First, it is important to note that ISO 27001 does not specify the PDCA cycle.
Please note that the best practice is to consider risk assessment as part of the Plan phase, since its main objective is to identify and prioritize relevant risks to be treated, so you can plan which controls to implement.
In the Do phase, you implement and operate the controls.
This article will provide you with a further explanation about ISO 27001 and the PDCA cycle:
- Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
ISO 27001/ISO 27017/ISO 27018 allow the use of private hardware, and you can exclude this hardware from the ISMS scope - this is pretty common in companies that have remote workers.
Once you specify in your ISMS scope document that private hardware is out of scope, you need to ensure compliance with security rules by signing agreements with the workers who use such hardware, in which you specify the security rules for using it.
In your toolkit, you will find the document "Security clauses for suppliers and partners" in folder 08 Annex A Security Controls - A.15 Supplier relationships - you can use clauses from this document in the agreement with your workers.
ISO 27001 does not prescribe the information to be used to track an asset, so organizations can define the information they see as best fitting their needs.
In general, for tracking an asset you should consider information that is unique for each asset, and the serial number fits this criterion, so it is a good choice for tracking information.
This article will provide you with a further explanation of asset management:
Except for the top-level Information Security Policy, which is required to be approved by top management, ISO 27001 does not prescribe who needs to create, review, and approve documents for ISO 27001, so organizations can define these roles as best fits their needs.
Considering that, operationally speaking, you can justify that the reduction of the number of signatories will make the approval process more efficient.
Good practice is that one person from the top management approves the document, and a couple of relevant people review the document before it is approved - this makes the process faster, and the documents better.
For further information, see:
- How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
For a general question I can only give a general answer. Please check this free webinar on demand about Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar-on-demand/
Check particularly the slides about the improvement journey.
The following material will provide you with more information:
In the situation where you review the risks (i.e., the ISMS is already fully implemented), you need to go through your Risk assessment table and Risk treatment table and conclude if there are any new risks and/or new controls that need to be addressed - if yes, you need to update these documents, and also reflect this change in the Statement of Applicability. If there are no new risks, you need to document this fact; the best way to do this is to inform top management at the next management review so that this is recorded in the Management review minutes.
We apologize for these problems - you are right, these elements of the IT Security Policy are not best suited for fully remote organizations, and we are working on making the appropriate corrections.
There are three options you can take:
(1) develop the IT Security Policy from a Word template where you can edit everything according to your preferences (we will send you the template free of charge) and then upload this document to Conformio, or
(2) declare the control A.11.2.9 Clear desk and clear screen policy as not applicable in your Statement of Applicability (you can do this only if there are no larger risks or requirements from interested parties), and then the sections "3.12.1. Clear desk policy" and "3.12.3. Protection of shared facilities and equipment" will be automatically deleted from the IT Security Policy, or
(3) adapt the text in Conformio's IT Security Policy according to the suggestions below:
- 3.12.1. Clear desk policy - leave the text as it is, because your remote employees might have some paper documents in the future (e.g., printed unlock keys for encrypted disks, Disaster Recovery Plans, etc.).
- 3.12.3. Protection of shared facilities and equipment - write the following: "Facilities for dispatch and receipt of postal mail do not exist in employees' home offices, and are protected by (this is not applicable)."
- 3.17. Teleworking - write the following: "Teleworking must be authorized by the CEO by signing the employment contract."