In order to pass the external audit, you need to conform to the requirements of ISO 9001:2015. This means that you need to have all mandatory documents and to conduct all activities required by the standard, from evaluation of suppliers and measuring customer satisfaction to internal audit and management review. Here is one article that can help you prepare for the certification audit: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
Does an internal auditor need to have a certificate?
Answer: You will need a certificate showing that you have passed the internal auditor course if:
1) Your company goes for ISO certification - in that case the certification auditor will ask the internal auditor to prove his knowledge of the standard and his skills in internal auditing.
2) Your company is required by legislation to have a certified internal auditor.
3) You want to prove to your management that you are prepared for this job.
If none of these three points apply to you, then it is not necessary to have an internal auditor certificate.
Risk treatment plan and SoA
Answer: Sure, in the video tutorials that came with your toolkit, there is one about how to write the ISO 27001 Statement of Applicability that will help you fill out all the data.
2 - Also please clarify: Does only the risk with an impact number above 2 get carried forward to the next level? E.g. if we start off from the Risk assessment table and we have a risk with impact 2 and another with impact 4, this means the risk with impact 2 stays on this sheet whereas the one with impact 4 is taken to the Risk treatment sheet. Then on the Risk treatment sheet we ascertain control(s) for it and re-ascertain the level after controls, and if the impact now becomes 2 we will conclude the effort here and also mention it in the SoA only. And if the level becomes 3 or remains 4, we will take it further to the SoA, then mention it in the Residual risk sheet and plan for its treatment in the Risk Treatment plan? Is that so?
Answer: Considering that your limit value for acceptable risks is 2, all the risks for which the calculation of impact and probability results in a value above 2 should be taken to the risk treatment plan, not only those with an impact value above 2.
That said, after you define the applicable controls and re-ascertain the risk value, you should mention all the results obtained in the risk treatment plan in the SoA, even those that still remain above the value 2.
For the cases that are above your acceptable risk limit, justifications could be that you accept the risk as it is (the "accept" option is a valid one for risk treatment if you decide to apply no controls), or that the costs and effort to apply additional controls wouldn't be worth it (in the case the applicable controls do not reduce the risk value to acceptable limits).
Answer: If the number of persons in your organization does not allow you to split responsibilities and duties, you should consider the implementation of other controls that work as a deterrent to bad behaviour or allow you to detect such situations. As examples I can list video cameras, management supervision, job rotation and system logs.
Answer: Sure, in the video tutorials that came with your toolkit, you will see, for each of the documents, including the SoA, how to fill out all the data.
Risk value calculation
Answer: For the purpose of a single risk value calculation, there is no particular technical reason for using sum instead of multiplication, or vice versa, to calculate the risk value. The decision between sum and multiplication will only matter in more complex risk calculation activities involving probabilistic theories, which is not the case here.
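Worked model of the spreadsheet flow discussed in the risk treatment answer above (risk assessment table to risk treatment sheet, then SoA and residual risks) with the sum-versus-product choice from this answer as a parameter. This is an added example, not code from Advisera's toolkit; it assumes impact and probability are each rated 0 to 2, that 2 is the acceptable risk limit, and the control ids and sample register are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ACCEPTABLE_LIMIT = 2   # assumption: a risk value of 2 or below is acceptable
SCALE = range(0, 3)    # assumption: impact and probability are each rated 0, 1 or 2

@dataclass
class Risk:
    asset: str
    threat: str
    impact: int
    probability: int
    controls: list = field(default_factory=list)  # Annex A controls chosen for treatment
    impact_after: Optional[int] = None            # expected impact after controls
    probability_after: Optional[int] = None       # expected probability after controls
    justification: str = ""                       # needed if the residual risk stays above the limit

def risk_value(impact: int, probability: int, method: str = "sum") -> int:
    """Single-value risk calculation; 'sum' and 'product' are both accepted conventions."""
    if impact not in SCALE or probability not in SCALE:
        raise ValueError("impact and probability must be on the agreed scale")
    return impact + probability if method == "sum" else impact * probability

def risk_treatment_table(register: list, method: str = "sum") -> list:
    """Rows carried from the assessment table: only risks above the acceptable limit."""
    return [r for r in register
            if risk_value(r.impact, r.probability, method) > ACCEPTABLE_LIMIT]

def residual_risks(treatment_table: list, method: str = "sum") -> list:
    """Risks still above the limit after controls; each needs a documented justification."""
    out = []
    for r in treatment_table:
        if r.impact_after is None or r.probability_after is None:
            raise ValueError(f"{r.asset}/{r.threat}: after-treatment values not set")
        if risk_value(r.impact_after, r.probability_after, method) > ACCEPTABLE_LIMIT:
            if not r.justification:
                raise ValueError(f"{r.asset}/{r.threat}: residual risk needs a justification")
            out.append(r)
    return out

def soa_controls(treatment_table: list) -> set:
    """Every selected control is applicable in the SoA, whether or not the residual risk is acceptable."""
    return {c for r in treatment_table for c in r.controls}

# Constructed sample register for illustration, not real assessment data
REGISTER = [
    Risk("Laptop", "Theft", 1, 1),                               # value 2: stays in the assessment table
    Risk("HR database", "Unauthorised access", 2, 2,
         ["A.9.2.3", "A.12.4.1"], 1, 1),                         # 4 -> 2: treated, recorded in SoA only
    Risk("Mail server", "Ransomware", 2, 2, ["A.12.2.1"], 2, 1,
         "Accepted by management: further controls not cost effective"),  # 4 -> 3: residual risk
]
```

Switching `method` to "product" changes which rows cross the limit (1 x 2 = 2 is acceptable, 1 + 2 = 3 is not), which is why the scale and the formula should be fixed in the methodology before the table is filled in.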
Asset inventory and risk assessment
Answer: Actually, the inventory of assets is not needed, especially when companies are implementing the standard for the first time - it is enough to develop a list of assets in the Risk assessment table, and once this is done, this list is simply copied to the Inventory of assets.
2 - Also, whenever ASSETS in the RISK ASSESSMENT TABLE are reviewed, the INVENTORY OF ASSETS TABLE as per the Annexure is reviewed, is that so?
Answer: Your understanding is correct. Sometimes a risk review identifies assets that were not accounted for, so the inventory of assets should be updated to include these new assets.
Answer: After an introductory training, you should consider specific training covering controls according to the risk owners' responsibilities (e.g., controls from section A.7, HR security, for the HR department, controls from section A.12, operations security, for the IT department, etc.). This way, in some cases you will reduce the number of controls to be detailed, focusing only on those that are relevant for them.
But you should also note that, according to the standard, the main responsibility of the risk owner is to approve the information security risk treatment plan and accept the residual information security risks, not to directly choose controls. Sometimes, depending upon the size and maturity of the organization, the best course of action is to have someone with expert knowledge in information security who can help the risk owners make better decisions regarding the controls to be applied (some organizations call them CSOs, or CISOs).
2) Please clarify: if the whole of RISK MANAGEMENT in ISO 27001 is roughly bifurcated into PLANNING and IMPLEMENTATION phases, then can we say that the RISK ASSESSMENT, RISK TREATMENT, RISK ASSESSMENT REPORT, SOA and RESIDUAL RISK SHEET documents fall in the PLANNING phase whereas the RISK TREATMENT PLAN is for the IMPLEMENTATION phase?
Answer: Your assumption is partially right. Although it is not explicit anymore, ISO 27001 still follows a PDCA cycle, and some elements play different roles in different phases. All the documents you listed are outputs of the planning phase, and the risk treatment plan is an input for the implementation phase. But you should also note that they are inputs for the Performance evaluation described in clause 9 of the standard (they provide the targets you will use to compare whether your results are OK or need adjustments), and outputs from the Improvement step described in clause 10 (management decisions can demand updates in all of them).
Answer: Your understanding is correct. The process uses this copy-paste activity so that in the risk treatment table you can concentrate on the most needed information: the risks considered unacceptable in the Risk assessment table, and the adopted treatment options.
2 - Additionally, the risk treatment table requires setting values after treatment, but how can I already do that before having a detailed plan with exact measures?
Answer: The values you set in the after-treatment columns are what you expect to achieve after controls implementation. They will help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify whether these values were achieved or whether your implementation needs adjustments.