Search results


  • Examples of risks and opportunities

    Can you help to complete a few generic examples of risks and opportunities so that I can pick up from there? What I am not clear about is whether I need to list risks separately, opportunities separately, and the actions to mitigate them.

    Answer:

    When identifying risks and opportunities, you need to focus on those risks and opportunities related to the conformity of the products and services you provide, your quality management system, and customer satisfaction. Basically, you need to ask yourself what can go wrong in the processes and what can be improved. For example, for the sales process a risk can be a misplaced order, and an opportunity can be to determine which period of the year is best for selling your products and to develop a marketing strategy to seize that opportunity.

    The standard does not define how you will document risks and opportunities so you can do it in any way that you find the most appropriate for your company.

    For more information about risks and opportunities, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Risk assessment, information labelling and security committee

    During implementation of ISO 27001, we had a risk as follows:
    When a customer requests a live demo, the development team is most probably late or not available (it has other tasks) to develop this demo. This led to the loss of opportunities in some cases. The mitigation of this risk is to develop an OLA (Operational Level Agreement) for this service (developing a demo). My question is:

    Is this risk related to the ISMS (ISO 27001)? If yes, as per classification, under which control in ISO 27002 can it be considered?

    Answer: Development team late or not available to deliver a demo, leading to loss of opportunity, is a risk related to the process of providing a product, so it is more related to a Quality Management System (QMS), or to a Business Continuity Management System (BCMS), than to an Information Security Management System (ISMS).

    Question 2:
    Regarding the labelling of information classification:

    1- If I use SAP as an ERP, is it a must for me to customize it to label all generated reports with the classification (confidential, internal, ....)?

    Answer: You can define that reports generated by information systems should include classification labels when they have functionalities that allow this to be done in a cost effective way (considering the relevance of associated risks).

    2- If I use non-customized software, how can I label its generated reports?

    Answer: When labelling functionalities are not available, or their implementation is not cost effective, you can insert the classification level in the textual part of the report (e.g., as the first top line), or you can define in the Classification policy that this particular report must be considered as having a specific classification by default, or someone can add the classification label by writing it by hand on the report after printing.

    3- Can we have a code like: if there is no label on a document, this means it is of the type "Internal use"?

    Answer: Yes, you can, but as a means to reduce your administrative effort and costs, you should apply it to the most common classification attributed to information in your organization, which may or may not be "Internal use".

    4- If the classification of a printed document changes, what should I do about labelling? (What is the best implementation for such a case?)

    Answer: If the classification of a printed document is changed, it has to be substituted by a new version, with the new classification label, and the old one must be handled according to the procedure for documentation control.

    5- In a meeting, one of the employees said that when we label any document with 'Confidential', we give the thief a sign to steal it. So, he does not like to apply classification labels. Another one replied "We have to do it for the sake of ISO 27001. We believe it is useful in some cases but it has great side effects that make us not interested in applying this control". What do you think?

    Answer: First, you do not have to do it "for the sake of ISO 27001", but for the sake of your business. That said, if a document is classified and marked as confidential, and protected as such, how would a thief get to it? If he can access the document, this means that at some point the access control doesn't work properly.

    Question 3:
    Instead of having a CISO, an Information Security Committee has been formed. The members are the HR, QA and IT Managers. The head of this IS Committee is the HR Manager. This committee will play the role of the CISO. Are there any concerns about that?

    Answer: ISO 27001 allows you to have team responsibilities for information security, but I think this is a bad idea - when several people are responsible, this actually means that no one is responsible. My suggestion would be to nominate one person who will act as CISO (this person can perform other functions as well), and this person will be responsible for the whole ISMS. Of course, you can still have this committee which will make some bigger decisions.

    These articles will provide you further explanation about these issues:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    These materials will also help you regarding these issues:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISMS scope definition


    Answer: Theoretically you can, but in terms of added value this may not be the most effective way because the most sensitive business information will be probably left outside of this scope, since information also exists and flows outside information systems, and the IT department cannot be responsible for the information it doesn't own or control.

    Besides that, when considering small and mid-sized businesses, the costs and effort involved in limiting the scope will very often be higher than implementing the ISMS in the whole company.
    This article will provide you further explanation about ISMS scope definition:

    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding ISMS scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Annual auditing of controls


    Answer: After the certification, both the internal audits and the surveillance audits (from the certification body) are mandatory - therefore, you cannot avoid any of them.

    2- The other question is: what do you see as the benefit of having a minimal annual system penetration test performed as part of the internal audit?

    Answer: Penetration testing, by effectively trying to breach the system, offers the benefit of increasing the assurance that operational systems are well developed, configured and up to date regarding vulnerability patching, something that a simple documentation review cannot offer.

    This article will provide you further explanation about auditing of controls:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

    These materials will also help you regarding auditing of controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Do we have to use the control A.12.1.4 for all software development processes?

    Thank you for your time and informative reply. So, we should evaluate whether not to implement the relevant control by using the outcome of risk management. This makes good sense. Thanks again.
  • ISO 27001 implementation benefits


    Answer: Implementing ISO 27001 can bring benefits regarding enhancement of competitive edge, reduction of expenses, ease of achieving compliance, and improvement of internal organization.

    The consequences of not being certified will depend on the industry in which you operate, but may include not being able to negotiate with customers that require certification from suppliers, or even not being able to operate in the industry, if laws and regulations require this kind of certification.

    This article will provide you further explanation about ISO 27001 implementation benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding ISO 27001 implementation benefits:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • IGSOC

    I would like to purchase the same
  • ISMS maintenance


    Answer: To ensure the maintenance of a certified ISMS you should cover these general points:

    1 - ensure that all the activities described in your policies and procedures are performed accordingly
    2 - ensure monitoring and measurement of ISMS performance
    3 - perform internal audits, management reviews, and corrective actions

    And within all these points you must ensure that risk assessments are reviewed and documentation is updated, or you may end up with an obsolete ISMS.

    This article will provide you further explanation about ISMS maintenance:
    - How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/

    These materials will also help you regarding ISMS maintenance:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Determining root cause of nonconformity

    What might be the root cause of the above?
    Your assistance will be much appreciated.

    Answer:

    There are several methods for determining the root cause, but the most popular is the 5 Whys method, which requires you to ask the question "Why" five times to determine what caused the nonconformity. In this particular case, there can be various reasons why the report wasn't written; it can be, for example, because the internal auditor didn't have enough experience and forgot to write the report, but it is hard to make assumptions without a proper investigation.

    For more information about root cause identification, see: How to use root cause analysis to support corrective actions in your QMS https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/