
Working in a company where we try to implement ISO 27001

weakness

Starting to get Involved
#1
Hi,

I'm working in a company where we are trying to implement ISO 27001.
We have prepared an assets inventory form,
but how do we determine the CIA profile?
Operator instruction?
Process form, etc.?
Thank you for your support.
 
#2
Re: Working in a company where we try to implement ISO 27001

Welcome:

Before you start developing anything to meet ISO27000, what are you trying to achieve? Do you want to be certified, for example? Is your highest level of management, including your CISO, in agreement with the need for an Information Security Management System? Have you had a "Gap Analysis" performed for you, so that in addition to the obvious things that ISO 27001 requires, you know everything else you need to work on and have a plan, including some external help?

Without these things, you will not get very far, even with us here, helping you!
 

weakness

Starting to get Involved
#3
I have an implementation Gantt chart for certification. We prepared an assets inventory form to determine:
- asset inventory
- risk assessment
- SOA etc.
But we are at the first step: determining assets.
Operation instructions, for example. An operator instruction is prepared in the process, then the quality department approves it and shares it with the related document; how can we decide its CIA profile?
 
Michalm

#5
Are you sure?
What about Annex A - A.8.1.1:
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
 

John Broomfield

Staff member
Super Moderator
#7
Hi,

I'm working in a company where we are trying to implement ISO 27001.
We have prepared an assets inventory form,
but how do we determine the CIA profile?
Operator instruction?
Process form, etc.?
Thank you for your support.
weakness,

First define the types of information you want to secure. For example, you could start with the intellectual property of customers and yourselves.

Then analyze the processes that generate, use and share such information and this will determine the assets that need to be made secure. Remember that information may be documented or in the form of prototypes. People who steal intellectual property are adept at reverse-engineering innovative products.

This also defines the scope of your ISMS.

Do not just make a list of the assets you happen to have. Quite separately from info sec your IT department should know this already.

John
 

Richard Regalado

Trusted Information Resource
#8
Before defining the type of information, an organization needs to understand and realize why they need information security. Normally there are 3 requirements to start off with:

- legal requirements

- contractual requirements

- the organization's own business requirements

Once the reason is clear, decide whether or not infosec is for you.
 
griffo

#9
In the 2013 version of ISO 27001 you don't need to identify assets.
However, it cannot hurt if you decide to identify your assets.

For me, planning to migrate from the 2005 version soon, I'm having a hard time trying to imagine what the RA process would look like without a list of all assets. What is your thought on that? How do you tackle this challenge?
 

Richard Regalado

Trusted Information Resource
#10
I agree with you griffo. I started with BS7799 and asset-based RA. I'm developing 2 approaches right now to address the 'relaxed' requirements for RA of the 2013 version.

One approach is to determine risks per process within the scope.

The second approach is the outright identification of risks. This would entail referencing a list of risks and determining if a particular risk exists in the organization.

I'll be honest to say though that I find the asset-based approach more thorough in ensuring that the most relevant risks are identified and assessed, processed and eventually modified to meet the risk acceptance criteria.

Add:
For companies using the 2005 version, there already exists a list of risks. But they have to go back to the initial assessment, as some of the risks may have been treated along the way and taken off the radar.
 