Search results

  • ISO 27001 and ISO 9001 and information security


    Answer: No. While ISO 27001's focus is indeed information security, ISO 9001's purpose is quality management (if you note, nowhere in ISO 9001 is the word "security" mentioned). Regarding the aspects covered, they are similar in some aspects (e.g., document and record control, internal audit, management review, etc.) but completely different in others (e.g., only ISO 27001 covers information security risk assessment, while only ISO 9001 covers product and service provision).

    These articles will provide you with further explanation about how to work with ISO 27001 and ISO 9001 together:

    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    This material will also help you regarding how to use ISO 27001 and ISO 9001 together:
    - Free webinar ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Missed aspect

    Thank you!
  • Preparing for ISO 9001:2015 external audit


    Answer:

    In order to pass the external audit, you need to conform to the requirements of ISO 9001:2015. This means that you need to have all mandatory documents and to conduct all activities required by the standard, from evaluation of suppliers and measuring customer satisfaction to internal audit and management review. Here is one article that can help you with preparing for the certification audit: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
  • Does internal auditor need to have a certificate?


    Answer: You will need a certificate proving that you have passed the internal auditor course if:
    1) Your company goes for ISO certification - in that case the certification auditor will ask the internal auditor to prove his knowledge of the standard and his skills for internal auditing.
    2) Your company is required by legislation to have a certified internal auditor.
    3) You want to prove to your management that you are prepared for this job.

    If these three points do not apply to you, then it is not necessary to have a certificate for internal auditor.
  • Risk treatment plan and SoA


    Answer: Sure, in the video tutorials that came with your toolkit, there is one about how to write the ISO 27001 Statement of Applicability that will help you fill out all the data.

    2 - Also, please clarify: only the risk with an impact number above 2 gets carried forward to the next level? E.g. if we start off from the Risk assessment table and we have a risk with impact 2 and another with impact 4, this means the risk with impact 2 stays on this sheet, whereas the one with impact 4 is taken to the Risk treatment sheet. Well, on the Risk treatment sheet we ascertain control(s) for it and re-ascertain the level after controls, and if the impact now becomes 2 we will conclude the effort here and also mention it in the SoA only. And if the level becomes 3 or even remains 4, we will take it further to the SoA, then mention it in Residual risk and plan for its treatment in the Risk Treatment plan? Is that so?

    Answer: Considering that your limit value for acceptable risks is 2, all the risks for which the calculation of impact and probability results in a value above 2 should be taken to the risk treatment plan, not only those with an impact value above 2.

    That said, after you define the applicable controls and re-ascertain the risk value, you should mention all the results obtained in the risk treatment plan in the SoA, even those that still remain above the value 2.

    For the cases that are above your acceptable risk limit, the justification could be that you accept the risk as it is (the "accept" option is a valid one for risk treatment if you decide to apply no controls), or that the costs and effort to apply additional controls wouldn't be worth it (in the case where the applicable controls do not reduce the risk value to acceptable limits).

    This article will provide you further explanation about risk treatment plan:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
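The triage described in the answer above, as an added example that is not part of the original post or of the Advisera toolkit. The page gives neither the scoring scale nor the formula, so this assumes impact and probability scored 0..2, risk value = impact + probability (multiplication is offered as an alternative), and the question's acceptable limit of 2; the register and control names are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumptions, not from the page: 0..2 scales, sum scoring, limit 2 as in the question.
ACCEPTABLE_LIMIT = 2
Combine = Callable[[int, int], int]


def by_sum(impact: int, probability: int) -> int:
    return impact + probability


def by_product(impact: int, probability: int) -> int:
    return impact * probability


@dataclass
class Risk:
    asset: str
    threat: str
    impact: int
    probability: int
    # Filled in on the Risk treatment sheet once controls are chosen.
    controls: List[str] = field(default_factory=list)
    residual_impact: Optional[int] = None
    residual_probability: Optional[int] = None


def needs_treatment(risk: Risk, limit: int = ACCEPTABLE_LIMIT, combine: Combine = by_sum) -> bool:
    """True when the combined risk value, not the impact alone, exceeds the limit."""
    return combine(risk.impact, risk.probability) > limit


def soa_entry(risk: Risk, limit: int = ACCEPTABLE_LIMIT, combine: Combine = by_sum) -> Dict[str, object]:
    """SoA record for a treated risk: the residual value is recorded whether or not it
    came down to the limit; if it did not, the entry needs a justification (accept the
    risk, or further controls not worth the cost)."""
    residual = combine(risk.residual_impact, risk.residual_probability)
    return {"asset": risk.asset, "threat": risk.threat, "controls": risk.controls,
            "residual": residual, "justification_required": residual > limit}


def triage(register: List[Risk], limit: int = ACCEPTABLE_LIMIT, combine: Combine = by_sum) -> Dict[str, list]:
    """Split a Risk assessment table into risks that stay on the sheet and SoA entries
    for those carried to the Risk treatment plan."""
    treated = [r for r in register if needs_treatment(r, limit, combine)]
    return {"accepted": [r.asset for r in register if r not in treated],
            "soa": [soa_entry(r, limit, combine) for r in treated]}


# Constructed sample register; control names are placeholders.
REGISTER = [
    Risk("Laptop", "Theft", 2, 1, ["Disk encryption"], residual_impact=1, residual_probability=1),
    Risk("Web server", "Malware", 2, 2, ["Patching"], residual_impact=2, residual_probability=1),
    Risk("Printer", "Paper jam", 1, 1),  # value 2: acceptable, stays on the sheet
]
```

The laptop risk has impact 2 but a combined value of 3, so it is treated and lands in the SoA with residual 2; the web server risk stays at residual 3 and is flagged as needing a justification.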
  • Segregation of duties


    Answer: If the number of persons in your organization does not allow you to split responsibilities and duties, you should consider implementing other controls that work as a deterrent to bad behaviour or allow you to detect such situations. As examples I can list video cameras, management supervision, job rotation and system logs.

    This article will provide you further explanation about segregation of duties:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
  • Filling SoA


    Answer: Sure, in the video tutorials that came with your toolkit, you will see for each of the documents, including SoA, how to fill out all the data.
  • Risk value calculation


    Answer: For the purpose of a single risk value calculation, there is no particular technical reason for using sum instead of multiplication, or vice versa. The decision between sum and multiplication will only matter in more complex risk calculation activities involving probability theory, which is not the case here.
  • Asset inventory and risk assessment


    Answer: Actually, the inventory of assets is not needed, especially when companies are implementing the standard for the first time - it is enough to develop a list of assets in the Risk assessment table, and once this is done this list is simply copied to Inventory of assets.

    2 - Also, whenever assets in the Risk Assessment Table are reviewed, the Inventory of Assets table as per the Annexure is reviewed, is that so?

    Answer: Your understanding is correct. Sometimes a risk review identifies assets that were not accounted for, so the inventory of assets should be updated to include these new assets.

    These articles will provide you with further explanation about asset inventory and risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding asset inventory and risk assessment:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/