will be audited during the certification audit. For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
By the way, the fact that your company is not an IT organization does not mean you will exclude all of the IT controls - most companies today need to include controls like backup, antivirus, access control, etc. This article will help you with the controls: Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/