Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Interested parties and leadersip
Answer:
In order to identify relevant interested parties you need to consider all institutions, organizations and people that affect your EMS (Environmental Management System) or can be affected by it. There are internal and external interested parties. Interested parties include employees, top and mid management while external interested parties include customers, suppliers, regulatory bodies and local community. The organization must, not only identify interested parties but also to decide what interested parties are relevant to the organization and determine their needs and expectations towards company's EMS. For more information, see: How to determine interested parties according to ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
The standard requires from top management to define Environmental Policy and environmental objectives, to assign roles and responsibilities within EMS and to provide r esources for functioning of the EMS. Most of those requirements are meet by actions rather than by documents and procedures and they are also audited accordingly. All these requirements are placed in clause 5 Leadership and basically, the top management must only define the policy and that is the only requirement beside the objectives that must be documented. For more information about the leadership, see: How to demonstrate leadership according to ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/ -
Managing records kept
Hi Jack,
Yes, several procedures can reference to the same record. You don't have to list the record in every procedure, but in the body of the procedure you need to make reference to the record. -
Compliance with ISO 27001
Answer: For the identification of the mandatory documentation needed for compliance with ISO 27001 I suggest you to take a look at this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Regarding the identification of documentation importance, I suggest you to take a look at this article:8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Regarding the actions to be taken to ensure an ISMS compliance is ready for certification, I suggest you to see this article: ISO 27001 implementatio n checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
2 - Also, during the assessment, there might be chances that some of the solutions i.e. Access Control, Incident management, completely does not exist. In that case what would be action item, because due to the budget constraint, some of the solution deployment may not be feasible this year? Is there any alternative available to make us complaint without putting actual solution in place.
Answer: In some cases, it is possible to implement a control at some later time - however you need to fulfill the following: (1) there is no major risk with pending treatment, (2) the Risk Treatment Plan clearly defined that the control will be implemented at a later date, and (3) risk owners have accepted the risks related to control that will be implemented later.
These materials will also help you regarding compliance with ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Risk assessment methodology and assets inventory
Answer: The most common methodology you will find is the identification of assets, threats and vulnerabilities, most because it was defined by the old 2005 revision of ISO 27001, and although it is not mandatory any more we consider it very useful in many scenarios.
This article will provide you further explanation about risk assessment methodology:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to write ISO 27 001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
2- Otra pregunta que tengo acerca de estos 16 puntos es ¿porque no esta el inventario de activos de informacion? (Another question I have about these 16 points is why is there not the inventory of information assets?)
Answer: Listing all the assets is a mandatory task in the risk assessment methodology referred in the article you mentioned, so the inventory of assets is included in the risk assessment step.
This article will provide you further explanation about assets inventory:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding risk assessment methodology and assets inventory:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Risk assessment methodology
Answer: Defining a methodology means to define the rules which will guide you through risk assessment, exactly to answer questions like the ones you asked (others may be how calculate a risk, how decide whether accept a risk or not, etc.), so all people in your organization will have the same criteria for assessing the risks, ensuring comparable and repeatable results. And besides making your risk assessment easier to handle, in terms of the standard, it is required that you first establish your methodology.
As for qualitative and quantitative approach, you can apply both according your requirements, but in most of the cases for small and medium-sized business, the qualitative approach will be sufficient (quantitative assessment requires a complex mathematical approach justified only for few high impacting ris ks).
2 - Further, do have any practical guide on risk assessment , for example identify one assets and identify related risks , threat and vulnerabilities in detail with practical approach.
Answer: In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment. Additionally, in the book Secure and Simple that you bought, you will find in sections 7.3 to 7.5 detailed information and examples of risk identification, and on appendix M you will find a useful catalogue of threats and vulnerabilities to help you build your risk assessment. -
Management support and approval for an ISMS
Hi, an answer to this question was posted under the title "Compliance List" -
Processes vs. Procedures
Do you have some type of template to help make the process easier to document?
Were really under the gun because we missed this when we were first looking into the transition from 2004 to 2015 and now we have to submit all paperwork to our auditor by 3-13-17.
Answer:
The process represent set of interrelated or interacting activities which transforms inputs into outputs. The key for a process is that it takes an input, performs some activities using that input, and then creates an output. On the other hand procedure is a “specified way to carry out an activity or a process.” So, when you have a process that needs to occur in one specific way, and you have specified how it is to happen, you have a procedure.
It is important to note that not every process needs to have a procedure. For instance, if you have a process that you only buy product from an approved supplier, but you do not have a defined way to add a supplier to that list, then you have a process but not a procedure to go with it.
We do have process procedures for ISO 14001:2015, they are part of our documentation toolkit, but they can also be purchased separate. Here you can download free preview of the toolkit https://advisera.com/14001academy/iso-14001-documentation-toolkit/ -
Certification benefits
Answer: Information security means the protection of information regardless the medium it refers to , and this goes well beyond IT environment (e.g., information flows through physical reports, people talk about them, etc.), and ISO 27001 can help you to ensure proper information protection in all these situations. As practical examples, I can mention that pharmaceutical companies must protect their research information , and banks must protect information about their customers. Both are non-IT organizations to which ISO 27001 is perfectly applicable.
So, I strongly recommend you to seek for certification, because besides complying with a customer demand, by implementing an Information Security Management System (ISMS) based on ISO 27001, you can achieve other benefits like enhanced competitiveness, reduction of operational costs, improved internal organization, and easiness to maintain conformity with legal requirements.
This article will provide you further explanation about certification benefits:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
These materials will also help you regarding certification benefits:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 benefits: How to obtain management support [free webinar] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/ -
How many threats and vulnerabilities to display
Answer: Theoretically, you should include every possible option, i.e. combination of threats and vulnerabilities related to each threat, even if their value is 0. However, in my opinion you shouldn't list more than 5 threats for each asset, and more than 2 vulnerabilities for each threat.
This article will give you more explanation: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
Documenting the context in internet service provider company
Answer:
The standard does not require organization to document context of the organization neither the process of determining the context. The company itself can decide how to document the context if it chooses to document it. But, since it is a new requirement, I suggest to document procedure for determining the context containing all elements of the context to be considered and using SWOT or PEST analysis as a tool for determining the context. Having documented information on context of the organization will facilitate demonstration of compliance with the requirements.
There is n predefined list of internal and external issues, the company can decide by itself what issues are relevant to its QMS. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/