1. Do we need to annually test every control that is in scope in the SoA? Or do we do this over a 3 year period?
Answer: If your question is about internal audit, then it would be better if you audit all controls each year, but you can also do it in the 3-year period. If your question was about control A.14.2.8 System security testing or A.12.6.1 Management of technical vulnerabilities (which could also include e.g. pen tests), those activities should be performed continuously or at least periodically, but certainly not only once in 3 years.
2. How should we best structure our audit plan? Should the audit scope reflect the department or the control objectives being reviewed? For example I could see it would make sense for the audit scope in the plan to be 8 Asset management and then using the checklist provided we can assign the specific tests and responsibilities to the auditors. I could then make up an annual checklist for each control area. What do you think?
Answer: You can do it both ways - by controls or by departments. If the auditor has more experience, it is probably better to do it by department; if he/she has less experience, then it will be easier by controls.
Answer:
Incident management (as any other ITIL process) implementation duration depends on many parameters which are case-specific, i.e. company-specific:
- existing process - use this free ITIL Gap Analysis tool to check how your process complies with ITIL recommendations: https://advisera.com/20000academy/itil-iso-20000-tools/itil-gap-analysis-tool/
- know-how - the knowledge level of your staff influences the pace of the implementation
- tool - if you use a tool, you will speed up the implementation
- organizational set-up - depending on the complexity of your company, the length of the implementation can vary (usually, bigger organizations need more time)
- people - this includes the people that you have (number of supporting employees/customers, as well as people you can involve in the incident management process)
Answer: The European Union Commission, on 10th January 2017, adopted a proposal for a Regulation on Privacy and Electronic Communications to replace the 2009 Directive, the last update of Directive 2002/58. You can find the proposal on the following link:
It depends on how your existing Quality Manual is structured. If you've followed the clauses of the standard in your Quality Manual structure, you need to restructure its numbering and add new clauses to the manual. If your manual doesn't follow the structure of the standard, you only need to add information about the context of the organization, address risks and opportunities, compare your manual to the requirements of ISO 9001:2015 and make adjustments.
While as per ISO 27001:2013, BCP is to be implemented in the information security aspect of the ISMS.
Could you please give an example so that I could understand the above statement.
Answer: ISO 27001:2005 A.14 controls had the objective to ensure the continuity of business operations in case of the failure of information systems and to ensure their timely resumption, and these controls basically refer to the same approach as ISO 22301, the ISO standard for business continuity management. On the other hand, ISO 27001:2013 A.17 controls have the objective to ensure only the continuity of the information security capabilities (confidentiality, integrity and availability) in case of a disruptive event.
So, while the old version had a higher objective (continuity of business operations), requiring the development of full business continuity management, the new version covers only the set of capabilities required to ensure continuity of information security capabilities, which can be achieved by the elaboration of a business continuity plan that may not depend on an organizational business continuity approach (ideally it is better to be integrated into an organizational approach).
As a practical example, if a data center has access control based on electronic locks and it is hit by a disruptive event that makes all energy sources unavailable, one solution to ensure information security continuity, in this case protected by access control, is to designate a security guard to protect the data center entrance until the electronic locks start to work again. Another example is the use of backup media to protect information availability.
BIA scope
Answer: The most suitable people to answer what activities should be considered related or unrelated to your main services are the processes owners and the key users (people that have the best knowledge of the process).
In your example, you should ask the person who handles salaries which activities he relies on to deliver his results (e.g., salary payments), or what would be the worst thing that could happen that would prevent the salaries from being paid. From the answers to these two questions you can identify the activities you should consider related to your main process.
Regarding more examples, in the video tutorials that came with your toolkit, you will see how to make considerations for what is related or not to your main process while filling out all the data regarding BIA.
Risks and opportunities in processes
I work for a company that applies coatings on certain surfaces, that is also the scope of the current ISO 9001:2008 certificate we have; applying coatings on certain surfaces and metalizing objects. I'm really not sure how to address risks and opportunities regarding those activities. For example, do I need to address the risk a wrong kind of coating can be applied or is that too specific? I'm a little lost in the terminology that's being used.
Answer:
The standard requires the organization to determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
This includes risks and opportunities within the processes, and especially the risks regarding nonconforming products that you've mentioned. You can decide to use some methodology for identification and evaluation of risks and opportunities, such as FMEA, or you can just talk with the people involved in the processes and find out what risks they are facing on a day-to-day basis. Once you determine the risks, you need to take actions to address them; the actions can include documenting a procedure or work instruction, sending people to training, changing the process or activity to avoid the risk, etc.
>Can asset value (single subjective value: high, medium, low) be assigned based on the CIA value?
Answer: The asset value, in terms of business objectives, results and operations, is used to help define the CIA value, not to be directly assigned to them, since the same asset may have different impacts on CIA, depending upon its purpose. For example, a website intended to provide relevant public information should have an availability value greater than its confidentiality value.
>Which is the best formula for evaluating the asset value
>Asset value = Max (CIA)
>OR
>Asset value = average of CIA
>Asset Value = C I A
Answer: The most practical formula to evaluate the asset value in terms of CIA is MAX(CIA), where with a single value you cover the worst-case scenario for CIA. Attributing to the asset a value for each aspect of the CIA allows you to better allocate resources if there is a great difference between the values (e.g., C=3, I=1, and A=1), but it makes your asset management more complex, so you should use this method only if you can justify adding such complexity in return for better resource allocation.
You should not use the average of CIA because an average value can hide a high value of one aspect of CIA, which can result in an asset with less protection than needed. For example, with C=3, I=1, and A=1, the average would be 1.67, a value well below the value 3 attributed to confidentiality.
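The contrast between MAX(CIA) and the average of CIA from the answer above, as an added Python example (not part of the original Q&A): a constructed asset register on an assumed 1..3 scale, including the answer's C=3, I=1, A=1 case, shows which assets an average would leave under-protected.

```python
# Added example, not from the original Q&A: compare MAX(C,I,A) with the
# average of C, I and A over a small constructed asset register and flag
# the assets where averaging hides a high requirement on one aspect.

from statistics import mean

# Constructed sample register: asset name -> (C, I, A), each on a 1..3 scale
# (3 = highest requirement). The scale and values are assumptions.
SAMPLE_REGISTER = {
    "public website": (1, 2, 3),   # availability matters most
    "HR salary data": (3, 1, 1),   # the C=3, I=1, A=1 case from the answer
    "build server":   (2, 3, 2),
    "internal wiki":  (1, 1, 1),
}


def asset_value_max(cia):
    """Worst-case asset value: the single highest of C, I and A."""
    return max(cia)


def asset_value_avg(cia):
    """Average of C, I and A, rounded to two decimals (the 1.67 in the answer)."""
    return round(mean(cia), 2)


def under_protected_if_averaged(register, threshold=3):
    """Return the assets where at least one aspect is at or above `threshold`
    (assumed top tier) but the average falls below it, i.e. assets that an
    average-based value would protect less than they need."""
    hidden = {}
    for name, cia in register.items():
        if asset_value_max(cia) >= threshold and asset_value_avg(cia) < threshold:
            hidden[name] = {"max": asset_value_max(cia), "avg": asset_value_avg(cia)}
    return hidden


if __name__ == "__main__":
    for name, cia in SAMPLE_REGISTER.items():
        print(f"{name:15} C/I/A={cia}  max={asset_value_max(cia)}  avg={asset_value_avg(cia)}")
    print("under-protected if averaged:", under_protected_if_averaged(SAMPLE_REGISTER))
```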
Difference between internal and lead auditor courses
Answer: Yes. While the Internal Auditor course's main purpose covers the planning and performing of single audits, the Lead Auditor course also covers the planning and management of an entire audit program (multiple audits), and the coordination of a team of auditors before and during an audit. Additionally, passing an accredited Lead Auditor course is also a prerequisite for auditors who want to work for certification bodies.