
  • Determining physical boundaries of the scope


    Answer:

    Physical boundaries of the scope of the EMS need to be determined if you decide to limit your scope to only certain departments or processes in your company and not the entire company. In that case, you need to specify which departments, offices and facilities are included in the scope of the EMS.
  • Internal and external issues for processes


    Answer:

    Internal and external issues don't have to be determined at the process level; they should be determined at the global level for the entire company and QMS. What can be determined for each process are risks and opportunities, and those should be related to the quality of process outputs. For example, you can determine what the risks are for nonconformities to occur in the process, or what the opportunities are to improve the process performance.

    For more information, see:
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
  • Gap analysis for ISO27001 and ISO 22301


    Answer: Although ISO 27001:2013 and ISO 22301:2013 share the same basic structure, based on Annex SL, they have some slight textual differences in chapters 5, 6, 7, 9 and 10, and are totally different in chapter 8, which makes it impractical to use Advisera's Free ISO 27001 Gap Analysis Tool to perform a gap analysis for ISO 22301.

    2 - Can the "ISO 27001/ISO 22301 Internal Audit Toolkit" be used as a GAP analysis as well?

    Answer: In general, an internal audit toolkit can act as a gap analysis tool, because one of its contents is the internal audit checklist. Specifically about the ISO 27001/ISO 22301 Internal Audit Toolkit you mentioned, it has sections dedicated to both ISO 27001 and ISO 22301 requirements (sections 1 and 2, respectively), and you can use these sections to perform a gap analysis regarding an ISMS or BCMS.

    This material will also help you regarding ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27001 Annex A controls and the Statement of Applicability


    Answer: According to ISO 27001:2013, clause 6.1.3.d, all 114 controls described in Annex A must be listed in the SoA. The controls which are not needed, because there are no related risks or requirements of interested parties to justify their implementation, can be marked as not applicable.

    This article will provide you further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding the Statement of Applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Information Security Policy review

    Answer: There is no need to elaborate a new version of the Information Security Policy if there are no changes in the ISMS scope, but you also must consider that other changes in internal or external elements that can affect the ISMS can require an Information Security Policy review, like changes in the organizational context, the purpose of the organization, or the information security objectives. One way to verify this need is through management reviews.

    These articles will provide you further explanation about information security policy review:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

    This material will also help you:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

  • RA and BIA in a single document


    Answer: I assume you are referring to placing the Risk Assessment and Business Impact Analysis in a single document. I would not recommend placing them in a single document for two reasons: the first, as you said, is that both may become large documents by themselves, making a single document impractical to use; the second, and the most relevant reason, is that since they are used in different contexts, and for different purposes, documenting them together would mean that someone accessing one piece of information (RA or BIA) would unnecessarily have access to the other, increasing the risk of unauthorized information disclosure.

    This article will provide you further explanation about risk assessment and business impact analysis:

    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    These materials will also help you:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • FFIEC business continuity Planning and ISO framework


    Answer: The Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning (BCP) and ISO 22301 have many similarities at a high level. For example, both cover business impact analysis, risk management, business continuity planning, incident response, and other topics. But while ISO 22301 focuses on requirements for the establishment, implementation, maintenance and improvement of a Business Continuity Management System, the FFIEC focuses on providing guidance both on evaluating risk management processes to ensure the availability of critical financial services and on the implementation of their business continuity planning processes. You may think of them as complementary material for the development of a robust business continuity infrastructure.

    This material will also help you regarding ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Assets grouping and mapping of controls


    Answer: ISO 27001:2013 leaves you free to use any methods you consider proper to assess information security risks as long as they meet clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks as long as they are in a similar environment (in the case of your set of assets, the similar environment is the offices). Another example of this approach you can think about is assessing risks for servers and network equipment in multiple data centers. The only point you have to pay attention to is when recording this set of assets in your inventory. You will have to make sure that from the "set of assets" registry you can identify all the assets that form that set, so in the event the set changes you can identify the need for a risk assessment review.

    2 - Secondly given these common risks, vulns and likely existing controls is it the expectation that we map all ISO controls into the risk assessment process or that some will not be mapped but still implemented?

    Answer: During your risk assessment you might not identify some controls as necessary, but they may be implemented even though there are no related risks, for other reasons like: requirements of interested parties; they are related to other management systems (e.g., ISO 14001); or simply because they are considered good practice. In these situations, those controls are not going to be displayed in the Risk treatment process, but they will be displayed in the SoA, referring to those reasons.

    This article will provide you further explanation about documentation development:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding asset management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Asset inventory question


    Answer: For risk assessment it is enough to have a generic asset class "employee laptops", and list threats and vulnerabilities for this single asset. If you already have a comprehensive list of laptops, this is something you can do, but this is not mandatory according to ISO 27001.

    Now regarding processes, do I have to include a process like "transferring data from Server A to Server B" - Such a process is very important for the organisation.

    Answer: If you use asset-based risk assessment, then listing processes is not needed - basically all this data that you are transferring is already covered in the risk assessment as assets, so you don't need to duplicate them. The focus of information security is protecting the information, not protecting the processes.

    These materials will also help you with risk assessment:
    - article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Achieving ISO 14001 certificate


    Answer:

    In order to achieve the ISO 14001 certificate you need to implement the standard first and then hire a certification body to conduct the certification audit and issue your company the certificate.

    The implementation consists of two main phases. First you need to develop the EMS (Environmental Management System) documentation, which includes the mandatory documents prescribed by ISO 14001 and other documents that you find necessary for operating your EMS. For more information about mandatory documents, see:
    - List of mandatory documents required by ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/

    The second part of the implementation is to update your processes and activities and align them with the requirements of ISO 14001 and the documentation you developed. For more details about implementation steps, see:
    - List of ISO 14001 implementation steps https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/