Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Applying ISO principles in practice
Answer:
I'm not sure what ISO principles do you mean, but I assume your thinking of ISO 9001 principles. New version of the standard has 8 principles instead of 7 in the previous version. The principles are translated into requirements of the standard and by meeting the requirements, you will apply the quality principles.
There is no requirements for expertise regarding the principles, they only need to be applied through compliant with the standard and establishing the Quality Management System. For more information on quality principles, see: Seven Quality Management Principles behind ISO 9001 requirements https://advisera.com/9001academy/blog/2014/02/04/seven-quality-management-principles-behind-iso9001-requirements/ -
Presentation for ISO 9001 tansition
Please can you assist me with a presentation on introduction to ISO 9001:2015 Transition slide to be presented for my staff and the management entirely.
Thank you for always there for always there for me.
Answer:
The first part of the presentation on the transition should explain benefits of the transition. Here you can find some useful materials:
- ISO 9001:2015 – The benefits of early implementation https://advisera.com/9001academy/blog/2015/09/29/iso-90012015-the-benefits-of-early-implementation/
- ISO 9001:2015 benefits of early transition https://info.advisera.com/9001academy/free-download/iso-90012015-benefits-of-early-transition
The second part should explain the steps in the transition and how those steps will be conducted. Here are some useful resources from our website:
- How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/0 01academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
- Free webinar – ISO 9001:2015 - How to make the transition from ISO 9001:2008 https://advisera.com/9001academy/webinar/iso-90012015-how-to-make-the-transition-from-iso-90012008-free-webinar-on-demand/
- Twelve-step transition process from ISO 9001:2008 to the 2015 revision https://info.advisera.com/9001academy/free-download/twelve-step-transition-process-from-iso-90012008-to-the-2015-revision
The last part of the presentation should describe options for the transition, i.e. doing the transition by yourself, using consultant or some online solution. Here you can find a whitepaper that can be helpful to you:
- Implementing ISO 9001:2015 with a consultant vs. DIY approach https://info.advisera.com/9001academy/free-download/implementing-iso-9001-with-a-consultant-vs-diy-approach -
Security of remote access
Answer: I assume you are referring to security practices from IT applicable to SCADA (Supervisory Control and Data Acquisition). Information Technology (IT) and Industrial Control System (ICS), which embraces SCADA, have different business requirements, implementation architectures, and security goals, which makes direct application of security solutions from IT to SCADA unpractical. But in terms of concepts and high level approaches, they are highly compatible (you can also consider for SCADA security approaches like harden the perimeter, defense in depth and securing remote access). Considering ISO standards, ISO 27002 may help with some approaches (for remote access you have control 6.2.2 - Teleworking, and 13.1.2 - Security of network services), but ISO 27019:2013, wh ich provides guiding principles based on ISO/IEC 27002 for information security management applied to process control systems used in the energy utility industry, can provide more related information regarding Industrial Control Systems in general.
Unfortunately, we do not have some specific materials for remote access, but perhaps these materials can help you:
- How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/ -
Documenting context of the organization
Answer:
ISO 9001 has no explicit requirements regarding documented information on the context or the interested parties. However, it requires organization to monitor information over these topics and most effective way of meeting these requirements is to at minimum make a List of interested parties and their requirements.
Documenting context of the organization is not recommendable approach, but many companies choose to document the procedure that defines how the context is defined, what elements are considered, who was involved, etc. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/ -
ISMS performance evaluation
Answer: We intentionally didn't develop a special document in the toolkit for the measurement results because in most cases companies already have some system of reporting their results – e.g. they use automatic reporting from their systems (e.g. fault logs from their servers), they use their regular reports (e.g. in the reports about monthly performance they include also the security results), or in some cases they have a Balanced Scorecard system in place where they simply add the security measurement.
If you have none of these, a simple report with stated objectives, date of measurement and the measurement results will be enough – you have to decide whether this report will be sent only to the mid-level management, or to the top management during the Management review.
Considering these, the re are two documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
- In the top-level Information Security Policy, in the section 4.1 you need to specify the responsibilities for measurement and monitoring.
- Risk Treatment Plan – in the column “Method for evaluation of results” you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column “Status” you need to specify whether particular control is implemented or not, which you can use for monitoring the implementation plan.
By the way, to perform the measurement first you need to develop a set of measurable objectives, and you can use our Statement of Applicability template to document the objectives for your controls (or groups of controls), and you can document the top-level objectives in your Information security policy.
These articles will also help you:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
Also, in the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment. -
Risk assessment and risk registers
Answer: For a general view of risk assessment process I suggest you to take a look at the following articles:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Regarding documentation, I suggest you to take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/ -
Information security standards
Answer: To find all sec standards related to ISO you should consult ISO Online Browsing Platform at https://www.iso.org/obp/ui/
But you can also see this article where we complied the most related standards to information security:
- Information security & business continuity standards https://advisera.com/27001academy/knowledgebase/information-security-business-continuity-standards/ -
ISMS implementer and auditor
Answer: First thing is that ISMS is not a certification, it is a system to protect information (ISMS stands for Information Security Management System). Considering this, currently we have two types of certifications regarding an ISMS: certification of an organization's ISMS, based on the requirements of ISO 27001 standard, and certification of persons who work with an ISMS as a lead auditor or lead implementer, but only the former issues a internationally recognized certification, based on courses accredited by institutions like IRCA or RABQSA. You can find detailed information about certifications for organizations and persons here: ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/ .
In terms of competences to be successful in an ISO 27001 lead auditor or lead implementer course, more important than the years of experience is the understanding of the link between information security, technology, and business processes (e.g., someone can pass years of a professional life seeing only one aspect of IT while other professional in a couple of years can cover aspects from network infrastructure to business intelligence).
This article will provide you further explanation about ISMS implementer:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
These materials will also help you regarding ISMS implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/ -
Mapping between ISO 27001 and ISO 27002
Answer: ISO 27002 shows in details recommendations and best practices for the implementation of the controls described in ISO 27001 Annex A, and its numbering sequence is the same as from the ISO 27001 Annex A (e.g., recommendations for Annex A section A.5 are on ISO 27002 section 5 and so on). So no additional mapping is required.
This article will provide you further explanation about ISO 27001 and 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
These materials will also help you regarding ISO 27001 and 27002:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/