Search results


  • ISO 27001 implementation

    The first thing I suggest is to build a project plan and a project presentation, so you can gather all the information you already have and make it available for a quick presentation if needed. The second point is that even if you already have management support (your implementation is already considered in the strategic plan), you should approach process owners asking them to validate your BIA, so you are both aligned regarding what is considered important in terms of information security, and only after that should you ask them for resources. This way you work on their needs first and yours will be easier to gain.
    Regarding which process you should start with, this will depend on the resources you will have available (both in terms of quantity and competence) and your organization's priorities.
    This article will provide you further explanation about ISO 27001 implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/es/knowledgebase/lista-de-apoyo-para-implementacion-de-iso-27001/
    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/seguro-simple-una-guia-para-la-pequena-empresa-para-la-implementacion-de-la-iso-27001-con-medios-propios/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Enforcing ISO 27001 in satellite offices


    Answer: When you refer to "satellite offices" I'm not sure if you refer to your company branch offices, or home offices of your employees/consultants? If those are branch offices, then you simply create security rules that will be valid throughout your company, in all company locations - e.g. according to Acceptable Use Policy the employees in all locations would be required to create the backup of their files in a certain way.

    If these are home offices, then you need to create a Teleworking policy that will define the security rules for employees working from home.

    So basically you are enforcing the implementation of the security rules in both cases, only you're doing it through different documents.

    These articles will help you:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/

    These materials will also help you regarding implementation of ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online ISO 27001 tool) https://advisera.com/conformio/
  • Auditing risks and opportunities


    Answer:

    It is really hard to identify a nonconformity regarding clause 6.1 because the requirements are very vague. If the remark is not directly related to some requirement of the standard, it is impossible to raise a nonconformity. Inadequate clarity on risk-based thinking cannot be stated as a nonconformity but rather as an observation.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Risk management in ISO 9001


    Answer:

    First, ISO 9001:2015 does not require risk management in the sense that you need to implement it on a full scale. All the standard requires is to identify risks and opportunities related to the QMS and to take actions to address them. The standard does not require an organization to document a procedure for addressing risks and opportunities, or to adopt a methodology for risk assessment. The organization only needs to plan actions to address risks and opportunities and evaluate the effectiveness of these actions.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Safety file non compliant with ISO 9001


    Answer:

    A good start is to see if the client already stated which policies are not compliant with ISO 9001 and which clauses are in question. If you have such information provided by the client, you can start by correcting this part of your policies.

    If you weren't provided with any information other than that your documents are not compliant with the standard, then you probably have a lot of nonconformities and they didn't want to bother stating individual clauses of the standard. In this case, you will have to audit your procedures and policies against ISO 9001, see exactly which parts of your documentation are not compliant with ISO 9001, and then try to correct them. If you do not have the text of the standard, I suggest you use an Internal Audit Checklist that contains all requirements of the standard in the form of "yes or no" questions. Here you can download a free preview of such a checklist: https://advisera.com/9001academy/documentation/internal-audit-checklist/
  • Risks and opportunities in HR department

    There is no requirement in ISO 9001:2015 to have documents or records about risks and opportunities but ISO 9001:2015 invites us to determine risks around:

    • context and interested parties;
    • products and services; and
    • processes

    If I think about a process around competency and training I can determine risks like:

    • determining wrong competency requirements for each function within the QMS
    • failure to do a proper evaluation of people’s competency
    • determining the wrong or incomplete actions to close competency gaps (for example, hoping that training is the right tool when it is not, choosing a bad trainer, …)
    • not enough time for training or other actions
    • failure to do a proper evaluation of training effectiveness

    If I think about a process around onboarding of new people I can determine risks like:

    • choosing the wrong person
    • allowing that a person without the proper training and experience starts performing a function
  • Management decisions


    Answer: Considering ISO 27001, top management can define in advance under which circumstances the rules (i.e., processes or controls) can be bypassed, and must ensure that relevant information related to those decisions is recorded (e.g., a risk assessment). If you can provide such circumstances and evidence, the situation is ok.

    The situation you should be worried about is if bypass situations happen often, because this would mean that the information security management system is not properly aligned with the business's expected outcomes, and that is a problem, generally related to the perception of the risks the organization is willing to take, also called risk appetite. In this case, what top management can do is to change policies or procedures as they think is needed.

    This article will provide you further explanation about risk appetite:
    - Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    These materials will also help you regarding risk appetite:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Statements for systems development


    Answer: No. Since systems development processes are unique for each organization these parts need to be adapted by the organization itself in the Secure Development Procedure template, on sections 3.2 and 3.3.

    This article will provide you further explanation about securing development environment and engineering principles:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

    These materials will also help you regarding securing development environment and engineering principles:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Function separation Matrix

    How did this person get on here?
  • Statement of compliance


    Do you have an executive attestation statement of compliance that they could use for now until the next ISO-27000 security audit occurs in August of this year? If they cannot provide an Executive Attestation at the very least, they may very well lose this client account.

    Answer: Regarding ISO 27001, as an equivalent for an Executive Attestation Statement, you could recommend the use of the Statement of Applicability (you can see a free demo of this document at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/ and see if it can fulfil his needs).

    This article will provide you further explanation about the statement of applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding the statement of applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/