Answer: Unfortunately we do not have this kind of material in our toolbox, but the RiskIT framework material provided by ISACA, in Appendix 2, has a high-level comparison with other risk management standards and frameworks, including ISO 27005. To download this material you only have to have a site login, which you can obtain free of charge. What I can inform you without incurring an Intellectual Property Rights violation is that the ISO 27005 processes (risk analysis, identification, estimation, and evaluation) are covered by the RiskIT process RE2 (Analyse Risk), but since RiskIT is a more specific framework, it has a deeper level of detail than ISO 27005.
Certification audit findings
I am confused about that. I have seen many report samples on Google but every one is different from the others. Should I submit the stage 1 report with a mention of all nonconformities and their corrective actions, or should I just submit a list of what I found, whether it was negative or positive?
Answer: During both stages of the certification audit, the auditor can find minor and major nonconformities and observations. If you found any nonconformity during the 1st stage audit, you should write it in your report, but you shouldn't write corrective actions, because it is up to the organization to decide what kind of corrective action it will take to address the nonconformity.
Answer: External audit phase 1 verifies whether your documentation (e.g., policies and procedures) complies with the ISO 27001:2013 mandatory requirements (e.g., is there an information security policy?), so you have to verify that you meet all "must" statements presented in the standard. Phase 2 looks for evidence that the procedures are implemented and achieving the expected results. The main checklists you have are the Statement of Applicability, where all the controls considered relevant are listed, and the Risk Treatment Plan, which lists how they are implemented. From there you will find which documents and records you have to present to the auditor.
I mean our company just develops and deploys our software in the cloud and gives access to our different customers. We are NOT a cloud hosting company like xxx or xxx.
Answer: As you said, you provide the SaaS service to your customers; it does not matter if you use a third-party infrastructure to do that. If their contractual relationship is with you, any problem your customers have that is caused by the cloud service provider you selected, they will charge to you. So, I would recommend that you implement both ISO 27017 and ISO 27018, so you have the means to ensure that the cloud service provider you use to provide your SaaS service properly protects both its cloud infrastructure and your customers' data.
Answer: An interesting question. In Article 4, definitions, at no point does the regulation mention the type of media that contains the information. The definitions cover what is done with the information. So, in a broader sense, the EU GDPR is applicable to physical data. You may note that when data is not in transit it is stored in some physical place, e.g., a server or a backup medium, that must be protected properly.
2 - What does the EU GDPR say about channels like cloud, mobile?
Answer: The EU GDPR does not make reference to specific technologies (when they are referred to, the term used is only "technology" or "technologies"). Thus, for the EU GDPR, it does not matter where information travels or by what means it is processed. If you deal with personal information of EU citizens, the EU GDPR applies.
These articles will provide you with further explanation about the EU GDPR:
- What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/articles/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
Management Representative in ISO 27001:2013
There is no universal rule about which role should be in a higher position (e.g., both can answer to top management, the CISO may answer to the MR, both can answer to other different roles in the organization, etc.), so you have to evaluate your organizational context to define which case is more adequate for your organization.
Regarding the elaboration of policies and procedures, both roles are required to have competency in elaborating policies and procedures, with the CISO specialized in information security requirements and the MR specialized in management system requirements (in an ISMS with no MR, the CISO has to cover both information security and management system requirements).
As for documentation approval, generally policies and procedures which have an overall impact on the organization are approved by top management (e.g., quality policy, information security policy, procedure for control of documents and records, etc.), specific information security related policies and procedures are approved by the CISO, and other policies and procedures are approved by the MR.
The standard requires the documents to be available at the place of application, so the approved versions of procedures, work instructions and records must be available where they are needed. The original or approved version of a document can be kept in the library, but copies must be distributed to the place of application.
This requirement raises many other issues, such as availability of the right version of the documents, and withdrawal, update and distribution of the documents and records. For that reason, the standard defines all these activities, and for every document there should be information about the valid version as well as a distribution list, so that when the document is updated the company knows where the documents are that need to be withdrawn and replaced with new ones.
ISO 27001 Internal auditor course vs Lead auditor course
Answer: Certainly, if you finish the Internal auditor course, it will be easier for you to finish the Lead auditor course, because the Internal auditor course is a "mini" version of the Lead auditor course. Other than this, I don't think you need any other preparation.
The standard requires organizations to determine the knowledge necessary for operating processes and achieving conformity of products and services. This includes necessary work instructions and other documents needed for operating processes, but also the competence level of employees. Another requirement is to make the knowledge available where necessary, and this can be addressed by providing those work instructions at the place of application.
Since the requirements regarding this clause are very vague, the auditor cannot require a documented procedure or anything of that sort; the company itself can decide how the knowledge will be defined, maintained and updated. The best the auditor can do is to interview the Quality Manager and talk about the clause and how it is met.