Answer: When dealing with external suppliers, you should ensure security clauses are included in the service agreement or contract, so you have a legal basis in case of complaints or disputes. The other point is that you have to ensure the policies, procedures and controls implemented on the supplier's processes are aligned with those of your organization, or at least ensure a security level your organization considers acceptable.
ISO 27001 implementation and certification and ISO 9001
Answer: Roughly speaking, the ISO 27001 implementation steps can be summarized as: 1) getting management buy-in for the project; 2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure) by understanding the organizational context and the requirements of interested parties; 3) developing the risk assessment and treatment methodology; 4) performing the risk assessment and defining the risk treatment plan; 5) implementing controls (e.g., documenting policies and procedures, acquisitions, etc.); 6) training people and raising awareness; 7) operating the controls; 8) monitoring and measuring performance; 9) performing the internal audit; 10) performing a critical management review; and 11) addressing nonconformities, corrective actions and opportunities for improvement.
This article will provide you with further explanation about ISMS implementation:
- ISO 27001 implementation checklist advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding integration with an ISO 9001 QMS, after the release of Annex SL and the new versions of ISO 9001:2015 and ISO 27001:2015, integrating both standards became a much easier task. Since your question refers to ISO 9001:2008, I suggest you first consider a gap analysis between ISO 9001:2008 and ISO 9001:2015. This way you ensure your QMS will be ready when the transition period is over (this will happen in September 2018), and your QMS will be prepared for most of the clauses also required by ISO 27001, like documented information control, internal audit, and the treatment of nonconformities and corrective actions.
Answer: In a general manner, risk standards cover, at different levels of detail, these steps listed in ISO 31000: context establishment, risk identification, risk analysis, risk evaluation and risk treatment.
While ISO 31000 is more focused on the general risk management structure (it does not define specific methods, although you can find examples in ISO 31010), OCTAVE focuses on risk management at a strategic and planning level, and FAIR addresses security practice weaknesses. Another risk management framework I can tell you about is the one used by NIST (National Institute of Standards and Technology). Documents SP 800-30 and SP 800-37 are focused on helping implementation in US federal systems, presenting a great level of detail regarding risk levels, and security and assurance controls.
Implementing COBIT 5 and ISO 27001 together is not a mandatory requirement of the ISO standard, but COBIT practices provide a good framework to guide IT processes and make information security implementation easier.
This article will provide you with further explanation about COBIT and ISO 27001:
Answer: Clause 6.1.3 f) of ISO 27001 requires risk owners to accept the residual risks; therefore, you need to identify the residual risks and evaluate the level of those residual risks.
Since the QMR (Quality Management Representative) is no longer a mandatory function in ISO 9001:2015, the QMR must be qualified for the roles and responsibilities assigned to him. In most cases, the QMR is responsible for maintaining the system, conducting internal audits and reporting to top management; therefore, he must be familiar with the requirements of the standard and with auditing techniques, although the standard does not require any formal education or certificate for the QMR. For gaining these competences, please see our free online courses regarding ISO 9001:2015:
- ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
2. Must the QMR attend a training course specifically for the QMR? Is it recommended?
All the QMR needs is to get familiar with the requirements of the standard; this can be achieved with Internal Auditor training or QMR training.
3. Must the QMR have good language skills, especially fluency in English?
The QMR must speak the language used in the company where he works; he doesn't have to speak English if it is not the official language in the company.
4. Must the QMR read through and understand all the Quality Manuals, standard procedures and other working instructions?
Answer: The best help you can expect from consultants is the experience they have with situations regarding ISO 27001 implementation, which will be reflected in less time needed for the implementation, and less rework regarding the choice among control alternatives.
Answer: Internal audits are not so different from certification audits. You have to perform a compliance verification of the documentation, regarding compliance with the ISO 27001 standard and other relevant requirements defined by the organization, and verify evidence that the required processes and controls are implemented and delivering the expected results. From this information you will conclude on the compliance of the audited process and identify the nonconformities to be treated.
3) How do we know if we are building the right system and not just certificate compliance?
Answer: To build a system that will add value to an organization, you must ensure its alignment with the main organizational concerns about information security, as well as the concerns of other interested parties (e.g., customers, suppliers, workforce, etc.). You can evidence this alignment through the system's scope and objectives.
4) Time planning needed when we as the client support the consultant in ISMS implementation.
Answer: Talking about time planning is a bit complicated, because every implementation is unique in terms of the scope and the resources available. It is more convenient to plan considering the deliverables a consultant has to deliver to ensure a successful implementation, such as procedures, policies, controls and training.
Answer: The EU GDPR will only come into force on 25 May 2018, so until this moment there are no companies penalized for not being in compliance with it. Regarding penalties, depending on the situation, the penalties may vary from 2% up to 4% of total worldwide annual turnover of the preceding financial year.
2 - I want to know what the impact of the EU GDPR is on India-based companies operating in the EU?
Answer: All organizations that handle personal data from EU citizens, even those not established in the EU, will need to be compliant with the EU GDPR if they want to provide goods and services in the EU or to EU citizens.
3 - How will Privacy Shield work in parallel with this?
Answer: The EU-U.S. Privacy Shield is more of a U.S.-EU initiative to help companies outside the EU to be compliant with the EU GDPR, so on many points, by adhering to the Privacy Shield an organization will be compliant with the EU GDPR. But both the content and the approval of the Privacy Shield are a point of discussion, so the suggested alternative is to get legal support to identify where these frameworks may differ, in order to take proper measures.