
  • Procedure for document control and ISO 27002 controls


    Answer: Actually, the procedure for document control is related to the management part of information security - i.e. it is related to the main part of ISO 27001, and not to the security controls listed in ISO 27002.

    So in my opinion, it wouldn't make sense to try to fit it anywhere in ISO 27002 controls - document control belongs to the management part of information security.

    These articles will help you:
    - ISO 27001 vs ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    These materials will also help you regarding document management:
    - book Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Auditing of the new version


    Answer:

    The auditing techniques would be the same: you will still review the documentation, interview employees and observe processes. But, since the new version requires less documentation than the previous one, it is reasonable to assume that documentation review wouldn't provide the same results as with the previous version of the standard. This means that most of the evidence will be gathered through interviewing employees and observing processes and activities.

    This again depends on how you document your QMS; if it remains heavily documented like in the previous version, the job of the auditors will be facilitated because they will have most of the information on paper.

    For more information about internal audit, see: Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
  • Regulations and work instructions


    Answer:

    There is no need for a work instruction to contain the text of the regulation. It can even be counterproductive, because most of the employees would not even understand what they need to do. The purpose of the work instruction is to ensure that the regulations are followed in the workplace, so they need to be clear and simple and explain how activities are performed according to the regulations.

    For more information, see: Demystification of legal requirements in ISO 14001 https://advisera.com/14001academy/blog/2014/10/01/demystification-legal-requirements-iso-14001/
  • Prioritizing hazards


    Answer:

    There are no requirements in OHSAS 18001 that define how to prioritize implementation of operational controls, but basically there are two approaches. You can either start with the controls that are the easiest to implement, such as administrative controls (i.e. writing work instructions), or you can start with the controls that address the most severe consequences regardless of the effort needed to implement them.

    Keep in mind that some of the operational controls are mandated by law, and they should be implemented first, without any delay.

    For more information, see: 5 levels of hazard controls in OHSAS 18001 and how they should be applied https://advisera.com/18001academy/blog/2015/09/02/5-levels-of-hazard-controls-in-ohsas-18001-and-how-they-should-be-applied/
  • Forms for admin department


    Answer:

    There are no particular requirements in ISO 14001 for documentation within the Admin department. The amount of documentation will depend on the type of operational controls that you apply in the department, and this will depend on the significant environmental aspects emerging from processes within this department.

    In most cases the Admin department has significant environmental aspects such as waste paper, electronics and maybe batteries; this means that you will probably need some record about waste disposal and maybe a work instruction on how to store the waste prior to disposal.

    For more information, see: How to identify environmental aspects in your office using ISO 14001 https://advisera.com/14001academy/blog/2015/05/18/how-to-identify-environmental-aspects-in-your-office-using-iso-14001/
  • Alternative site safe distance


    We are planning to build a Secondary Data Center for xxxxxx; the current distance is only less than a kilometre, and in a there will be 20 flights that will come and go; it is xxxxx – please advise

    Answer: Placing a data center near an airport is never a good idea, but if you do not have an alternative, you should consider placing the data center out of the airport's flight paths and at a distance where airplanes are still at a good altitude, starting landing procedures (something between 20 and 100 miles for large aircraft, and a minimum of 3 miles for small ones). This way you reduce the likelihood to almost the same as for other buildings being hit in case of a disaster.

    Impacts related to an incident involving an aircraft range from total destruction of the site to interruption of operations because support services are disrupted (e.g., power lines, water supply, etc.).

    This article will provide you further explanation about how to identify related impacts and site location:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    These materials will also help you regarding how to identify related impacts:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
  • Risk management


    1. What is the objective of Risk Assessment?

    Answer: The objective of risk assessment is to identify and prioritize the risks you are exposed to, according to predefined criteria. This way you will have an overview of which ones you should handle first and why.

    2. What are the methods of Risk Remediation?

    Answer: There are 4 general risk remediation options: 1) decrease the risk; 2) share the risk; 3) avoid the risk; and 4) retain the risk. See more information in this article:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    3. Why is risk assessment conducted?

    Answer: A risk assessment may be conducted to fulfil a legal requirement (e.g., law, standard or contractual clause) or an organization's decision. In either case, the purpose is to use its results to make better decisions considering the organizational resources available and the main risks to which it is exposed.

    4. What are the steps to conduct the risk assessment?

    Answer: According to ISO 27001, the risk assessment process includes 6 steps: 1) risk assessment methodology; 2) risk assessment implementation; 3) risk treatment implementation; 4) risk assessment report; 5) Statement of Applicability; and 6) Risk treatment plan. For more information, see this article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    5. Is it a good idea to define policies/procedure/guidelines before risk assessment or vice versa of it?

    Answer: You should define policies/procedures/guidelines for treating risks after the risk assessment, so you will define only what is needed to handle the risks you are exposed to. Only the documentation related to the risk assessment methodology should be defined first, so that everyone performing the assessment does it the same way.

    This article will provide you further explanation about risk management:
    - What is an Information Security Management System (ISMS) according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/

    These materials will also help you regarding management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 27001 Implementation- A8 Assets Management


    I am documenting the assets inventory template as per the purchased ISO 27001 toolkit.

    Under assets category, mostly the INFRASTRUCTURE and OUTSOURCED SERVICES.

    1 - In the company, we have workstations, and for each workstation we got different assets like PC, Monitor, keyboard, mouse etc. So my question is while documenting this, should I state the workstation as an asset or should I list all the components mentioned as assets for the document to be ISO 27001 compliant?

    Answer: If there is no specific reason to list the individual assets separately, you can refer to them as a workstation in your inventory. You only have to include in the notes column a comment describing the parts that make up the workstation.

    This article will provide you further explanation about assets management implementation:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    2 - My other question concerns the outsourced services; in my case the office space and the data centers are leased from 3rd parties. So are the policies and ISO 27001 certificates enough evidence to be used?

    Answer: No. Regarding outsourced services, you should also include the contracts or agreements you have with them, which should include clauses covering the security measures the outsourced services should fulfil.

    This article will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27005 toolkit


    Answer: The risk assessment and treatment templates in our ISO 27001 toolkits are fully compliant with ISO 27005, so you can use them if you want to be compliant with this standard.

    You can take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit and see if it fulfills your needs. The link for the toolkit is https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    It is composed of the following templates: (1) Risk Assessment and Risk Treatment Methodology, (2) Risk Assessment Table, (3) Risk Treatment Table, (4) Risk Assessment and Treatment Report, (5) Statement of Applicability, and (6) Risk Treatment Plan.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/