Search results

  • Qualifications of OHSAS 18001 internal auditor


    Answer:

    OHSAS 18001 doesn't define the qualification of internal auditor and it doesn't require internal auditors to attend internal auditor training, not even from the CB. The only requirement regarding the internal auditor is to ensure objectivity and impartiality of the audit process (clause 4.5.5).

    For more information about internal audit, see: How to perform internal audits in OHSAS 18001 https://advisera.com/18001academy/blog/2015/09/23/how-to-perform-internal-audits-in-ohsas-18001/
  • Risk assessment details


    Answer: The level of detail to be included in a risk assessment will depend upon the context of the organization. The industry in which the organization operates, the laws and regulations with which it must comply, and the complexity of its products and services are the main aspects that will define which details you should consider. For example, the aviation industry requires a high level of security, and risk details should provide enough information so the risks can be properly handled.

    2 - Which is the easiest risk tool for a beginner?

    Answer: We have a Risk Assessment Toolkit which covers the essential steps to perform a risk assessment in an easy and uncomplicated way. You can see a free demo through this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    Additionally, you may take a look at our Free ISO 27001 Gap Analysis Tool in this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    These articles will provide you further explanation about risk assessment:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 and SOC


    Answer: While SOC has the purpose of assisting in reporting to customers that an organization has met established security criteria, ISO 27001 assists an organization in a broader way, by providing a framework which helps to ensure that security criteria and controls are established according to the organization's needs, and that they are properly verified and improved over time. So, in a way, SOC is covered by ISO 27001, and you might tell them that by adopting ISO 27001 they will not only cover the reporting aspects of SOC but will also be able to justify any adjustments required by the business needs, as well as respond properly to changes in the risk scenario and to ineffective controls.

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding ISO 27001 Benefits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 implementation project

    Answer: The main point you should consider when deciding whether or not to include the business process description and scoping as a deliverable in your ISO implementation is whether there are other projects or initiatives under way, or in the near future, that will require business process description and scoping (e.g., an information system development, or process re-engineering). Depending upon the scope of these other projects, it may be better to treat business process description and scoping as a separate project that will provide input for your ISO implementation. If this is not the case, you may include the business process description and scoping as a deliverable in your project, reducing the administrative load of running two projects.

    This article will provide you further explanation about the ISO 27001 project:
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These materials will also help you regarding the ISO 27001 project:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Financial benefits of ISO 27001

    Some examples of how the right kind of software can help decrease operational costs are:

    • increasing the number of automated activities (i.e., fewer people required to perform the same number of tasks)
    • improving response time to handle incidents or deviations in processes results (by means of monitoring features)
    • providing information for decision making (by means of standard or customized reports and dashboards)

    For further information, see:

  • ISO 27001 awareness material


    Answer: Sure. We do have a free download presentation called "Why ISO 27001 – Awareness presentation" you can access through this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

    Additionally, you could check this article about topics for ISO 27001 awareness presentations:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    These materials will also help you regarding topics for ISO 27001 awareness presentations:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Cross Function Security Teams


    Answer: Yes. Provided that the mandatory topics are addressed (e.g., results of tests, controls performance, etc.) and it is possible to identify a periodicity in the conduct of the meetings, there is no mandatory form for holding the meetings.

    2 - Can CFST meetings be a replacement for the BCC?

    Answer: If by BCC you refer to the Business Continuity Coordinator, this meeting cannot be a replacement. The BCC is a function, while the meeting is an activity, so there must be a person in the meeting with the responsibilities of the BCC.

    This article will provide you further explanation about the relationship between ISO 22301 and ISO 27001:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • 27001 certification process


    In any case, I think the answer is probably somewhere in between, and it’s maybe a shared ownership. We’re attempting to draw clear boundaries though in terms of who does what, and I was wondering if you’ve ever seen a RACI chart of the various activities that are involved in certification. This would help us to create clear areas of responsibility, but in the end I still believe that security should ultimately “own” this, as it’s an information security standard.

    Answer: Your assumption about shared responsibilities is right. ISO 9001 and ISO 27001 share a lot of clauses that can be managed both by the security team and by the quality team, and this is clearer now with the new structure of ISO management standards. I personally have never seen a RACI chart in the way you are asking, but the person ultimately responsible for the ISMS/ISO 27001 project is typically someone responsible for security, generally the CISO (Chief Information Security Officer). Regarding other responsibilities, by following the new structure of ISO management standards, you could consider this:

    4. Context of the organization - since in this case the context addresses issues that can prevent the ISMS from achieving its desired outcomes, the security team should be accountable for the deliverables related to it (e.g., ISMS scope).
    5. Leadership - The security team should be accountable for the elaboration of the information security policy and the definition of security responsibilities, as well as for ensuring top management commitment to information security. The quality team should be accountable for the integration of security processes with other organizational processes.
    6. Planning - This section refers to information risk management, and the security team should be accountable for the deliverables related to this section.
    7. Support - The quality team should be accountable for almost all of this section (e.g., provision of resources and competences), with the exception of communications, because this is related to what, when, to whom, and by whom information security issues should be communicated.
    8. Operation - The security team, and those with responsibilities defined in the procedures, should be held accountable for the day-to-day security activities.
    9. Performance evaluation - These processes could be integrated into the processes already managed by the quality team, so this team could be held accountable.
    10. Improvement - These processes could also be integrated into the processes already managed by the quality team, so this team could be held accountable.

    In short, common processes and deliverables already implemented by ISO 9001, like internal audit, control of documents and records, and management review, could be assigned to the quality team, and those specifically related to information security could be assigned to the security team; but it is important to note that for the processes managed by the quality team, the security team becomes an interested party that should be listened to.

    This article will provide you further explanation about integrated management systems:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding responsibilities in the ISO 27001 certification process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Gap Analysis for ISO 22301


    Answer: Unfortunately we do not have a Gap Analysis tool for ISO 22301, but you may take a look at this free white paper "Clause-by-clause explanation of ISO 22301", which helps in understanding ISO 22301 and may help you with a gap analysis. Here is the link: https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008

    This material will also help you regarding ISO 22301 requirements:
    - Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Assigning value to assets

    Can an asset list consist of assets such as office networks, or does it have to be segregated into further components/devices?