
  • Information security in project management


    Answer: Unfortunately we do not have a template covering Information Security in Project Management, but there are many similarities with implementing an ISMS that you can use to drive the implementation of this control:

    1 - You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with the organization's objectives; the only difference is that these objectives are restricted to the scope of the project.

    2 - You have to perform, at the beginning and periodically, information risk assessments in the project, as you would do with other business processes, to identify necessary controls.

    3 - You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing).

    In short, you can think of the inclusion of information security in project management as if you were going to implement a small ISMS that fits the project's needs and is proportional to the project's lifetime and budget.

    Regarding your question related to different entry points for new projects, I would recommend you to define a project management policy, establishing rules for project approval and the need to include information security as part of the project activities.

    This article will provide you further explanation about Information security in project management:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
  • Clause 5.1 i)


    Answer:

    Requirements of this clause are really hard to audit and to demonstrate compliance with. The best way to meet these requirements is for top management to assign roles, responsibilities and authorities within the EMS (Environmental Management System). People can only demonstrate leadership if they are authorized to make decisions.

    For more information about leadership, see: How to demonstrate leadership according to ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/
  • ISO 9001 in accounting


    Answer:

    ISO 9001 has requirements only for the processes that directly affect the quality of the products and services and customer satisfaction. Therefore, the standard doesn't have any requirements regarding accounting, and it is often left out from the scope of the QMS (Quality Management System) because it makes no difference.

    You can develop procedures for accounting in order to ensure that the processes are carried out as planned and make it part of QMS.

    For more information about the scope of the QMS, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Internal and external records


    Answer:

    The organization needs to control internal and external documents related to the QMS. Regarding the internal documents, the organization needs to define distribution, access, retrieval and use, along with storage, preservation, control of changes and retention and disposition. As far as external documents are concerned, the organization needs to identify them and control them.

    In ISO 9001:2015 there are no requirements for documenting the way of document control or to maintain any record about the document and record control. For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Communication requirements of ISO 9001:2015


    Answer:

    There is no one way to meet the requirements of clause 7.4. Depending on the needs of the organization, you can develop one centralized communication process and develop a procedure for communication where you will define what will be communicated, when, with whom, how and by whom. The second option is to define this information for each process within the process procedures.

    In my opinion, the second option is better because all relevant people will have the necessary information about communication within their own process procedure, and there will be no need for an additional communication procedure. For more information, see: Communication requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
  • Organizational context and Risk Assessment Report


    Answer: Clauses 8.2 and 8.3 of the standard require you to document the results of the risk assessment. They don't specifically require the "Report", but some kind of document that shows what risks were assessed and treated at a particular date, and Excel sheets or tools used in operational activities are not very good for this purpose because they are intended to be changed at any time to include changes in the risk environment.

    Besides that, you also provide a document to top management where you can present the risk assessment methodology and compile, highlight and present the main risks and treatments in a format they are used to reading (executive summary, main findings, recommendations, etc.).

    In the video tutorials that came with your toolkit, you can see examples of how to fill out the Risk Assessment and Risk Treatment Report.

    2 - For the part “Understanding the organization” there is something called “Internal and external issues”. I think I understand but I am not sure. Can you please give me some examples of internal and external issues?

    Answer: Examples of internal issues are organizational culture, assets, methodologies and policies. Examples of external issues are new technologies, geographical location, market conditions, and government laws.

    This article will provide you further explanation about internal and external issues:
    - Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • Controls applicable to suppliers

    Answer: Basically, you will have to apply the same controls your risk assessment identified as applicable if you were running the operation yourself, plus the controls related to supplier management, identified in Annex A.15 of ISO 27001.

    This article will provide you further explanation about controls applicable to suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These materials will also help you regarding controls applicable to suppliers:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Procedure for management of NC and CA


    Answer: Yes. The new versions of both ISO 14001 and ISO 27001 have a lot of requirements in common, and the treatment of nonconformities and corrective actions is one of them. You will only have to take care to adjust some expressions in the procedure so that they also refer to information security nonconformities and corrective actions, and include the proper records in the management of records section. But if you want to take a look at a free demo of a procedure written specifically for an ISO 27001 ISMS, you can access this link: https://advisera.com/27001academy/documentation/procedure-for-corrective-action-2/

    You only have to scroll down the screen a little to find the free demo tab.

    These materials will also help you regarding the procedure for management of nonconformities and corrective actions:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Expanding ISMS scope

    Thanks for the prompt reply
  • Risk treatment and SOA


    1 - Controls that were already implemented before the project for ISO 27001 implementation started: how should they be mentioned in the Statement of Applicability?

    Answer: They should be stated as applicable, like all other controls identified as necessary by your risk assessment. The one thing that will change is the justification, since they were not based on the results of the risk assessment. You can say, for example, that they were implemented by customer request, by legal requirement, or as a best practice of the industry.

    This article will provide you further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2 - In the Risk Treatment Table: if more than one control can be implemented to reduce a risk, is implementing one control sufficient?

    Answer: If you evaluate that after the implementation of the first control the risk level will decrease to an acceptable value, you do not need to implement other controls. You only have to verify, after the effective implementation, whether you achieved the desired security level. After evaluating the results, you can confirm that other controls are not necessary, or whether you have to make some additional implementation.

    This article will provide you further explanation about Risk treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding Risk treatment and the Statement of Applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/