
  • Aspects and risks


    Answer:

    The first difference is the fact that environmental aspects must be documented, while risks and opportunities do not need to be. Regarding environmental aspects, the company must define a methodology for their evaluation and criteria for determining their significance. The process of identification and evaluation of environmental aspects is focused primarily on processes and their environmental impacts, while risks can emerge from any part of the context of the organization.

    Addressing risks and opportunities according to ISO 14001 does not require a documented procedure, an established methodology, or even a registry of records; it only requires taking actions to address them and monitoring the effectiveness of these actions.

    For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
  • Guide for the implementation of ISO 27001


    Answer:
    Of course! We have an easy method to implement the standard, composed of 16 steps. This method is applicable to any company, including a medium-sized insurance company:

    1.- Obtain management support
    2.- Treat it as a project
    3.- Define the scope
    4.- Write an ISMS Policy
    5.- Define the Risk Assessment methodology
    6.- Perform the risk assessment & risk treatment
    7.- Write the Statement of Applicability
    8.- Write the Risk Treatment Plan
    9.- Define how to measure the effectiveness of controls
    10.- Implement the controls & mandatory procedures
    11.- Implement training and awareness programs
    12.- Operate the ISMS
    13.- Monitor the ISMS
    14.- Internal audit
    15.- Management review
    16.- Corrective and preventive actions

    For more information about these steps, please read this article “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And this diagram can help you to start the implementation of the standard in your organization “Diagram of ISO 27001:2013 Implementation (PDF)” : https://advisera.com/27001academy/iso-management/begin-the-implementation/

    Finally, these materials will help you to know more about how to implement the standard:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Approving the security policies


    Answer: ISO 27001 specifically calls these documents "policies", so if you select those controls as applicable then you should call them this way; of course, you can also write additional guidelines, which would be much more detailed, whereas you can leave the policies rather general.

    The reason I ask is because our Board has to endorse all policies, and for just the ISMS these are becoming quite heavy. As you can imagine, yearly endorsements of all policies within the company are a tremendous job anyway. Any advice would be helpful & appreciated.

    Answer: I'm not sure why your board would need to approve all the policies - you can define a rule by which they need to approve only the top-level documents like the Information Security Policy, implementation strategy or the budget; you can specify in that rule that detailed policies can be approved by someone else in your organization.

    These articles might also help you:
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
  • Methodology for risk assessment in ISO 27001


    Answer:

    ISO 27001:2013 does not define a risk methodology, only requirements for the risk assessment and risk treatment process. There are many examples of risk methodologies; I would only generally divide them into quantitative and qualitative (or combined) risk assessment.

    This article gives you a couple of examples of qualitative methodology: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    These materials will also teach you how to define the risk assessment methodology:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Question on List of legal, regulatory, contractual and other requirements


    Should we list these contracts with partners in the “List of Legal regulatory contractual and other requirements”?

    Answer: You should list them only if in those contracts there are some clauses where you have the responsibilities to protect the information.

    When selling our product to a company coming from another country, it's not clear to me if we should list that country's laws and regulations…

    Answer: Only if those regulations are applicable to your company - for example, if you are selling some consumer products to other countries, then you probably need to comply with their local legislation; if you are selling some business-to-business products, then the chances are you do not need to comply with local legislation in foreign countries.

    We have a helpdesk system hosted by another company where we store confidential information about our customers. Should the contract between us and this helpdesk company be listed too?

    Answer: I assume in this contract there are some security obligations for the hosting company, but not for you - if this is the case, then you do not need to list this contract in the List of legal, contractual and other requirements.

    By the way, did you know we have a free online course that explains all the important elements of ISO 27001? It is called ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 9001:2015 and production process

    Thanks for the reply Strahinja. That helped.
    Coming to point 2: No, it is not using wrong equipment, but a fixture that is now obsolete but has not been identified properly and hence stands a chance of being used by mistake. So which ISO clause is applicable?
  • OHSAS 18001 and ISO 45001


    Answer:

    The purpose of both standards is to provide a framework for establishing an occupational health and safety management system; the difference is that OHSAS 18001 is published by BSI (British Standardization Institute) and ISO 45001 will be published by the ISO organization (keep in mind that it isn't published yet).

    Unlike the case with ISO 9001 and ISO 14001, where there was a change in the version so we entered a transition period in which every company must make the transition and update its system to meet the requirements of the new versions, the publication of ISO 45001 won't force companies to migrate to it and abandon OHSAS 18001. But it will be in line with other ISO standards, which will facilitate integration, and it will be a modern standard that is up to date with current requirements for occupational health and safety, so it will eventually replace OHSAS 18001, though the migration won't be as strict as in the case of the transition of ISO 9001 and ISO 14001.

    For more information, see: First glance at ISO/DIS 45001 – How different is it from OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/20/first-glance-at-isodis-45001-how-different-is-it-from-ohsas-18001/
  • SoA and A.16 controls


    Would it be acceptable to justify the implementation of all A.16 controls using "All risks" instead of a specific risk?

    Answer:

    Basically, you are right - incident management as described in section A.16 is applicable because of any risk that you have. You could have some exceptions to that rule - e.g. A.16.1.7 Collection of evidence might be applicable to only some types of incidents; however, in general, for each control you can say that the reason for its applicability is all the risks that you identified.
  • Lean and ISO 9001


    Answer:

    Although there is a lot of overlap between ISO 9001 and Lean in terms of purpose and principles, they are different in many ways.

    Lean is a set of management practices based on the Toyota Production System (TPS). The Toyota Production System, a.k.a. Lean, is defined as having three primary pillars:
    1. Just-in-Time (improving flow)
    2. Quality at the source
    3. Waste reduction

    On the other hand, ISO 9001 is a management system that is focused on the quality of products and services and on customer satisfaction. ISO 9001 represents a set of requirements that an organization needs to meet in order to establish a quality management system, while Lean represents a set of tools and practices that should enable a company to reduce waste, ensure quality and improve processes. If you ask a consultant to implement ISO 9001 you will get one type of system, and if you ask him to implement Lean you will get another type of system. They can be implemented at once to create one system, and they are good at supplementing each other, but they are not the same.

    For more information, see: ISO 9001 vs. Lean: How they compare and how they are different https://advisera.com/9001academy/blog/2014/07/22/iso-9001-vs-lean-compare-different-2/
  • Excluding physical location from the ISMS scope

    Again, you should approach this issue from the point of view of protecting your most sensitive information.

    If your sensitive information is located in that office, or if this office is crucial to protecting the access to your information, then you should include the office in your scope. The fact that the office is leased doesn't prevent you from either (a) asking the owner to invest in physical controls, or (b) investing in physical controls yourself.

    Perhaps this article could help you: Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/