
  • Risk assessment methodology and assets inventory


    Answer: The most common methodology you will find is the identification of assets, threats and vulnerabilities, mostly because it was defined by the old 2005 revision of ISO 27001, and although it is not mandatory any more, we consider it very useful in many scenarios.

    This article will provide you further explanation about risk assessment methodology:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    2 - Another question I have about these 16 points is: why is the inventory of information assets not included?

    Answer: Listing all the assets is a mandatory task in the risk assessment methodology referred to in the article you mentioned, so the inventory of assets is included in the risk assessment step.

    This article will provide you further explanation about assets inventory:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding risk assessment methodology and assets inventory:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment methodology


    Answer: Defining a methodology means defining the rules which will guide you through the risk assessment, precisely to answer questions like the ones you asked (others may be how to calculate a risk, how to decide whether to accept a risk or not, etc.), so that all people in your organization will have the same criteria for assessing the risks, ensuring comparable and repeatable results. And besides making your risk assessment easier to handle, in terms of the standard, it is required that you first establish your methodology.

    As for the qualitative and quantitative approaches, you can apply both according to your requirements, but in most cases for small and medium-sized businesses, the qualitative approach will be sufficient (quantitative assessment requires a complex mathematical approach justified only for a few high-impact risks).

    2 - Further, do you have any practical guide on risk assessment, for example identifying one asset and identifying the related risks, threats and vulnerabilities in detail with a practical approach?

    Answer: In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk Assessment and Risk Treatment. Additionally, in the book Secure and Simple that you bought, you will find in sections 7.3 to 7.5 detailed information and examples of risk identification, and in appendix M you will find a useful catalogue of threats and vulnerabilities to help you build your risk assessment.
  • Management support and approval for an ISMS

    Hi, an answer to this question was posted under the title "Compliance List"
  • Processes vs. Procedures

    Do you have some type of template to help make the process easier to document?
    We're really under the gun because we missed this when we were first looking into the transition from 2004 to 2015, and now we have to submit all paperwork to our auditor by 3-13-17.

    Answer:

    A process represents a set of interrelated or interacting activities which transforms inputs into outputs. The key for a process is that it takes an input, performs some activities using that input, and then creates an output. On the other hand, a procedure is a “specified way to carry out an activity or a process.” So, when you have a process that needs to occur in one specific way, and you have specified how it is to happen, you have a procedure.

    It is important to note that not every process needs to have a procedure. For instance, if you have a process under which you only buy product from an approved supplier, but you do not have a defined way to add a supplier to that list, then you have a process but not a procedure to go with it.

    We do have process procedures for ISO 14001:2015; they are part of our documentation toolkit, but they can also be purchased separately. Here you can download a free preview of the toolkit: https://advisera.com/14001academy/iso-14001-documentation-toolkit/
  • Certification benefits


    Answer: Information security means the protection of information regardless of the medium it resides on, and this goes well beyond the IT environment (e.g., information flows through physical reports, people talk about it, etc.), and ISO 27001 can help you to ensure proper information protection in all these situations. As practical examples, I can mention that pharmaceutical companies must protect their research information, and banks must protect information about their customers. Both are non-IT organizations to which ISO 27001 is perfectly applicable.

    So, I strongly recommend that you seek certification, because besides complying with a customer demand, by implementing an Information Security Management System (ISMS) based on ISO 27001, you can achieve other benefits like enhanced competitiveness, reduction of operational costs, improved internal organization, and ease of maintaining conformity with legal requirements.

    This article will provide you further explanation about certification benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding certification benefits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001 benefits: How to obtain management support [free webinar] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • How many threats and vulnerabilities to display


    Answer: Theoretically, you should include every possible option, i.e. every combination of threats and vulnerabilities related to each threat, even if their value is 0. However, in my opinion you shouldn't list more than 5 threats for each asset, or more than 2 vulnerabilities for each threat.

    This article will give you more explanation: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Documenting the context in internet service provider company


    Answer:

    The standard does not require an organization to document the context of the organization, nor the process of determining the context. The company itself can decide how to document the context if it chooses to document it. But, since it is a new requirement, I suggest documenting a procedure for determining the context, containing all elements of the context to be considered and using SWOT or PEST analysis as a tool for determining the context. Having documented information on the context of the organization will facilitate demonstration of compliance with the requirements.

    There is no predefined list of internal and external issues; the company can decide by itself what issues are relevant to its QMS. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • Procedure for document control based on ISO 9001 and ISO 22000


    Answer:

    Requirements for document and record control in ISO 22000 are located in clauses 4.2.2 and 4.2.3, while requirements for documented information in ISO 9001:2015 are located in clause 7.5. ISO 9001 has more precise requirements for document and record control than ISO 22000; therefore, a procedure for document and record control compliant with ISO 9001:2015 will meet the requirements for document and record control in ISO 22000. All you need to do is add a reference to the relevant ISO 22000 clauses in the Procedure for Document and Record Control. Here you can find a free preview of the document: https://advisera.com/9001academy/documentation/procedure-document-record-control/
  • Check within the process vs. checks of product

    I was wondering if we have checks within the process to ensure the product is good, do they need to be calibrated even if we check the final product with calibrated instruments?

    Answer:

    The company must demonstrate that the measuring equipment is fit for purpose; therefore the measuring equipment must be calibrated or verified, or both, at specified intervals, or prior to use. The rationale that the final measurements of the product will ensure its conformity, and that the measuring within the process doesn't have to be 100% reliable, practically means that the measurement within the process is redundant. For more information, see: Monitoring and Measurement Equipment Control https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/ (the article is written based on ISO 9001:2008, but the requirements are the same).
  • Quality Manual referencing to document management software


    Answer:

    The Quality Manual is no longer required by ISO 9001:2015; therefore the requirements for the Quality Manual no longer exist. The article you are referring to is written according to the 2008 version of the standard, and that is why it states all these requirements regarding the manual. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/

    The fact that the manual is no longer required does not mean it's forbidden; the company can decide to keep the manual, but now it has more freedom to tailor it according to its needs. So you can reference certain parts or features of your software in the manual, or reference the software as a whole.