ISO 9001:2015 and Risk Assessment

Upload: abdel-nasser-al-sheikh-yousef

Post on 21-Feb-2018


7/24/2019 ISO 9001 2015 and Risk Assessment

ISO 9001:2015 How to apply Risk-based Thinking to Quality Processes (Part I)

Why taking a risk-based approach is a requirement of ISO 9001

Risk-based thinking is a sore point among many Quality professionals. Even so, identifying risk, analyzing the consequences, probability and level of risk (i.e. risk analysis) and risk evaluation using formal techniques are becoming increasingly important tasks in the global business world.

ISO 9001:2015 incorporates what the draft version of the International Standard has termed "Risk-based Thinking" in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the IS or have read the many discussions on the subject that have appeared on LinkedIn groups and elsewhere, you will already be aware that formal risk management is not mandated. However, organizations can, in the words of the TC 176 Committee's draft standard (May 2014) "...choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be

appropriate in certain organizational contexts."

I am sceptical about the subject of demonstrating risk-based thinking to a certification auditor when they assess your quality management system. Of course, it's possible that you won't be subject to an intensive grilling if the Standard does not require you to produce the outputs from your risk assessment processes or evidence of a formal risk management system. ... guidance documents that, along with the ISO 9001:2015 Standard, are yet to be published. Nobody yet knows exactly what they will be asking for – and they don't know themselves either, unless they are the ones writing the guidelines!), and (b) a useful way of identifying, evaluating and treating the kind of risks that apply to the processes used in Quality Management.

Starting point for risk-based approach applied to quality processes

In my post ISO 9001:2015 – The likely impact (Part II), February 4, 2015, I suggested the following basic checklist of tasks:

Analyse and prioritize the risks and opportunities in your organisation
What is acceptable?
What is unacceptable?
Then plan actions to address the risks.

The ISO 9001 IS says that ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts.

This fact will be well understood by those working for large, indeed global entities that have long since adopted risk management methodologies and have risk managers on their team who are familiar with ISO 31000.

But what is ISO 31000 attempting to achieve, and is it relevant to the majority of organizations that are trying to gain or transition to ISO 9001?

ISO 31000 describes an "overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments"[1]. Which on the face of it sounds an ideal recipe for risk-based thinking. Pick up the Standard and read it, and this thought is quickly dispelled, since ISO 31000 takes a generic approach that has to be developed – in considerable detail – to be useful in a given context.

Great for the Strategic aims of the senior management, but not of any great value to the 'poor bloody infantry' of quality managers out there.

Perhaps the first (and most frustrating) conclusion that you will come to, having spent £120 ($180 US) on your personal copy is that you next need to buy ISO/IEC 31010:2009 – Risk management – Risk assessment techniques. A slightly steeper £226 from BSI, or $337 US, on 24/03/15.

So your boss says, "OK, buy the one that you actually need, but don't come back to me asking for any more. We've got by without 'risk-based thinking' in the past [insert number of years or decades]; surely we will do so this time?"

There is no point in making life more complicated than it needs to be; thus:

In general terms, suitable techniques should exhibit the following characteristics:
it should be justifiable and appropriate to the situation or organization under consideration
it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated
it should be capable of use in a manner that is traceable, repeatable and verifiable. [Ibid]

Great!

By now, you're probably fired up with the possibility of finding a suitable risk assessment technique that fits the context of your organization and its quality management system? You can't wait to get started on the job.

(Come on ... humour me!)

You turn to:

Annex A
(informative)
Comparison of risk assessment techniques

1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Primary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard ...
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode effect analysis
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centred maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)

Not everybody of course will have the resources and capabilities within the organization to attempt some of these – e.g., Fault tree analysis, Cause / consequence analysis, Monte-Carlo analysis, Bayesian analysis.

Quality managers working for smaller enterprises (SMEs) may only dream of conducting analysis at the level required by some techniques in the list. The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that doesn't mean to say that ISO 31010 isn't a valuable reference should you ever be required to think about risk in these terms.

Bear with me, though, because in the next few posts, I am going to show you a method to assess risk by turning Complexity into Simplicity!

1 Project risk management guidelines: managing risk with ISO 31000 and IEC 62198. Dale F Cooper, et al. Wiley. 2014.

ISO 9001:2015 – How to apply Risk-based Thinking to Quality Processes [Part II]

ISO 31000 Risk management techniques: A selection of risk assessment tools you might like to consider

In my view, this doesn't have to be an onerous task even at the high-risk end of the context spectrum. However, to completely ignore the risks and opportunities aspect of planning your QMS [see 6.1], regardless of the degree of risk involved, would surely be to risk a major non-conformity?

ISO 9001 Risk-based thinking could (and I am not saying that it should) be demonstrated by showing the outputs from one or more of the risk assessment tools in ISO 31010 in your "documented information".

To give you a flavour of what these tools are intended to achieve and how they work, I intend to describe a selection of the 31 listed in ISO 31010.

LOOK-UP METHODS

Check-lists

A simple form of risk identification. A technique which provides a listing of typical uncertainties which need to be considered. Users refer to a previously developed list, codes or standards.

Check-lists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the appropriate actions to address them.

SUPPORTING METHODS

Structured interview and brainstorming

A means of collecting a broad set of ideas and evaluation, ranking them by a team. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques.

So what should we plan to collect in terms of ideas and evaluation?

Let's remind ourselves first of what ISO 9001:2015 says we should do.

When planning for the quality management system, ISO 9001:2015 requires organizations to consider the issues referred to in 4.1 [Understanding the organization and its context] and the requirements referred to in 4.2 [Understanding the needs and expectations of interested parties] and determine the risks and opportunities that need to be addressed, in order to:
a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

We should integrate and implement the actions into the organization's quality management system processes (see clause 4.4) and evaluate their effectiveness.

Brainstorming as a technique could be particularly useful when, for example, identifying risks of new technology where there is no data or where novel solutions to problems are needed. To quote ISO 31010 "...it encourages imagination which helps identify new risks and novel solutions". However, it is not applicable to risk analysis tasks of consequence, probability or level of risk. It therefore has its limitations and, along with the 'Look-Up Methods' of Check-lists and Primary hazard analysis, and most of the 'Supporting Methods' of Structured interviews, Delphi technique, SWIFT (Structured "what if") and ..., it does not provide any quantitative output – although this is not a requirement of ISO 9001.

[Note in the section 'Supporting Methods', Human reliability analysis (HRA) ...

What can we learn from ISO 31000 risk assessment processes?

ISO 31000 states that risk assessment attempts to answer the following fundamental questions:
• what can happen and why (by risk identification)?
• what are the consequences?
• what is the probability of their future occurrence?
• are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?

Providing that you adhere to this basic structure, you are following the framework that is set out in the International Standard ISO 31000:2009.

Rather than spending several days reading the Standard and having long meetings with colleagues to see how it might be applicable, why not look for methods that would help you to meet the requirements of ISO 9001?

For me, a good start would be:

Documenting the results of any 'consideration of risks and opportunities' exercise as evidence of your management team's "risk-based thinking".

Even if it is clear from the design of your processes that you have taken account of Clause 6.1 and determined the risks and opportunities that need to be addressed, having a record of your risk assessment processes might prove useful, if only as a reminder to keep matters under review!

Then, evaluate the risk assessment tools (numbering 31 in total) in ISO 31010 to see if they are applicable to your organizational context.

It's probably not the time to use them in anger yet (see below), but at least you will know they exist and that some tools could help to identify risks and opportunities and be useful in carrying out risk analysis (if you consider consequences, probability and level of risk) and risk evaluation?
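The four ISO 31000 questions above, together with the earlier checklist (analyse and prioritize, decide what is acceptable, then plan actions), map directly onto the simplest tool in the Annex A list, the consequence/probability matrix (item 29). The script below is an added example and not code from the original post: it walks a small constructed register of quality process risks through identification, analysis (consequence x probability, with existing controls credited), evaluation against acceptability thresholds and action planning. The rating scales, the thresholds and the sample register are assumptions chosen for illustration.

```python
"""Consequence/probability matrix (technique 29 in the ISO 31010 list above)
applied to a quality process risk register. This is an added illustration, not
code from the original post: the rating scales, the acceptability thresholds and
the sample register are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal scales (assumption): 1 = negligible / rare ... 5 = severe / almost certain.
CONSEQUENCE: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROBABILITY: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Acceptability criteria (assumption): the "what is acceptable / unacceptable" step.
ACCEPT_MAX = 4      # level 1..4: acceptable, keep under review
TOLERATE_MAX = 12   # level 5..12: tolerable, treat and monitor; above: unacceptable


@dataclass(frozen=True)
class Risk:
    """One row of the register, structured around the ISO 31000 questions."""
    ident: str
    process: str
    what_can_happen: str            # what can happen and why (risk identification)
    consequence: str                # what are the consequences
    probability: str                # probability of future occurrence
    controls: Tuple[str, ...] = ()  # factors that already mitigate the risk
    residual_probability: Optional[str] = None  # probability after controls; None = unchanged


def level(consequence: str, probability: str) -> int:
    """Level of risk as the matrix cell value: consequence rating x probability rating."""
    return CONSEQUENCE[consequence] * PROBABILITY[probability]


def residual_level(risk: Risk) -> int:
    """Level once existing controls are credited (the fourth ISO 31000 question)."""
    return level(risk.consequence, risk.residual_probability or risk.probability)


def evaluate(lvl: int) -> str:
    """Risk evaluation: compare the level with the acceptability criteria."""
    if lvl <= ACCEPT_MAX:
        return "acceptable"
    if lvl <= TOLERATE_MAX:
        return "tolerable"
    return "unacceptable"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual level first; ties broken by identifier for a stable order."""
    return sorted(register, key=lambda r: (-residual_level(r), r.ident))


def plan_actions(register: List[Risk]) -> List[Dict[str, object]]:
    """'Then plan actions': every risk that is not acceptable gets an action entry."""
    actions = []
    for r in prioritise(register):
        lvl = residual_level(r)
        verdict = evaluate(lvl)
        if verdict == "acceptable":
            continue
        actions.append({
            "risk": r.ident,
            "process": r.process,
            "level": lvl,
            "verdict": verdict,
            "action": "treat before the process next runs" if verdict == "unacceptable"
                      else "treat and monitor",
        })
    return actions


# Constructed sample register (assumption) for a small manufacturing QMS.
REGISTER: List[Risk] = [
    Risk("R1", "Supplier evaluation", "Critical supplier ships out-of-spec parts",
         "major", "possible", ("incoming inspection",), "unlikely"),
    Risk("R2", "Document control", "Staff work from an obsolete procedure",
         "moderate", "likely", ("version control in the DMS", "obsolete marking"), "rare"),
    Risk("R3", "Calibration", "Measuring equipment drifts out of tolerance undetected",
         "severe", "possible"),
    Risk("R4", "Training", "New operator is unaware of a process change",
         "minor", "unlikely"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ident} {r.process:<20} inherent={level(r.consequence, r.probability):>2} "
              f"residual={residual_level(r):>2} {evaluate(residual_level(r))}")
    for a in plan_actions(REGISTER):
        print(a)
```

Running it ranks the uncontrolled calibration risk (level 15) first and the supplier risk (level 8 after incoming inspection) second; the two document-control and training risks fall under the acceptance threshold and generate no action, which is exactly the record of "risk-based thinking" the paragraph above suggests keeping for review.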

... developed list available of hazards, risks or control failures, either resulting from a previous risk assessment or past failures, where do you begin? This is likely to be an especially vexing question for organizations that are new to ISO 9001 quality management and have to develop appropriate documented information for their quality processes.

However, a cautionary note:

Before you despair and start writing out check-lists based on your own observations in an effort to tick the box, remember that your colleagues in other departments and business units may already be using some of the formal techniques of risk assessment and risk management process (in a 'silo-centric' way of course), without you even knowing about this.

To quote from the Introduction to ISO 31000:2009:

"The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances"[1].

It follows therefore that it is worth interviewing them (in a structured or unstructured way) or bringing them together for a brainstorming session – if only to find out what qualitative and quantitative risk assessments have been made that could help you to address the requirements of ISO 9001!

Whether or not though anyone is carrying out risk assessments, with or without the use of the tools in ISO 31010, ISO 9001:2015 expects the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1).

For example: the ISO assumes that one of the key purposes of a quality management system is to act as a preventive tool, taking account of identified risks. Consequently, ISO 9001:2015 does not have a separate clause or sub-clause titled 'Preventive action'. Rather, the wording states unequivocally:

"The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements."

... negotiating contract conditions, or developing contingency plans – but even so, thinking about risks and opportunities is central to their work).

IF it can reasonably be argued that managing risk is an integral part of good management (and I think that it can) and that risk-based thinking is fundamental to achieving good business and project outcomes and the effective procurement of goods and services, THEN identifying, analysing and evaluating risk should be processes familiar to all quality managers?

Not everyone agrees with this statement of course, but understanding the context (see clause 4.1) and determining the risks and opportunities that need to be addressed (clause 6.1) are requirements of ISO 9001:2015. Therefore, before you reject the idea of using risk assessment tools on the grounds that they are too complicated and "not part of your job", it's worth pondering this quote from the Introduction to the ISO 31000:2009:

"The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context."[4]

Notes

1 ISO 31000:2009 – Principles and Guidelines on Implementation
2 "Draft BS EN ISO 9001 Quality Management Systems – Requirements", Date 14 May 2014, February 17, 2015

What 'documented information' is required by ISO 9001:2015?

... defines documented information as that which is "required to be controlled and maintained by the organization".

The Notes make it clear that this documented information can be in any format and media and from any source. It can refer to the quality management system (3.33), including related processes (3.12), or it can be information (3.50) created for the organization (3.01) to operate (i.e. documentation). It can also be evidence of results achieved (records).

The source for the above references is ISO DIS 9000:2014, 3.8.1.1.1.

ISO 9001:2008 was designed to allow an organization greater flexibility in the way it chooses to document its quality management system (QMS).

Clause 4.2.1. General provided an explanation of what quality management system documentation and records were required, specifically:
a) documented statements of a quality policy and quality objectives
b) a quality manual
c) documented procedures required by this International Standard
d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and
e) records required by this International Standard

In 2012, the ISO Document ISO/TC 176/SC 2 525R2, titled: ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2008 ... the question 'What is a "document"?' and defined at least some of the main objectives of an organization's documentation. These were:
a) Communication of Information
b) Evidence of conformity
c) Knowledge sharing

In terms of category a), both the type and extent of documentation depended on 'the nature of the organization's products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.' [Ibid, page 1].

Out with the old; in with the new ISO 9001 terms and definitions

Which terms and definitions are going to be defined and used when ISO 9001:2015 is published?

For a start, due to the introduction of ...

... format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
review and approval for suitability and adequacy.

Documented information should also be controlled to ensure:
a) it is available and suitable for use, where and when it is needed
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

To address these requirements, the following activities are necessary:
a) distribution, access, retrieval and use
b) storage and preservation, including preservation of legibility
c) control of changes (e.g. version control)
d) retention and disposition.

You should also identify and control documented information of "external origin" which is necessary for the planning and operation of your QMS.

It is – and will continue to be – necessary to regularly review documents to make sure they are up-to-date, suitable and reflect your practices. Review processes should also check for changes in relevant standards, regulations, specifications and other external documented information.

Documented information will be used to support the operation of processes and be retained "to the extent necessary to have confidence that the processes are being carried out as planned" [Quality management system and its processes].

Who is responsible for distributing documented information to where it is needed – both electronically (e.g. via intranet access, document attachments, download links, etc) and in paper form?

Is documented information from external sources, such as relevant standards, current legislation, product specifications from your suppliers, being reviewed, updated and made available via controlled processes?

... hosted on your server or in the cloud is worth considering before you transition.

In our earlier post (see above) on the subject of using a DMS versus other approaches, we showed how CogniDox maps to the list in Mark Hammar's post to give you much greater control over your documented information.

Mark's useful tips will help to make your controls better suited to your organisation's needs. He lists them under the following seven categories:

1. ...

... Tip 5 is supported by embedded metadata in the documents, so readers can see what they are using. We'd look to limited partner access and/or the extranet portal functionality for 6. Finally, tip 7 can be achieved by marking the document as obsolete.

Increased flexibility in terms of the documented information required by ISO 9001:2015 will not lessen the daunting challenge of controlling the large amount of data contained within your quality management system. A DMS can greatly improve the efficiency and effectiveness of your QMS.

But regardless of how you manage documented information, it will soon be time to say a heartfelt 'Hasta la vista' to your trusty Quality Manual.

Sources referenced plus recommended reading

The following sources are useful in understanding the development process that has led to the publication of the ISO 9001 Committee Draft (the 'DIS'), including the much debated topic of 'risk-based thinking'.

Firstly, the Draft International Standard (DIS) issued for public comment: Draft BS EN ISO 9001 Quality Management Systems Requirements, Date: 14 May 2014, which is available from the ISO Store, BSI Shop, IT Governance Ltd, and other distributors worldwide.

Even though the FDIS (final draft international standard) is expected soon – possibly later this month! – the ISO/DIS 9001 draft issued in May 2014 makes for interesting and necessary reading – especially the Clause 0.5 'Risk-based thinking' and the schematic (Figure 2 on page 9) with the box labelled Plan the Process (Extent of planning depends on RISK)!

Links:
http://www.iso.org/iso/home/store.htm
http://shop.bsigroup.com/
http://www.itgovernance.co.uk/?gclid=CJP-uuTuz8MCFazKtAodFhsAKg
For those looking for straightforward answers to the simple questions regarding the 2015 version and transition process, I recommend BSI's FAQ and their explanation of Risk-based Thinking; view their slideshare presentation at:
http://www.slideshare.net/timdwill/iso9001-risk-basedthinking

Note slide 4 of 12: What is "risk-based thinking"? which features a version of the statement found in the DIS, Clause 0.5, "Risk-based thinking" i.e. "the concept

Links:
http://www.bsigroup.com/LocalFiles/en-CA/ISO%209001-%20FAQ%20fact%20sheet%20July%202014.pdf
http://www.bsigroup.com/LocalFiles/en-IN/Resources/ISO%209001/ISO-9001-Whitepaper-Risk-in-quality-management.pdf
http://www.bsigroup.com/LocalFiles/en-IN/Resources/ISO%209001%20Whitepaper%20-%20Understanding%20the%20changes%20July%202014.pdf
http://www.fr.com/files/Uploads/attachments/RISC/Report_Avanesov.pdf
http://www.slideshare.net/timdwill/iso9001-risk-basedthinking
of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system".

The ISO white paper on the same subject of ISO 9001 and Risk can be downloaded from 'Public information' on the ISO TC176/SC2 Home Page:
http://isotc.iso.org/livelink/livelink/open/tc176SC2public

Note the frequently quoted line: "Risk-based thinking has always been in ISO 9001 - this revision builds it into the whole management system." [Source: ISO Document 1222, July 2014, page 2] – which appears, in a longer and more detailed form, in the committee draft of the standard.

What does the Chair of the ISO 9001 subcommittee have to say?

Watch the video of the Google hangout where Nigel Croft, Chair of the ISO subcommittee responsible for ISO 9001, talks to us about how the revision is progressing:
https://www.youtube.com/watch?v=BrP94_ogRSY

This addresses the thorny subject of risk-based thinking, which as he points out, does not necessarily mean using formal risk management.

In small, low-risk organisations, the 'risk-based thinking' may simply be "intuitive"; in others, a full risk management process may be appropriate.

Cyber Essentials: Why your organisation should 'Get Badged'! – Part IV
Requirement 2. Secure configuration, and 3. User access control

The second Cyber Essentials Requirement references 'secure configuration'.

Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation's sensitive information, often with ease. By applying some simple security controls when installing computers and network devices (a technique typically referred to as system hardening), inherent weaknesses can be minimised, providing increased protection against commodity cyber attacks.

Basic technical cyber protection for secure configuration

Computers and network devices (including wireless access points) should be securely configured.
... should be removed or disabled.
2. ... should be removed or disabled.
4. The auto-run feature should be disabled (to prevent software programs running automatically when removable storage media is connected to a computer or when network folders are accessed).
5. A personal firewall (or equivalent) should be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.

Commentary:

For SME organisations employing <50 people, among the first things that I would definitely recommend checking are the default configurations of routers, including converged wireless routers with access points (...

Change the default login username, if permitted (refer to the user's guide), and password. (The default passwords are published in manufacturers' publications and are readily accessible.)

Conduct M...

3. User access control

Objectives: User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When privileged accounts are compromised their level of access can be exploited resulting in large scale corruption of information, affected business processes and unauthorised access to other computers across an organisation.

To protect against misuse of special access privileges, the principle of least privilege should be applied to user accounts by limiting the privileges granted and restricting access.

Basic technical cyber protection for secure configuration

User accounts should be managed through robust access control.
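The secure configuration items (default credentials, auto-run, personal firewall, unnecessary services) and the user access control objective (administrative rights only for authorised individuals, least privilege) are both checkable against an ordinary asset register and directory export. The script below is an added example and not code from the original post or from the Cyber Essentials scheme: it runs those checks over a constructed inventory and reports each device or account that misses a requirement. The record layout, field names, the 90-day staleness limit and the authorised-administrator list are assumptions about what such an export would contain.

```python
"""Hygiene check for Cyber Essentials Requirement 2 (secure configuration) and
Requirement 3 (user access control) over a constructed inventory. This is an
added example, not code from the original post or from the Cyber Essentials
scheme; the inventory records and their field names are assumptions about what
an asset register or directory export might provide."""
from typing import Dict, List, Set

# Constructed sample inventory (assumption): one record per computer or network device.
DEVICES: List[Dict] = [
    {"name": "office-router", "kind": "router", "default_password_changed": False,
     "autorun_disabled": True, "firewall_enabled": True, "unused_services": ["telnet"]},
    {"name": "ws-01", "kind": "workstation", "default_password_changed": True,
     "autorun_disabled": False, "firewall_enabled": True, "unused_services": []},
    {"name": "laptop-07", "kind": "laptop", "default_password_changed": True,
     "autorun_disabled": True, "firewall_enabled": False, "unused_services": ["remote-registry"]},
]

# Constructed accounts (assumption): who holds admin rights versus who is authorised to.
AUTHORISED_ADMINS: Set[str] = {"it.admin"}
ACCOUNTS: List[Dict] = [
    {"user": "it.admin", "admin": True, "enabled": True, "last_login_days": 2},
    {"user": "j.smith", "admin": True, "enabled": True, "last_login_days": 1},      # admin rights without authorisation
    {"user": "contractor.old", "admin": False, "enabled": True, "last_login_days": 200},
    {"user": "admin", "admin": True, "enabled": False, "last_login_days": 999},     # built-in, already disabled
]

STALE_DAYS = 90  # assumption: an account unused this long is a candidate for removal


def device_findings(dev: Dict) -> List[str]:
    """Requirement 2 checks: default credentials, auto-run, personal firewall, unneeded services."""
    findings = []
    if not dev["default_password_changed"]:
        findings.append("default password unchanged")
    if not dev["autorun_disabled"]:
        findings.append("auto-run enabled")
    # The personal firewall item applies to desktop PCs and laptops.
    if dev["kind"] in ("workstation", "laptop") and not dev["firewall_enabled"]:
        findings.append("personal firewall disabled")
    for svc in dev["unused_services"]:
        findings.append(f"unnecessary service enabled: {svc}")
    return findings


def account_findings(acct: Dict, authorised: Set[str], stale_days: int = STALE_DAYS) -> List[str]:
    """Requirement 3 checks: least privilege (admin only for authorised individuals) and stale accounts."""
    findings = []
    if not acct["enabled"]:
        return findings  # a disabled account carries no live privilege
    if acct["admin"] and acct["user"] not in authorised:
        findings.append("privileged account not on the authorised list")
    if acct["last_login_days"] > stale_days:
        findings.append(f"unused for {acct['last_login_days']} days: remove or disable")
    return findings


def audit(devices: List[Dict], accounts: List[Dict], authorised: Set[str]) -> Dict[str, List[str]]:
    """Collect every non-empty finding list, keyed by device name or 'account:<user>'."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        found = device_findings(dev)
        if found:
            report[dev["name"]] = found
    for acct in accounts:
        found = account_findings(acct, authorised)
        if found:
            report["account:" + acct["user"]] = found
    return report


if __name__ == "__main__":
    for subject, found in audit(DEVICES, ACCOUNTS, AUTHORISED_ADMINS).items():
        print(subject)
        for item in found:
            print("  -", item)
```

On the constructed data the router is flagged for its unchanged default password and an open telnet service, the workstation for auto-run, the laptop for a disabled firewall, and the one account holding administrative rights without being on the authorised list is reported alongside the long-unused contractor account; the disabled built-in administrator produces no finding because it carries no live privilege.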

You put yourself in the position of an attacker. What is your primary task once you have 'infiltrated' (i.e. got into) a network? It's not really a brain teaser question; just ask yourself what you would do in the real world to gain access to valuable data assets? Your job the moment you are in the system is to initiate escalation of privileges, which is how an attacker attempts to gain more access from the established foothold that they have created.

The administrator referred to here was, allegedly, Edward Snowden!

[Source: Sysadmin security fail: NSA finds Snowden hijacked officials' logins, Gallagher – M...

Perhaps it isn't just the smaller enterprises that need Cyber Essentials?

Cyber Essentials: Why your organisation should 'Get Badged'! – Part V

Part V: Requirements 4. Malware protection, and 5. Patch management

Malware protection software is a necessary cyber security requirement. We all have knowledge of malware threats in one form or another and experience teaches us to be wary of certain links and email attachments.

Cyber Essentials starts with the assumption that computers connected to the internet are vulnerable to attack from malware and therefore malware protection is seen as a key feature of basic cyber hygiene requirements.

4. Malware protection

Objectives: Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.

Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform unauthorised functions on one or more computers.

Computers are often vulnerable to malicious software, particularly those that are exposed to the internet (e.g. desktop PCs, laptops and mobile devices, where available). When available, dedicated software is required that will monitor for, detect and disable malware.

Computers can be infected with malware through various means often involving a user who opens an affected email, browses a compromised website or opens an unknown file on a removable storage media.

Basic technical cyber protection for malware

The organisation should implement robust malware protection on exposed computers.


1. Malware protection software should be installed on all computers that are connected to or capable of connecting to the internet.

2. Malware protection software (including program code and malware signature files) should be kept up-to-date (e.g. at least daily), either by configuring it to update automatically or through the use of centrally managed deployment.

3. Malware protection software should be configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when being accessed (via a web browser).

4. Malware protection software should be configured to perform regular scans of all files (e.g. daily).

5. Malware protection software should prevent connections to malicious websites on the internet (e.g. by using website blacklisting).

The scope of malware protection in this document covers desktop PCs, laptops and servers that have access to or are accessible from the internet. Other computers used in the organisation, while out of scope, are likely to need protection against malware, as will some forms of tablets and smartphones.

Website blacklisting is a technique used to help prevent web browsers connecting to unauthorised websites. The blacklist effectively contains a list of malicious or suspicious websites that is checked each time the web browser attempts a connection.
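As an added illustration of the blacklisting mechanism just described (this is example code, not part of the original post or of the Cyber Essentials scheme), the following Python checks each requested URL against a small constructed blocklist before a connection is allowed. The blocklist entries, the sample URLs and the function names are assumptions made for the example. What it shows beyond the text is that a listed domain has to cover its subdomains too, and that hostnames need normalising (case, port, trailing dot) before the lookup, otherwise trivial variations of a listed name slip past the list.

```python
"""Website blocklist check, illustrating Cyber Essentials control 4, item 5.

Added example: the blocklist, the URLs and the helper names are assumptions
made for this illustration, not part of the original post.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample blocklist of bare hostnames, all lower-case, no ports.
# A listed domain is treated as covering its subdomains as well.
BLOCKLIST = {
    "malicious.example",
    "phish.example.net",
}


def normalise_host(url: str) -> Optional[str]:
    """Return the lower-case hostname of a URL with port and trailing dot
    removed, or None if no usable host can be found."""
    # urlsplit only recognises a netloc when a scheme is present, so default to http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # already lower-cased and stripped of the port
    if not host:
        return None
    return host.rstrip(".")


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the URL's host, or any parent domain of it, is on the blocklist.

    Matching is done on whole labels, so 'notmalicious.example' does not
    match the entry 'malicious.example'.
    """
    host = normalise_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Walk up the hierarchy: a.b.malicious.example, b.malicious.example, ...
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def filter_requests(urls, blocklist=BLOCKLIST):
    """Split a batch of requested URLs into (allowed, blocked) lists,
    preserving request order."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_blocked(url, blocklist) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample of browser requests.
    sample = [
        "https://intranet.example.org/",
        "https://MALICIOUS.EXAMPLE:8443/login",
        "http://cdn.phish.example.net/a.js",
        "https://notmalicious.example/",
    ]
    ok, dropped = filter_requests(sample)
    print("allowed:", ok)
    print("blocked:", dropped)
```

A real product would refresh the list at least daily (item 2 above applies to it as much as to signature files) and would log each blocked attempt, since a burst of blocked connections from one workstation is itself a useful detection signal.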

Commentary

Cyber Essentials assumes that ‘robust malware protection’ will help to protect your system. That protection comes from ‘malware protection software’ (the Objectives section avoids the outdated term ‘antivirus’).

The aim, of course, is to protect against human nature and the inevitable introduction of commonly found types of malicious software to a system. There’s no mention here of highly sophisticated, targeted, zero-day and persistent advanced malware threats that


computer. While the email may appear to come from someone you know, it really came from a compromised computer.

Relying purely on your malware protection software is not a good idea. You should take steps to raise staff awareness of the external threats, and what steps they can take as individuals to avoid malware infection.

Personally, I would like to have seen a reference to training employees in cyber security awareness and incident reporting rather than total reliance on software tools; both are important in reducing the risk of data breach.

Likewise, there should be a ‘health warning’ about advanced persistent threats to dispel the notion that Cyber Essentials controls are effective against 100% of the malware attacks perpetrated by determined hackers.

However, what Control 4 attempts to do is probably a realistic goal for ‘essential security’ given the limited aims of Cyber Essentials certification.


software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available.

2. Updates to software (including operating system software and firmware) running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 30 days of release or automatically when they become available from vendors).

3. Out-of-date software (i.e. software that is no longer supported) should be removed from computer and network devices that are connected to or capable of connecting to the internet.

4.
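To show what checking requirements 2 and 3 against an asset inventory looks like in practice, here is an added example in Python (not from the original post or the Cyber Essentials scheme). The inventory, host names, version strings and dates are constructed sample data, and the function and field names are assumptions; the 30-day window is the figure from item 2 above. Devices that are not connected to the internet are skipped because the requirement scopes them out, unsupported software is flagged for removal whatever its version, and a newer release only counts as overdue once it has been available for longer than the window.

```python
"""Patch-management audit illustrating Cyber Essentials control 5, items 2 and 3.

Added example: the inventory, hosts, versions and dates are constructed sample
data; the 30-day window is the figure quoted in item 2 above.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

UPDATE_WINDOW_DAYS = 30  # item 2: updates installed within 30 days of release


@dataclass
class Package:
    host: str
    name: str
    installed_version: str
    latest_version: str
    latest_released: Optional[date]  # None when nothing newer has been released
    supported: bool                  # False once the vendor has ended support
    internet_connected: bool         # in scope: connected or capable of connecting


Finding = Tuple[str, str, str]  # (host, package, description)


def audit(inventory: List[Package], today: date) -> List[Finding]:
    """Return one finding per package that breaches the control as of `today`."""
    findings: List[Finding] = []
    for p in inventory:
        if not p.internet_connected:
            continue  # out of scope for this control
        if not p.supported:
            # item 3: unsupported software is removed, whatever version it is
            findings.append((p.host, p.name, "unsupported software: remove"))
            continue
        if p.installed_version == p.latest_version or p.latest_released is None:
            continue  # nothing outstanding to install
        age = (today - p.latest_released).days
        if age > UPDATE_WINDOW_DAYS:
            overdue = age - UPDATE_WINDOW_DAYS
            findings.append((p.host, p.name,
                             f"update {p.latest_version} overdue by {overdue} days"))
    return findings


# Constructed sample inventory.
INVENTORY = [
    Package("ws01", "browser", "74.0", "75.0", date(2019, 6, 1), True, True),
    Package("ws01", "office-suite", "16.0", "16.1", date(2019, 7, 10), True, True),
    Package("ws02", "legacy-db", "5.0", "5.0", None, False, True),
    Package("lab-pc", "cad-tool", "1.0", "2.0", date(2019, 1, 1), True, False),
    Package("ws03", "os", "10.5", "10.5", None, True, True),
]


def run_sample(today_iso: str) -> List[Finding]:
    """Audit the constructed inventory as of an ISO date string (YYYY-MM-DD)."""
    return audit(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, name, why in run_sample("2019-07-24"):
        print(f"{host}: {name}: {why}")
```

On the sample data the browser on ws01 is 53 days behind its latest release and so is reported 23 days past the window, the office suite update is only 14 days old and passes, and the unsupported database on ws02 is flagged for removal; the lab PC is ignored because it is not internet-connected. Tightening the window is a one-line change if an organisation adopts the shorter limit for security patches that the commentary below mentions.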

Commentary

Reasonable steps in a sensible approach. I particularly like the reference to removal of out-of-date software. If you don’t need it, get rid of it – fast! There’s no point in leaving redundant, unpatched application software on a system to help the hacker in their job. De-cluttering improves security.

Defining time limits for applying software updates – i.e. within 30 days of release or automatically when they become available from the vendor – and, for security patches, 14 days or automatically, for software running on computers or network devices, is, I think, a useful security benchmark.

Less helpfully, there are no specific remarks about patching and updating firewalls, IDS and NIDS (Network Intrusion Detection Systems), which often get a low priority in relation to applying OS patches but are in constant need of attention and monitoring. The alternatives to doing this yourself or building a dedicated in-house team are (a) outsourcing to a systems security or networking company experienced at dealing with installations and on-going configurations of devices on a daily basis; or (b) using cloud services from public cloud providers like Google Inc. and


How does Cyber Essentials deal with cloud service provision?