
  • Risk assessment


    Answer: Regardless of the target of the assessment, proper risk assessment methods have these things in common:

    - they define the elements that will be under risk and need assessment (in the case of ISO 27001, these elements are information confidentiality, integrity and/or availability)
    - they define how to identify risk owners (those who are responsible for risk treatment)
    - they define clear criteria for risk assessment (normally by assessing the consequences and likelihood of the risk)
    - they define how the risk is calculated
    - they define criteria for accepting risks

    So, any method you choose that has these five characteristics will fit your needs. For information about risk assessment methodologies, please see this article: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    The most common method is the qualitative assessment, and for that you can see an example in this article:
    How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    Another method that you can consider is the quantitative assessment, and for that you can see more information in this article: Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

    2 - What are the attributes for selection of risk assessment tools, and what are the best risk assessment techniques needed in such critical infrastructure, especially in mitigating against an insider threat, because insider threat is one of the biggest problems faced by the nuclear industry today?

    Answer: For attributes to select a risk assessment tool you can consider orientations of ISO 31010, the ISO standard about risk assessment techniques. This standard defines 4 requirements to evaluate a tool:
    - Resources required to perform the assessment in terms of time to perform, expert knowledge, data gathering and cost
    - Complexity of the problem or situation to be assessed, as well as the specific methods required to be used
    - The level of uncertainty that can be accepted
    - Whether the method can offer a quantitative result

    In this article you can also find additional information about selecting tools: When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/

    For other tools, I suggest you take a look at ISO 31010 (Risk management — Risk assessment techniques) at this link: https://www.iso.org/obp/ui/#iso:std:iec:31010:ed-1:v1:en

    In the second part of this question, I assume you want recommendations about risk treatment techniques. Generally speaking you can consider physical and logical segregation controls, user management practices, and physical and logical monitoring to deter, prevent and detect attempts from insiders. See this article for more information: How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    3 - Where can I get your presentation on statement of applicability and risk treatment?

    Answer: You can see a free demo of these documents at these links:
    - Statement of Applicability https://advisera.com/27001academy/documentation/statement-of-applicability/
    - Risk Treatment Plan https://advisera.com/27001academy/documentation/risk-treatment-plan/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Security objectives and audit process


    Answer: You can define as many objectives as you consider needed to fulfill the needs and expectations of your interested parties, information security requirements and the results of risk assessments and risk treatments. There is no predefined number to be achieved.

    Please, see this article for more information: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    2 - Competencies of people with roles & responsibilities, i.e. for MD (Information Security Lead). Do you think he should do some kind of high level course to evidence he is competent? Or would some online training suffice? Does he need proven credentials?

    Answer: For the standard, evidence of competence can be demonstrated in terms of education, training, or experience. So, if your IS Leader lacks a high level course but has recorded experience or certifications, this is sufficient for the standard. It's up to your organization to define which types of evidence it considers necessary for its needs.

    Please, see this article for more information: What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

    3 - Internal audit… does the person who will be likely to do the internal audit review also need some kind of proven training and certification to ensure they are competent to do the job? If so, do you please have any recommendations of suitable training courses? I am assuming that a different person would do the audit each year and am wondering if several people should therefore be trained (or at least a new person each year?)

    Answer: The same answer for question 2 applies here. You have to have evidence of competence for internal audit, either in terms of education, training, or experience. You do not need to have a different person perform the internal audit each year if you can ensure there is no conflict of interest between the auditor and the audited process (the common rule is that no one should audit his own work or any work under his responsibility). Good practice recommends having more than one auditor available, so you can have a different view of the audited process (which is good for identifying nonconformities and opportunities for improvement) and to minimize the risk of relying on a single person capable of performing the internal audit, but these conditions are not mandated by the standard.

    Regarding an internal auditor course, please see more information here: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    4 - Finally, is there any chance you could supply us with any more templates which would be helpful to use going forwards; Procedure for corrective actions and Internal audit form?

    Answer: For the procedure and form I suggest you take a look at the free demos and verify if they can meet your needs. The links are:
    - Procedure for corrective actions https://advisera.com/27001academy/documentation/procedure-for-corrective-action/
    - Internal audit form https://advisera.com/27001academy/documentation/internal-audit-report/

    In those pages you just need to scroll down the screen a little to find the tab with the free demo preview.

    These materials will also help you regarding security objectives and audit process:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Sources of requirements


    Answer: 'Document stipulating the requirement' is any documentation with needs or expectations that can be measured in terms of information security characteristics. Examples of documents that stipulate requirements are contracts (e.g., Non Disclosure Clauses, which refer to confidentiality), service level agreements (e.g., clauses which define the minimal availability to be delivered, like 99.999% availability during a year), and regulations (e.g., EU GDPR, which defines how EU citizens' private information must be handled by organizations that offer services to the EU, which also refers to confidentiality).

    These materials will also help you regarding sources of requirements:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Duration of ISO 27001 implementation


    Answer: To identify the time required to implement ISO 27001:2013 you can use our Free ISO 27001 Duration Implementation Tool, which takes into account the effect of other management systems that are implemented. The link for the tool is https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    Now, taking into account that you are also planning to implement ISO 9001:2015, you can consider saving up to 30% of the time for implementing ISO 27001, because these two standards have a lot of requirements in common. The savings may be greater if they are implemented at the same time as an integrated system, but without more detailed information we are unable to properly evaluate that.

    These articles will provide you further explanation about ISO 27001 implementation:
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    I also suggest you take a look at Conformio, our online ISO tool that can provide you a very detailed list of steps that need to be done to implement ISO 27001, as well as other resources to make your implementation easier. Our Free plan includes access for 10 users to ISO guidance, a document management system, task management, a social intranet, and 1 GB of storage. The link for Conformio is https://advisera.com/conformio/
  • Project risk assessment

    Quite clear now. Appreciate your response. Thanks.
  • ISO 9001:2015 documentation level


    Answer:

    Not all processes need to be documented, and this version of the standard aims to decrease the amount of documentation. The documentation should be a balance between the competence of employees and the complexity of processes. If you have competent employees you don't have to document every single activity, and the same goes for simple processes. Instead of writing procedures, sometimes it can be much easier to develop a process flowchart or Quality Plan. For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Gaining competence for ISO 9001:2015


    Answer:

    There is no requirement for the top management to get training in ISO 9001 requirements. The auditors, on the other hand, must get familiar with the standard requirements in order to be able to audit the system. They can get familiar with the standard by themselves or take some in-house or external course, but they do not have to have the certificate.

    Here you can find our free ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • The transition and the document coding system


    For example, I have a flow-down list of document numbers; however, it only lists one form number for a calibration list, using F-715-001. Currently we have a calibration form for each piece of lab equipment. Same form, just an individual form for each thermometer, balance, etc. Would this form then be F-715-002?

    Answer:

    The new version of the standard doesn't change the coding system, so you can keep the existing one and there is no reason for change. What will change during the transition are the documents themselves, and their version number should be changed, but they can have the same identification code.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • How to address life cycle perspective in providing services?

    The life cycle perspective is not relevant for every type of business in the same way; service companies will have far fewer difficulties meeting this requirement. In the case of a logistics company, you will basically examine the steps you go through when delivering the product and determine the environmental aspects regarding each step, and it will overlap with your processes such as transportation and storage.

    So, in your case you only need to identify and evaluate environmental aspects in your processes, and there is no need for further assessments. For more information about the life cycle perspective, see: Lifecycle perspective in ISO 14001:2015 – What does it mean? https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
  • ISO 20000 / ISO 27001 cost of implementation

    There are two calculators which can help you:
    ISO 27001 - "Return on Security Investment Calculator" https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/
    ISO 20000 - "ITIL Return On Investment (ROI) Calculator" https://advisera.com/20000academy/itil-iso-20000-tools/roi-calculator/ (although it's an ITIL calculator, it can help you with ISO 20000).
    Additionally, there are some articles which explain this topic:
    "How much does the ITIL/ISO 20000 implementation cost?" https://advisera.com/20000academy/blog/2016/12/13/how-much-does-the-itiliso-20000-implementation-cost/
    "How much does ISO 27001 implementation cost?" https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/