
  • Risk assessment in OHSAS 18001 and ISO 9001

    Thx
  • Performing Risk Assessment and Treatment


    Answer: I assume you are referring to the Risk Assessment Table and the criteria provided in the Risk Assessment and Treatment Methodology document. The existing controls have to be taken into account when determining the total risk, and they must be recorded in the "Existing Controls" column of the Risk Assessment Table.

    2 - For example, if I do consider existing controls and assume they are good enough so that when combined with impact the total risk is 0, 1, or 2 – which I have defined as acceptable – would I have to write anything in “Means of implementation” on the Risk Treatment Table?

    Answer: If a risk you identified in the Risk Assessment Table already has a control implemented to treat it, you would only have to include it in the Risk Treatment Table if the existing control needs to be improved. Otherwise, you can keep the record only in the Risk Assessment Table.

    3 - If the existing control that I have judged to be strong is a control that directly matches a control in the ISO Appendix A, do I say on the Statement of Applicability that it is applicable?

    Answer: Yes, if you can match the implemented control with a control in the ISO 27001 Appendix A, you can state that that control is applicable in the Statement of Applicability.

    4 - Do my questions make sense?

    Answer: Yes, your questions all make sense, and your perception of what should be done is right. :)

    These materials will also help you in performing the risk assessment and treatment:

    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Continuing Professional Education (CPE) and ISO 27001


    Answer: The total CPE points you will earn after completing an ISO 27001 educational activity will depend upon the duration of the activity you attended (e.g., lead auditor training course, lead implementer training course, ISO 27001 workshops, etc.). The general rule is that you will get one CPE point for each hour of learning activity, but you have to check the CPE earning rules used by the organization to which you will report the activity.

    These articles will provide you with further explanation about some ISO 27001 educational activities:

    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • Documenting the control A.17.1.2


    Answer: ISO 27001:2013 in its Annex A has control A.17.1.2 which says "organization shall ... document ... procedures ... to ensure the required level of continuity".

    By the way, in the article you're referring to we have said "Please note that documents from Annex A are mandatory only if there are risks which would require their implementation." - this means that control A.17.1.2 needs to be applied (and documented) only if it is applicable according to the results of the risk assessment.

    These materials will also help you regarding business continuity and information security:
    - article How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - webinar ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
  • PCI DSS documents and standards


    Answer: PCI DSS documents and standards can be found on PCI's Document Library page (https://www.pcisecuritystandards.org/document_library). On this page you can find specifications, tools and other resources to help you securely handle cardholder information.

    2) Do we need to purchase it?

    Answer: PCI DSS standards are free of charge, but you have to accept a license agreement in order to download them. Other PCI DSS related documents (e.g., supporting documents, reporting templates and FAQs) you can download normally.

    These articles will provide you with further explanation about PCI DSS:

    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences - https://advisera.com/27001academy/knowledgebase/pci-dss/
    - PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification - https://advisera.com/27001academy/knowledgebase/pci-dss/
  • Implementing ISO 27001 policies


    Answer: I assume you are referring to the Information Security Policy. Like other policies, a successful information security policy implementation involves properly aligning it with your needs (e.g., requirements and objectives), writing it in a clear and understandable way, and ensuring it is communicated to, and understood by, all who need to follow it.

    This article will provide you with further explanation about policy implementation: Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    These materials will also help you regarding policy implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Good Documentation Practice - GDocP


    But I cannot find a direct link to them. Is this a completely separate thing from ISO? Does a separate body do the auditing and registration for this?

    Answer:

    Good documentation practice (commonly abbreviated GDP, recommended to abbreviate as GDocP to distinguish it from "good distribution practice", also abbreviated GDP) is a term in the pharmaceutical industry that describes standards by which documents are created and maintained. GDocP has a lot of requirements similar to ISO 9001, but it has a lot of additional requirements, and ISO 9001 would not be enough to cover GDocP.

    GDocP is published by the FDA (U.S. Food and Drug Administration) and the WHO (World Health Organization) and it is not related to ISO, so other independent bodies conduct the audits, and they are called GMP regulators.
  • SOP for threats and vulnerability assessment


    Answer: In ISO 27001 implementation, the procedure for implementing threats and vulnerabilities assessment (together with the rest of risk assessment) is usually written in the Risk assessment methodology - you can see a sample here: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    You'll find these articles also useful:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Why are some documents mandatory?


    Answer: I assume you're referring to controls A.8.1.1 and A.8.2.1 - ISO 27001 defines what must be documented by saying "documented" or some similar expression. In the case of A.8.1.1 it says "... an inventory of these assets shall be drawn up..." whereas A.8.2.1 doesn't say anything about documenting.

    This article will provide you with further explanation: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/