
  • Performing Risk Assessment


    Answer: The first thing you should do is write your risk assessment methodology, so you can have in hand all the rules, considerations and steps regarding how to identify, analyse, and evaluate the risk. After all these items are properly documented you can proceed with the assessment itself (and be sure that people will ask you about these things during the assessment).

    Considering the number of people, maybe it would be better to divide them into smaller groups (at most 20 people per facilitator), grouping them by process performed (e.g., accounts receivable, accounts payable, etc.), or by office (assuming that this number of people do not stay in the same room), or any other criteria you can use to divide them. Try to work in cycles, considering the threats and vulnerabilities for a specific asset before going on to another asset. Also consider taking checklists with you to help you identify risks, and paper to take notes of all information.

    These articles will provide you with further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
  • Privacy and cloud computing security documents


    Answer: Considering all the perspectives you are working on, I suggest you consider all the documents in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit. This way you can have a systemic and integrated approach to all the controls which cover specific clauses from both ISO 27017 (cloud computing services) and ISO 27018 (personally identifiable information in cloud services). Besides the documents you already mentioned, I can add these ones:
    - Access Control Policy https://advisera.com/27001academy/documentation/access-control-policy/
    - Information Transfer Policy https://advisera.com/27001academy/documentation/information-transfer-policy/
    - Security Clauses for Suppliers and Partners https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/

    These articles will provide you with further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Filling templates


    Answer: The references to clauses of ISO 27001, or any other references like laws or regulations, can be included in section two of your templates (Reference documents). As for the source of the references you consider relevant to include, you should verify the content of the document "List of Legal, Regulatory, Contractual, and Other Requirements".

    In the video tutorials that came with your toolkit, you can see examples of how to fill out the details of your policies and procedures.
  • Organizational controls


    Answer: Defining and documenting policies or procedures is considered an organizational control because it involves the establishment of behaviours, either in terms of rules, like policies, or in terms of activities to be performed, like procedures.

    This material will also help you regarding organizational controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Implementation of ISO 27001


    Answer: I recommend you look at these articles:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These materials will also help you regarding the implementation of ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001: An overview of the ISMS implementation process [free webinar] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
    - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

    Additionally, I suggest you take a look at Conformio, our online ISO tool, which has many resources to help you implement and manage your ISO 27001 Information Security Management System, including a list of tasks about what should be considered in the implementation (we have a free plan that includes access for 10 users). You can access Conformio at this link: https://advisera.com/conformio/
  • Procedures vs processes


    Answer:

    The process approach is required by ISO 14001, and it is demonstrated by applying the requirements of the standard to the appropriate processes. For example, clause 8.1 Operational controls contains specific requirements for design and development and purchasing, among other, more general, requirements for operational control. But it doesn't mean that you need to create a process model or to document process procedures. If you implement only ISO 14001, you will need to document only the operational controls for the processes, and only to the level you determine as necessary.

    For more information about mandatory documents, see: List of mandatory documents required by ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/
  • Process model and documentation


    Answer:

    The ISO 14001 standard requires a process-based approach, but it doesn't require the organization to describe its processes and write the procedures for them; that is partially a requirement of ISO 9001. In ISO 14001 you demonstrate the process approach by applying the requirements of the standard to your processes. For example, identification and evaluation of environmental aspects should be done process by process and activity by activity, and later, when the significant aspects are determined, you will apply the operational controls to the appropriate processes, e.g. in sales, design and development, purchasing, production, etc.

    For more information, see: Application of the process approach in ISO 14001 implementation https://advisera.com/14001academy/blog/2017/01/30/application-of-the-process-approach-in-iso-14001-implementation/
  • Activities after the implementation


    Answer:

    Documenting the EMS is only one of the steps in the implementation or transition. The documents cannot be created without a process-based approach. For example, when you conduct the identification and evaluation of environmental aspects, you need to examine all processes and activities to determine where the significant environmental aspects emerge and to define the operational controls that will be applied in the appropriate activities and processes to decrease or prevent the impact on the environment.

    Once the documents are developed, they need to be applied in the organization. For example, document management must be conducted according to the procedure for document management, operational controls that are defined and documented need to be applied, etc. For more information, see: 5 tips to maintain your ISO 14001-based EMS after certification https://advisera.com/14001academy/blog/2016/01/11/5-tips-to-maintain-your-iso-14001-based-ems-after-certification/
  • Main objective of the EMS


    Answer:

    The main objectives of the environmental management system are to prevent pollution, meet compliance obligations and enhance conditions of the environment.

    A systematic approach to environmental management can provide the organization with information to build success over the long term and create options for contributing to sustainable development by:
    - protecting the environment by preventing or mitigating adverse environmental impacts;
    - mitigating the potential adverse effect of environmental conditions on the organization;
    - assisting the organization in the fulfilment of compliance obligations;
    - enhancing environmental performance;
    - controlling or influencing the way the organization’s products and services are designed, manufactured, distributed, consumed and disposed of by using a life cycle perspective that can prevent environmental impacts from being unintentionally shifted elsewhere within the life cycle;
    - achieving financial and operational benefits that can result from implementing environmentally sound alternatives that strengthen the organization’s market position;
    - communicating environmental information to relevant interested parties.

    For more information about ISO 14001, see: ISO 14001: What is it, how does it work and why use it? https://advisera.com/14001academy/what-is-iso-14001/
  • Competence evidences for ISO 27001

    Question: Does this mean the competency only needs to be assessed of those who put together and manage the ISMS? I.e. me as head of Infosec and those who write or approve any policy? Or do we need to assess the competency of anyone who has to follow the policy?

    Answer: You need to assess the competency of anyone who has an impact on the performance of the ISMS, i.e. those who put together and manage the ISMS and also those who have to follow the policies.