>1 - Is this asset evaluation mandatory in ISO 27001?
Answer: Risk assessment is a mandatory clause in ISO 27001, but you can choose which methodology to use, and assessing asset risks is just one of them. You can also use, for example, scenario analysis, interviews, or checklists.
>2 - Can you please tell me what the residual risk acceptance criteria are?
Answer: The residual risk acceptance criteria are the same criteria you use to evaluate a risk. The difference is that they are applied to the risks after the controls deemed necessary are implemented, so you can re-evaluate them to decide whether additional treatment is necessary or whether the risk as it is now will be accepted.
Becoming an ISO 27001 and information security expert
Answer: The path to becoming an ISO 27001 and information security expert goes through acquiring theoretical and practical knowledge of information security and accumulating experience solving daily problems.
So, you should consider buying documents like the ISO 27001 standard (https://www.iso.org/isoiec-27001-information-security.html), attending courses about ISO 27001 and others related to information security, and applying that knowledge to implement security controls and solve daily situations like incidents.
Some organizations also measure an expert by the certifications he holds, so you should also consider including some certifications in your curriculum (e.g., ISO 27001 Lead Auditor, CISSP, etc.).
Access control over Risk Assessment and Treatment Tables
Answer: Risk assessment and treatment tables should be accessed only by those who need to know them to plan, implement, monitor and improve the controls that protect information. So, only a few people should have access to them, since most of the organization's people will be users, with no active participation in controls management.
Answer: The sequence for ISO 27001 implementation does not change if you already have ISO 9001:2008 certification. What happens is that some steps become quicker, like the elaboration of documents and the internal audit. You can find a detailed list of steps for ISO 27001 implementation here: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Answer: Yes, the risk assessment webinar covers all steps from risk identification through the risk treatment plan, including preparation of the SOA, but you should note that, for a checklist, the SOA will only provide information about which controls are implemented and why. The auditor should prepare another checklist considering what to audit regarding the implementation.
Answer: ISO 27001 is not a predecessor of ISO 22301. These standards fulfill different purposes (business continuity for 22301 and information security for 27001), but there is a set of controls in ISO 27001, in Annex A section A.17 - Information security aspects of business continuity management, that can be covered by ISO 22301 requirements.
Since these standards have different purposes, we cannot say which one is better. This perception will depend on the organizational context and its purposes, which can tell you which one is more appropriate.
If the organization does not have a design and development process within the scope of the QMS, it can exclude clause 8.3 from the scope. When excluding clauses of the standard, you need to document the exclusions in the document about the scope of the QMS and provide justification for the exclusions.
Is there a requirement to document specific work instructions relating to our key legislation, i.e., a work instruction dedicated to the CRC Regulations or the Clean Air Act and how they relate to our processes on site?
Answer: The environmental aspects that are regulated by legislation automatically become significant, and operational controls should be applied. The level of documentation to be produced will depend on the requirements of the legislation (i.e., whether the legislation itself requires some records to be produced) and the type of operational control you decide to apply. If there are no legal requirements to produce records or to document a procedure or work instruction, it is completely up to the organization to decide whether to document them or not.
Kindly supply me with information on Organizational Knowledge, which is really tough to implement in order to meet ISO 2015 requirements.
I would appreciate it if you could clarify the following points:
1. What exactly is the meaning of Organizational Management?
By organizational management I assume you meant organizational knowledge. Organizational knowledge includes all information and know-how necessary to deliver a product or service. For example, if you have a bakery, the recipe for making bread or cookies represents organizational knowledge. For more information, see: How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
2. Does ISO 2015 mean experience knowledge only?
By ISO 2015, I assume you meant ISO 9001:2015. Organizational knowledge includes experience and know-how on how to deliver a product or service. Some of it will be in written form, like work instructions, and some will be part of competence and experience; for example, if an employee has a driving licence, he doesn't need to attend additional training, nor does he need a work instruction on how to drive a vehicle.
3. Is existing written knowledge, including documentation and records, also required as part of 7.1.6 Organizational Knowledge?
Clause 7.1.6 does not require producing additional procedures and records. You only need to identify the organizational knowledge and maintain it. In some cases, it can be beneficial to have a documented procedure or a reference to the documents that contain organizational knowledge.
4. How can we capture, store and make this knowledge available to users?
This can be done in numerous ways: you can document the work instructions and distribute them to the relevant people, or you can make the knowledge available on the company intranet. It will depend on the needs of the company, the number of employees, locations, etc.
5. How can we audit this process (clause 7.1.6)?
Since the clause doesn't require documented information, most of the auditing will be done by interviewing and observing. The purpose of auditing clause 7.1.6 is to determine whether the organization has identified and maintained its organizational knowledge, and the questions asked during the audit should go in that direction.