  • ISMS scope for a Hospital


    Answer:
    If you can protect the patient data, you can include it in your scope, but you can also identify the areas, processes, information systems, etc. that are related to this information. For example, is the information stored on a server? Does the Human Resources area hold information about the employees involved in the treatment of this information?

    Basically you should define the scope as information, systems, processes, areas, etc. but not in terms of controls.

    This article can help you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And to avoid problems defining the scope, this article may also interest you: “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    Finally, these materials will help you to know more about the scope:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27017/ISO 27018 Implementation


    Answer:
    You are right. I mean, you can certify ISO 27001 for a limited scope of your organization, and you can exclude, for example, the cloud environment. But if you have implemented ISO 27017/27018, which is simply a code of best practices with specific controls related to the cloud, it is very easy to extend the scope of ISO 27001 to the cloud environment, because these standards only include some new security controls. So, in this case, our recommendation would be to extend the scope of ISO 27001 to the cloud environment.

    Regarding your second question, there are some certification bodies offering certificates against ISO 27017/27018, although these are not regular certificates like ISO 27001, ISO 9001, etc.

    These articles may interest you:

    “ISO 27001 vs. ISO 27017 - Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    “ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud” : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    “Resolving cloud security concerns by defining clear responsibilities according to ISO 27017” : https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/

    Finally, these materials will help you to know more about the ISO 27001:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Cloud Service Provider assessment considerations


    Answer:

    One of the most useful CSA's resources is the Cloud Controls Matrix, currently on version 3.0.1. It is a mapping of CSA recommended practices to the most known standards and regulations regarding information protection. Considering ISO standards, this matrix maps CSA practices to:

    ISO/IEC 27001:2013 (information security management)
    ISO/IEC 27002:2013 (information security practices)
    ISO/IEC 27017:2015 (information security in cloud environments)
    ISO/IEC 27018:2015 (protection of PII)

    So, if someone wishes to create a vendor assessment guideline aligned with CSA practices, he can use the Cloud Controls Matrix to identify which CSA recommendations are mapped to supplier management practices from ISO 27001 (items marked with A.15.x.x) and ISO 27002 (items marked with 15.x.x), and choose those that best fit his organization. He can also use the same method to align his guideline to ISO 27017 (security in cloud services) and ISO 27018 (protection of PII).

    The Cloud Controls Matrix can be found in this link: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
  • Policies vs. Procedures


    Answer:

    Policies are clear, simple statements of how your organisation intends to conduct its services, actions or business. They provide a set of guiding principles to help with decision making. Policies don't need to be long or complicated – a couple of sentences may be all you need for each policy area.

    Procedures describe how each policy will be put into action in your organisation. Each procedure should outline:
    - Who will do what
    - What steps they need to take
    - Which forms or documents to use.

    Procedures might just be a few bullet points or instructions. Sometimes they work well as forms, checklists, instructions or flowcharts.

    Policies and their accompanying procedures will vary between workplaces because they reflect the values, approaches and commitments of a specific organisation and its culture. But they share the same role in guiding your organisation.

    In terms of ISO 9001 it is more common to write a procedure for HR, Biomedical Engineering, IT, Purchasing and Warehouses, and so forth because they fit better with the attributes of a procedure mentioned above.

    For more information, see:
    - How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Mapping all controls with risks


    Answer:

    No. First of all, most companies won't have risks related to every control, which means that most companies won't find all controls applicable - see this article which explains that logic: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Second, you might find some controls applicable even though there are no related risks: there are cases when you have to comply with some laws or regulations - e.g. applying encryption - even though the risk assessment does not show any related risks.

    By the way, this article explains how this applicability is documented: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Asset value


    Answer:
    Basically, the asset value is the same as the impact value, and can be calculated as an assessment of the impact of loss of confidentiality, integrity and availability of information.

    This article may interest you: “How to assess consequences and likelihood in ISO 27001 risk analysis” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    And also this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    Finally, these materials will help you to know more about the assets value and the calculation of risks:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Updating Quality Manual to match ISO 9001:2015


    I didn't know if I should have our quality manual follow the same format as the new ISO 9001:2015, i.e. have the following clause headings.
    0) Introduction
    1) Scope
    2) Normative references
    3) Terms and definitions
    4) Context of organization
    5) Leadership
    6) Planning
    7) Support
    8) Operation
    9) Performance evaluation
    10) Improvement

    Is it advisable though to update to reflect new versions of the ISO?

    Answer:

    There is no requirement for the Quality Manual to follow the structure of the standard. The reason why companies decide to do so is that it helps them see how each of the clauses is met in their Quality Management System. Other than this, there are no reasons for adopting the clause headings of the standard in the manual.

    Furthermore, the standard no longer requires organizations to have a documented Quality Manual, so if you find it redundant for your QMS, you can even exclude it from your system. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Evaluating risks


    Answer:

    In order to evaluate risks you need to define criteria. Criteria can be based on one or several features. Usually the criterion for evaluation of a risk is its severity or consequence: if the risk has a big severity or consequence, it is ranked higher on the list of risks, or it can be labeled as a significant risk, as opposed to insignificant risks with small severity or consequence.

    Another feature that can be taken as a criterion for risk evaluation is frequency of occurrence or probability. Some risks can have a big consequence but rarely happen, so such a risk can be considered insignificant or low on the list of priorities. A risk with high probability and big consequence should be considered significant, or unacceptable, and such a risk should be addressed.

    There are additional criteria for evaluation of risk, such as detection, that can be used, but the number and type of criteria to be used will depend on the needs of the company. Smaller companies will use simpler criteria that can be qualitative or quantitative, and bigger and more complex companies will use more criteria and qualitative methodology.

    For more information, see: Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
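    The two answers above ("Asset value", where asset value equals the impact of losing confidentiality, integrity or availability, and "Evaluating risks", where severity, probability and optionally detection are combined and compared against an acceptance criterion) describe the same evaluation step from two angles. The script below is an added worked example, not code from Advisera or from either answer's author. The 1-5 scales, the multiplicative scoring, the acceptance threshold and the sample assets and scenarios are all assumptions chosen for illustration; the point it shows is how a high-consequence but rare scenario ends up below the acceptance line while a likely one ends up above it.

```python
"""Qualitative risk evaluation worked example (added illustration, not from the page).

Asset value  = worst-case impact across confidentiality, integrity, availability.
Risk score   = asset value x likelihood, optionally x detectability.
Evaluation   = compare the score to an acceptance threshold and rank.
Scales, threshold and sample data are assumptions, not from any standard text.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5          # assumed 1 (low) .. 5 (high) rating scale
ACCEPTABLE_RISK = 9                  # assumed acceptance criterion: score > 9 is unacceptable


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int             # impact if confidentiality of the information is lost
    integrity: int                   # impact if integrity is lost
    availability: int                # impact if availability is lost

    def impact(self) -> int:
        """Asset value: the worst of the three impact ratings, validated against the scale."""
        for rating in (self.confidentiality, self.integrity, self.availability):
            if not SCALE_MIN <= rating <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {rating} outside {SCALE_MIN}..{SCALE_MAX}")
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    scenario: str                    # threat / vulnerability description
    likelihood: int                  # 1 = rare .. 5 = almost certain
    detectability: int = 1           # optional third criterion: 1 = easily detected .. 5 = hidden


def risk_score(risk: Risk, use_detection: bool = False) -> int:
    """Combine impact and likelihood (and detectability if the methodology uses it)."""
    score = risk.asset.impact() * risk.likelihood
    if use_detection:
        score *= risk.detectability
    return score


def evaluate(risks, acceptable: int = ACCEPTABLE_RISK, use_detection: bool = False):
    """Return (score, label, risk) tuples, highest score first."""
    rows = []
    for risk in risks:
        score = risk_score(risk, use_detection)
        label = "UNACCEPTABLE" if score > acceptable else "acceptable"
        rows.append((score, label, risk))
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows


# Constructed sample data (hypothetical hospital assets; not from the page).
PATIENT_DB = Asset("patient database", confidentiality=5, integrity=5, availability=4)
PUBLIC_SITE = Asset("public website", confidentiality=1, integrity=3, availability=3)

SAMPLE_RISKS = [
    Risk(PATIENT_DB, "credential theft via phishing", likelihood=4, detectability=3),
    Risk(PATIENT_DB, "data centre flood", likelihood=1, detectability=1),
    Risk(PUBLIC_SITE, "denial of service", likelihood=3, detectability=1),
]

if __name__ == "__main__":
    for score, label, risk in evaluate(SAMPLE_RISKS):
        print(f"{score:>3}  {label:<12}  {risk.asset.name}: {risk.scenario}")
```

    Run as-is, the flood scenario scores 5 (impact 5, likelihood 1) and stays acceptable despite its large consequence, the phishing scenario scores 20 and is flagged unacceptable, and the website outage sits exactly on the threshold. Passing use_detection=True multiplies in the detectability rating, which pushes the hard-to-detect phishing case further up the list without changing the other two.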
  • Transition from BS 25999 to ISO 22301


    Answer:
    ISO 22301 was developed taking into consideration BS 25999, so there are many similarities between the two standards. This article can help you to know more about these similarities, and also about the differences: “ISO 22301 vs. BS 25999-2 - An Infographic” : https://advisera.com/27001academy/blog/2012/05/22/iso-22301-vs-bs-25999-2-an-infographic/

    Another standard related to business continuity, commonly used in the USA, is NFPA 1600. This article may also interest you: “NFPA 1600 vs. ISO 22301 - Similarities and differences” : https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/

    Finally, this ebook about ISO 22301 may also interest you: “Becoming resilient, the definitive guide to ISO 22301 implementation” : https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/