Answer: If the number of persons in your organization does not allow you to split responsibilities and duties, you should consider the implementation of other controls that work as a deterrent to bad behaviour or allow you to detect such situations. As examples I can list video cameras, management supervision, job rotation and system logs.
Answer: Sure, in the video tutorials that came with your toolkit, you will see for each of the documents, including SoA, how to fill out all the data.
Risk value calculation
Answer: For the purpose of a single risk value calculation, there is no particular technical reason for using sum instead of multiplication, and vice versa, to calculate risk value. The decision for sum or multiplication will only matter in more complex risk calculation activities, involving probabilistic theories, which is not the case.
Asset inventory and risk assessment
Answer: Actually, the inventory of assets is not needed, especially when companies are implementing the standard for the first time - it is enough to develop a list of assets in the Risk assessment table, and once this is done this list is simply copied to Inventory of assets.
2 - Also, whenever ASSETS in the RISK ASSESSMENT TABLE are reviewed, the INVENTORY OF ASSETS TABLE as per the Annexure is reviewed as well, is that so?
Answer: Your understanding is correct. Sometimes a risk review identifies assets that were not accounted for, so the inventory of assets should be updated to include these new assets.
Answer: After an introductory training, you should consider specific training covering controls according to the risk owners' responsibilities (e.g., controls from section A.7, HR security, for the HR department; controls from section A.12, operations security, for the IT department, etc.). This way, in some cases you will reduce the number of controls to be detailed, focusing only on those that are relevant for them.
But you should also note that according to the standard, the main responsibility of the risk owner is to approve the information security risk treatment plan and accept the residual information security risks, not to directly choose controls. Sometimes, depending upon the size and maturity of the organization, the best course of action is to have someone with expert knowledge in information security who can help the risk owners make better decisions regarding the controls to be applied (some organizations call them CSOs, or CISOs).
2) Please clarify, if whole RISK MANAGEMENT in ISO 27001 is roughly bifurcated into PLANNING and IMPLEMENTATION phases then can we say that RISK ASSESSMENT, RISK TREATMENT, RISK ASSESSMENT REPORT, SOA and RESIDUAL RISK SHEET documents fall in PLANNING phase whereas RISK TREATMENT PLAN is for IMPLEMENTATION phase?
Answer: Your assumption is partially right. Although it is not explicit anymore, ISO 27001 still follows a PDCA cycle, and some elements play different roles in different phases. All the documents you listed are outputs of the planning phase, and the risk treatment plan is an input for the implementation phase. But you should also note that they are inputs for the Performance evaluation described in clause 9 of the standard (they provide the targets you will use to compare whether your results are OK or need adjustments), and outputs from the Improvement step described in clause 10 (management decisions can demand updates in all of them).
Answer: Your understanding is correct. The process uses this copy-paste activity so that in the risk treatment table you can concentrate on the most needed information: the risks considered unacceptable in the Risk assessment table, and the adopted treatment options.
2 - Additionally, the risk treatment table requires you to set values after treatment, but how can I already do that before having a detailed plan with exact measures?
Answer: These values you set in the after treatment columns are what you expect to achieve after controls implementation. They will help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify if these values were achieved or if your implementation needs adjustments.
1- Are any of these documents filled and maintained in parallel? Or do they have to be filled strictly in sequence i.e. RISK TREATMENT TABLE then SoA then ACCEPTANCE OF RESIDUAL RISK then RISK TREATMENT PLAN etc.
Answer: Considering the risk of rework, you could fill in the risk treatment table and the risk treatment plan in parallel. The advantage of filling them in parallel is that when presenting information for acceptance of residual risk, you can have more detailed information about risk treatments, and this can facilitate the decision on accepting the residual risks and speed up your process. The disadvantage is that if the residual risk value is not accepted you will lose all the effort and time you allocated. To minimize this risk I would suggest you ask risk owners what information they would need to make their decision regarding residual risk, and when elaborating the risk treatment plan you start only with a general overview of the solution, focusing on what is to be delivered instead of what is to be done.
This material can provide you information on how to prepare a general overview of a risk treatment plan:
2 - How can we comment upon “after treatment figures of likelihood and severity of risk” in RISK TREATMENT TABLE without ascertaining the method of control implementation as per SoA and without creating a RISK TREATMENT PLAN in parallel to assign cost and resources?
Answer: These values you set in the after treatment columns are what you expect to achieve after controls implementation. They will just help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify if these values were achieved or if your implementation needs adjustments.
3- Can a single example case be shared in which this complete set of documents was filled from start till end?
Answer: Sure, if you watch the video tutorials that came with your toolkits, you will see for each of the documents (e.g. for Risk treatment table, for Risk treatment plan) how to fill out all the data.
ISO 9001 internal auditor in health care domain
I would be grateful if you can provide me an insight into the role of a healthcare professional having 15 years of domain knowledge experience and carrying a PMP and Certified Lean Six Sigma Greenbelt certifications and a Certified Coding Professional certification:
1. What is the primary role of an ISO:9001 auditor in hospitals/healthcare organizations?
The role of the internal auditor is the same as in any other type of business: to conduct internal audits and report on the audit results.
2. What are the roles that can be shouldered with an ISO:9001 auditing certification?
Having an internal auditor certificate will demonstrate that you are familiar with the ISO 9001 standard requirements and competent to conduct internal audits. This means that you can be the management representative for the QMS or the Quality Manager. Basically, you can do any activity related to ISO 9001 except conducting certification audits. For more information, see: What is the job of the Quality Manager according to ISO 9001? https://advisera.com/9001academy/blog/2016/08/23/what-is-the-job-of-the-quality-manager-according-to-iso9001/
3. What are the employment prospects and benefits of having an ISO:9001 auditing certification?
As I mentioned above, with an ISO 9001 auditing certificate you can be in charge of any activity within the QMS. It is usually an addition to the existing job position, but in many cases it can be a separate job, e.g. Quality Manager, especially in bigger companies.
4. How would this role face competition with peers who have compliance certifications in healthcare?
Our ISO 9001 internal auditor course is accredited by a third party, so it has credibility; it is in line with other accredited ISO 9001 internal audit certificates.
I would sincerely appreciate your reply and this would certainly enable me to resolve my conflicts that I have with ISO:9001 auditor certification.
Documenting EMS scope
Answer:
ISO 14001 does not require organizations to develop a procedure for determining the scope of the EMS (Environmental Management System); however, it requires organizations to document it. The scope can be documented within the EMS Manual or as a separate document. Such a document should contain information about all locations, processes, and products and services covered by the scope of the EMS.