Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Auditing ISO 9001 and ISO 27001
Answer:
Auditing of ISO 9001 and ISO 27001 can be done according to the same procedure since the requirements for planning and conducting the audit are the same as well as the records needed to meet requirements of both standards. The only thing that is different is the audit criteria, in first case it is ISO 9001 and in the other it s ISO 27001.
For more information, see: How to integrate ISO 9001 and ISO 27001 https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/ -
Implementing ISO 9001 and ISO 14001 and getting the employees on board
2. HOW TO OVERCOME WITH IMPLEMENTATION PROCESS OF ISO FROM NEGATIVE NOTION OF THE EMPLOYEES WHOP ARE OVER BUR DON WITH WORK.
Answer:
1. The best way to start implementing integrated management system according to ISO 9001 and ISO 14001 is by identifying common requirements of both standards and incorporating those findings into the project plan for the implementation. This way you will save the time and effort, avoid doubling the steps or missing something out. For more information, see: How to integrate ISO 14001 and ISO 9001 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
2. Employees often resist to changes and this often happen when implementing standard. You will need to explain them that the standards will benefit the company and the additional tasks won't be so numerous. If you manage to implement the standard in a way that is most adequate to your compa ny, the standards won't represent a bureaucratic burden but a powerful tool that will help you improve the company. For more information, see: What are the benefits of ISO 9001 for your employees? https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/ -
Preventive Action
Yes, you can still use the preventive actions as a part of the QMS but they will be redundant since you will have a new process for addressing risks and opportunities. -
ISMS scope for a Hospital
Answer:
If you can protect the patient data, you can include it in your scope, but you can also identify what areas, processes, information systems, etc. that are related to this information, For example, the information is stored in a server? Human Resources area has information about employees involved in the treatment of information?
Basically you should define the scope as information, systems, processes, areas, etc. but not in terms of controls.
This article can help you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
And to avoid problems defining the scope, this article can be also interesting for you “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Finally, these materials will help you to know more about the scope:
- free online training I SO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
ISO 27017/ISO 27018 Implementation
Answer:
You are right, I mean, you can certify ISO 27001 for a limited scope of your organization, and you can exclude, for example, the cloud environment. But, if you have implemented ISO 27017/2018, which is simply a code of best practices with specific controls related to the cloud, it is very easy to extend the scope of the ISO 27001 to the cloud environment, because these standards only include some new security controls. So, in this case, our recommendation would be to extend the scope of the ISO 27001 to the cloud environment.
Regarding your second question, there are some certification bodies offering certifies against ISO 27017/27018, although are not regular certificates like ISO 27001, ISO 9001, etc.
These articles can be interesting for you:
“ISO 27001 vs. ISO 27017 - Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
“ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud” : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
“Resolving cloud security concerns by defining clear responsibilities according to ISO 27017” : https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
Finally, these materials will help you to know more about the ISO 27001:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Cloud Service Provider assessment considerations
Answer:
One of the most useful CSA's resources is the Cloud Controls Matrix, currently on version 3.0.1. It is a mapping of CSA recommended practices to the most known standards and regulations regarding information protection. Considering ISO standards, this matrix maps CSA practices to:
ISO/IEC 27001:2013 (information security management)
ISO/IEC 27002:2013 (information security practices)
ISO/IEC 27017:2015 (information security in cloud environments)
ISO/IEC 270018:2015 (protection of PII)
So, if someone whishes to create a vendor assessment guideline alignend with CSA practices, he can use the Cloud Controls Matrix to identify which CSA recommendations are mapped to supplier management practices from ISO 27001 (items marked with A.15.x.x) and ISO 27002 (items marked with 15.x.x), and choose those that are best fit for his organization. He also can use the same method to align his guideline to ISO 27017 (s ecurity in cloud services) and ISO 27018 (protection of PII).
The Cloud Controls Matrix can be found in this link: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ -
Policies vs. Procedures
Answer:
Policies are clear, simple statements of how your organisation intends to conduct its services, actions or business. They provide a set of guiding principles to help with decision making. Policies don't need to be long or complicated – a couple of sentences may be all you need for each policy area.
Procedures describe how each policy will be put into action in your organisation. Each procedure should outline:
- Who will do what
- What steps they need to take
- Which forms or documents to use.
Procedures might just be a few bullet points or instructions. Sometimes they work well as forms, checklists, instructions or flowcharts.
Policies and their accompanying procedures will vary b etween workplaces because they reflect the values, approaches and commitments of a specific organisation and its culture. But they share the same role in guiding your organisation.
In terms of ISO 9001 it is more common to write a procedure for HR, Biomedical Engineering, IT, Purchasing and Warehouses, and so forth because they fit better with the attributes of a procedure mentioned above.
For more information, see:
- How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/ -
Mapping all controls with risks
Answer:
No. First of all, most companies won't have risks related to every control, which means that most companies won't find all controls applicable - see this article which explains that logic: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Second, you might find some controls applicable even though there are no related risks: there are cases when you have to comply with some laws or regulations - e.g. applying encryption - even though the risk assessment does not show any related risks.
By the way, this article will explain you how this applicability is documented: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ -
Asset value
Answer:
Basically the asset value is the same that the impact value, and can be calculated as an assessment of impact of loss of confidentiality, integrity and availability of information.
This article can be interesting for you “How to assess consequences and likelihood in ISO 27001 risk analysis” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
And also this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
Finally, these materials will help you to know more about the assets value and the calculation of risks:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Gu ide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/