
  • Filling the risk assessment table


    Answer: Sometimes the protective effect only takes place when several controls are applied together (e.g., for physical protection, implementing a security perimeter without entry controls, or vice versa, does not make much sense). If one fails, the whole protection may be compromised. In cases like this it is enough to put the result on a single row. So, you should assess the effect of all controls implemented for a particular risk to decide how to record them in your Risk Treatment Table.

    By the way, together with the toolkit you have received access to the video tutorial called How to Implement Risk Treatment According to ISO 27001, which explains exactly how this is done - I would recommend you watch this tutorial because it will explain what the standard requires, what options you have, how to fill out the data, etc.
  • Risk treatment options

    If I was to find security risks and vulnerabilities, what type of methods and security configurations would be appropriate to protect and prevent impact to systems?

    According to the results of the Risk Assessment, one or more of the following treatments should be considered:
    - Decrease the risk: implementation of controls to reduce the probability of occurrence and/or the impact of the risk, thus reducing overall risk (e.g., antivirus decreases the probability of getting infected by malware, and backup decreases the impact of data loss)
    - Avoid the risk: stop performing the activity that causes the risk (e.g., ban BYOD because the risks of unauthorized access to the device are too high)
    - Share the risk: transfer the risk to another party (e.g., buy an insurance policy for your house against fire)
    - Retain the risk: accept the risk as it is, because you have no other viable alternative to apply.
    This article will provide you with further explanation about risk treatment:
    - 4 mitigation options in risk treatment according to ISO 27001 http://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    Also, what types of ways can I implement and design ISMS to comply with ISO 27001?

    Generally speaking, you may have three implementation alternatives to consider:
    - Implementation using your own employees: you do not use any external help, only the knowledge and the capacity of your own employees.
    - Using a consultant: you hire an expert from outside the organization who has experience with the implementation
    - Implementation by your own with external support: your employees do most of the implementation, getting help only on specific issues from an external party
    This article will provide you with further explanation about ISMS implementation alternatives:
    - 3 strategies to implement any ISO standard https://advisera.com/articles/3-strategic-options-to-implement-any-iso-standard/
    These materials will also help you regarding risk treatment and ISMS implementation alternatives:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Tools for ISO 27001 risk assessment and internal audits


    Answer: Depending upon the size and complexity of your scope, simple spreadsheets can help you a lot to demonstrate a risk assessment and what you should do to conduct an internal audit. Since you asked what you can use, I suggest you take a look at these free document previews:
    - Risk Assessment Table https://advisera.com/27001academy/documentation/risk-assessment-table/
    - Internal Audit Checklist https://advisera.com/27001academy/documentation/internal-audit-checklist/

    These articles will provide you with further explanation about risk assessment and internal audit:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding risk assessment and internal audit:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Supplier security according to ISO 27001


    Answer: The mentioned guideline refers to ISO 27001 Annex A.15 (Supplier Relationships). You must implement controls related to your suppliers only if:

    1. Your Risk Assessment identified any supplier-related risks your organization considers unacceptable.
    2. Your organization decided to implement supplier controls for any other business reason not related to information security.
    3. Your customers' requirements, or any legal or regulatory requirement, demand that you implement supplier controls.

    If your situation is not in any of these alternatives, you do not need to implement supplier-related controls.

    This article will provide you with further explanation about handling supplier security:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These materials will also help you regarding handling supplier security:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Conducting internal audit for the first time


    I recently completed an internal audit training and this is my first official audit that I will conduct. Can you please guide me what to look at and what kind of questions should I ask?

    Answer:

    First you need to read the standard and understand the requirements related to the processes you are about to audit. Then you need to read all procedures and records from the processes and see if they are compliant with the requirements of the standard. Afterwards you need to formulate questions to be asked during the audit. The questions should provide you with "yes or no" answers, and each question should be related to either a requirement of the standard or an activity within the processes you are auditing. Once you have prepared the checklist and got familiar with the standard requirements and procedures used in the processes, you are ready for the audit.

    Here are some articles about internal audit that might be interesting to you:
    - Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
    - Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
  • Definition of terms


    Answer:

    By control, I assume you think of operational control in ISO 14001. Operational Controls describe specific operations for controlling and managing the activities, processes, products, and services associated with the significant environmental aspects.

    By influence, I assume you think of environmental impact. The definition of environmental impact is change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization’s environmental aspects.

    For more information about terms and definitions within ISO 14001, see: Glossary of Environmental Management Words https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/glossary-of-environmental-management-words/
  • Integrating ISO 9001, ISO 14001 and OHSAS 18001


    Answer:

    The best way to start the integration is to identify common requirements of those three standards and try to meet them through the same documents. This includes a big part of ISO 14001 and ISO 9001 since they now have the same structure and similar requirements. For more information, see Free webinar - How to integrate ISO 9001:2015 and ISO 14001:2015

    OHSAS 18001 still has the old structure that is different from ISO 9001 and ISO 14001, but there are still a lot of common requirements, from policy, objectives and targets, document and record control, internal audit, etc. And all these requirements can be met through the same process. For more information, see: ISO 14001 vs. OHSAS 18001: What is different and what is the same? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/
  • Defining operational controls


    Answer:

    The most important thing with defining operational control is what negative effect you want to prevent. For example, if it is an emission of polluting gases into the air, you will need to put in filters to prevent that, or if you want to prevent wrong disposal of electrical waste such as printer toners, you will sign a contract with a company that disposes of and/or recycles such waste.

    For more information about operational controls, see: Defining and implementing operational control in ISO 14001:2015 https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
  • SMETA Certificate


    Answer:

    The Sedex Members Ethical Trade Audit (SMETA) was developed by the Sedex Associate Auditor Group (AAG). SMETA is designed to reduce duplication of effort in ethical trade auditing, benefiting retailers, consumer brands, and their suppliers. It was developed in response to member demand for an ethical audit report format that could more easily be shared.

    SMETA is not a code of conduct, a new methodology, or a certification process, but describes an audit procedure which is a compilation of good practice in ethical audit technique.

    Unfortunately, we do not have any materials regarding it, since we are focused on ISO and ITIL standards.
  • PIR


    The answer:
    You noticed right, Post Implementation Review (PIR) is a must in case of unsuccessful changes. There is no out-of-the-box solution for how to do it. That depends on, e.g.:
    - company size
    - type of change
    - available resources...etc.

    But, once you define further activities (you mentioned - recommended actions) in order to make things right (i.e. change implementation) and learn the lesson, I see a few things to do:
    - analysis - usually the Change Advisory Board (CAB) will do that. Make minutes and define responsibilities
    - preparation - you will need to make a new attempt. Be sure that something changed from last time (what - well, that depends on your analysis). Define all steps you need to do, take a trial if possible.
    - implementation - when you get to this point, you'll be familiar with the new implementation. Be sure to track all activities (and have all responsibilities defined).
    - review - review the new attempt. If it was a success - compare it to the unsuccessful attempt and look for the difference - that's your lesson learned.

    Read the article "Post Implementation Review – Buzzword, or mighty tool?" https://advisera.com/20000academy/blog/2015/02/03/post-implementation-review-buzzword-or-mighty-tool/ to learn more about PIR.