Search results


  • Checklist during an internal audit


    Answer:
    It is not mandatory. I mean, a checklist during the internal audit can be a best practice, but it is not mandatory, so the external auditor cannot raise a non-conformity about this (he can raise a non-conformity if, for example, you don’t have an internal audit program).

    You can see a complete list of mandatory documents (and non mandatory) here “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Anyway, if you want to develop a checklist for the internal audit, this article can help you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, these materials will help you to know more about the internal audit:
    - free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Scope of an ISMS


    I also have a question about how detailed I should define the scope. Since it is a small company, I plan to state in the document that the scope will be the whole company, and then indicate in detail which departments, which services and which processes will be covered. My question is whether I have to go into the detail of specifying, for example, which equipment, mobile devices, people and documents will be included.

    Finally, should I create a section called interfaces and dependencies? And what should I indicate in that section? My idea is that all the channels through which information flows to the outside should be analysed, as in the case of the router that connects to the IT provider.

    Answers:
    Regarding the first question, what matters for ISO 27001 is the protection of information, regardless of where it is. Therefore, your router can be included in the scope, but so can the server (if you control it), because it also contains information; although some things are managed by your provider, you can set some policies that your provider will have to implement. And you can include a "Connections and interfaces" section in your scope document, covering how your infrastructure is connected with your provider's infrastructure.

    Regarding the second question, it is not necessary to specify people, documents, etc.; you can simply define areas, processes or departments, etc.

    Regarding the third question, yes, you can include an "Interfaces and dependencies" section in your scope document (although this is not mandatory in the standard), and basically you have to consider the interfaces and dependencies between your ISMS scope and the outside. For example, you can draw a diagram with your processes inside one circle, and all the external processes (provided by your provider) in another circle.

    This article may be useful to you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And also this one “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    Finally, these materials will help you learn more about how to define the scope:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Meaning of "ISO"


    Answer:

    It is a very common misconception that ISO is an abbreviation of the full name of the ISO organization, the International Standardization Organization. In fact it is short for the Greek word "isos", which means equal, and the reason for that is that the ISO organization wanted to emphasize its mission of creating the same set of rules for the entire world.
  • Inspection and traceability of implantable devices


    Answer:

    I assume you are asking about ISO 13485 and not ISO 9001, since requirements for inspection and traceability only exist in ISO 13485.

    ISO 13485 requires the organization to document a procedure for traceability, defining the extent of traceability in accordance with applicable regulatory requirements and the records to be maintained. Specific traceability requirements for implantable devices include records of components, materials and, in some cases, the conditions of the work environment used. All requirements regarding traceability of implantable devices can be found in clause 7.5.9.2 of ISO 13485:2016.

    The only additional requirement for inspection of implantable medical devices is recording the identity of the personnel performing inspection or testing; the rest of the requirements for inspection and testing are located in clause 8.2.6 of ISO 13485:2016.
  • Problems with very narrow ISMS scope


    The company is divided into 2 main parts, the computer operations centre and the rest of the company. If the scope of the ISO 27001 project were going to be for the Security Operations Centre (SOC) exclusively, then am I correct in stating that any dependencies that the SOC has on IT, for example server infrastructure in the company domain, would result in the company data centre having to be included in the scope?

    Answer: I'm not really sure if it makes sense to include only your SOC in the ISMS scope, but this is theoretically possible. In the case of such a narrow scope, the main thing is to make sure you have interfaces to the "outside world" - in your case this outside world would be the rest of the company. So if you include server infrastructure in the scope, it would be extremely difficult to create an interface towards other users in your company - therefore, it is better to exclude the server infrastructure from such a scope.

    If we put the AD and infrastructure the SOC needs into a DMZ that is shared by the SOC and the company, then how does that affect the scope for the 27001 implementation?

    Answer: Basically, the logic is the same as described above - probably the best idea is to keep the AD outside of the scope. Of course, this opens the question of what would be included in the scope then? Which leaves us with the conclusion that such a small scope doesn't make much sense.

    Also, if the scope is set to be exclusively for the SOC, then it can be extended to the rest of the company, right? Or is it best to have 2 separate ISMSs, one for the company and one for the SOC?

    Answer: Yes, your scope can be extended to other parts of the company; it is a very bad idea to have two separate ISMSs in a company.

    See also these articles:
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    This book will also help you with setting the scope: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Developing a cryptography policy


    Answer:
    You can include in this policy basic rules related to cryptographic controls, for example: it is necessary to use software tools to encrypt hard disks, software tools to encrypt the information in emails, encryption for external connections, etc.

    For more information, this article can be interesting for you “How to use the cryptography according to ISO 27001 control A.10” : https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

    And our template can be also interesting for you (you can download a free version clicking on “Free demo” tab) “Policy on the Use of Cryptographic Controls” : https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/

    Finally, these materials will help you to know more about the ISO 27001 and the cryptography controls:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Implementation of ISO 13485


    Answer:

    The implementation process of ISO 13485 is not so different from that of other management system standards. After obtaining management support for the implementation, you need to conduct a gap analysis to determine to what extent your company is already compliant with ISO 13485 and determine what needs to be done to achieve full compliance with the standard.

    The next step is to develop a project plan where you will define all activities to be taken and documents to be created, as well as responsibilities, resources and deadlines. Then you can start implementing new processes, changing existing ones and creating the necessary documentation.

    Once you have implemented the standard, you need to conduct an internal audit and management review to make sure that your system is compliant with the standard, and finally you can hire a certification body to conduct the certification audit and issue your company the certificate. For more information, see: Diagram of ISO 13485:2016 Implementation Process https://advisera.com/9001academy/free-downloads//
  • PDCA cycle in ISO 9001


    Answer:

    The PDCA (Plan-Do-Check-Act) cycle is one of the most important principles of ISO 9001:2015; its clauses and requirements are arranged according to this cycle.

    Clauses 4 to 7 are part of the "Plan" phase; they require you to determine the context of the organization, define the quality policy, address risks and opportunities, establish quality objectives and provide resources for the QMS.

    Clause 8 belongs to the "Do" phase; here you need to operate and control your key processes, from sales and purchasing to design and development to production.

    Clause 9 represents the "Check" phase, which includes monitoring and measuring your processes, measuring customer satisfaction, and conducting internal audits and management review. For more information, see: How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/

    Clause 10 represents the "Act" phase, where you define and execute corrective actions and other actions aimed at continual improvement of the QMS.

    For more information, see: Plan-Do-Check-Act in the ISO 9001 Standard https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/
  • PII and free text fields in information systems


    Answer:
    The concern is valid. A suggested protection in this case would be to include a text on the page that contains the free text field, explicitly informing that no PII is required in that specific text field and that by including PII the user is assuming the risk of exposing his/her information. Of course, this solution should be reviewed by a lawyer regarding the legal requirements your organization must comply with.
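The answer above recommends a notice on the page. As an added example that is not part of the original answer, the following client-side check (JavaScript, assumed to run in the browser next to the form) scans the free-text field for a few common PII patterns and blocks submission until they are removed. The pattern set, the Luhn filter for card-like numbers and the function names are assumptions for illustration, not anything the answer prescribes; the check complements the notice and does not replace the legal review the answer calls for.

```javascript
// Added example (not from the original answer): warn the user and block the
// form when a free-text field appears to contain personal data.
// The patterns below are assumptions; adapt them to the data your
// organization actually handles.

// Luhn check used to tell real card numbers from other long digit strings.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

const PII_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // Phone-like: a digit run of 9+ characters with optional separators/prefix.
  { kind: "phone", re: /\+?\d[\d\s().-]{7,}\d/g },
  // Card-like: 13 to 19 digits with optional separators, confirmed by Luhn.
  { kind: "payment card", re: /\b(?:\d[ -]?){12,18}\d\b/g, check: luhnValid },
];

// Returns a list of { kind, match } findings; an empty list means nothing found.
function findPii(text) {
  const findings = [];
  for (const { kind, re, check } of PII_PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (check && !check(m[0])) continue; // drop digit runs that fail Luhn
      findings.push({ kind, match: m[0] });
    }
  }
  return findings;
}

// Attach to a form: prevent submission and name the kinds of PII detected.
function attachPiiGuard(form, textarea, noticeEl) {
  form.addEventListener("submit", (event) => {
    const findings = findPii(textarea.value);
    if (findings.length === 0) return;
    event.preventDefault();
    const kinds = [...new Set(findings.map((f) => f.kind))].join(", ");
    noticeEl.textContent =
      `This field must not contain personal data. Detected: ${kinds}. ` +
      "Please remove it before submitting.";
  });
}

// Usage (assumed element ids): wire the guard once the page has loaded.
// attachPiiGuard(document.getElementById("feedback-form"),
//                document.getElementById("comments"),
//                document.getElementById("pii-notice"));
```

Because a client-side check can be bypassed or simply fail to load, run the same scan server-side before the field is stored; there the finding should reject or redact the value rather than only warn.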
