
  • International laws on hazardous substances


    Answer:

    International laws on hazardous substances are conventions signed by countries that regulate the handling of hazardous substances; some of them are binding for all UN nations and some are binding only for the countries that signed the convention. For example, there is the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal, the Rotterdam Convention on the Prior Informed Consent Procedure for Certain Hazardous Chemicals and Pesticides in International Trade, and many more.

    If some international convention is signed by your country, it is probably incorporated in your state legislation. The best way to identify them and address them is to contact your local authority and see what legislation is covering your field of industry, and that is practically all you need to follow.

    For more information, see Demystification of legal requirements in ISO 14001 https://advisera.com/14001academy/blog/2014/10/01/demystification-legal-requirements-iso-14001/
  • Implementing ISMS for systems with different cyber security risks


    Answer:

    I'm not sure if I understood your question correctly, but if you are asking how to cover the cyber security risks with ISO 27001 implementation for two different systems within the company, the answer is the following: one of the first steps in ISO 27001 implementation is to perform the risk assessment. Once you know which risks you have in those two systems, then you'll choose appropriate security controls that would fit either the first or the second system, or both. You'll have to list all of those controls in the Statement of Applicability, and make sure you define which system each particular control is intended for.

    In other words, ISO 27001 does not prescribe upfront certain safeguards for certain systems; you have to find out the controls yourself through the analysis called risk assessment. You'll find more information here: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This article will also help you: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISO 27001 for a University


    Answer:
    Yes, sure, ISO 27001 is sufficient to protect the information security related to any type of business, including an Examination Cell of a University. There are more ISO standards that you can implement in your University (for example ISO 22301 for business continuity, ISO 9001 for quality management, etc.), but the best ISO standard related to information security is ISO 27001.

    If you decide to implement it, maybe our toolkit can be useful for you, because it has all the necessary documents, and furthermore you will have our support during the implementation. You can download a free demo here, “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This page can also be useful for you, “What is ISO 27001?”: https://advisera.com/27001academy/what-is-iso-27001/

    And our online course can also be interesting for you, because we give detailed information about the implementation of ISO 27001, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • ISMS scope for a cloud provider


    My question is about defining the ISMS Scope. As a service provider, how do we set the scope for the ISMS?

    Since we “hand control” of the servers to our customers and they have control over what data is uploaded and who can access it, I am struggling to see how that can be included in the scope.

    Answer:
    From my point of view, to set the scope for your ISMS, you can focus it on the information that you can manage: information about customers, financial information, information about providers, information about your employees, about your systems, etc. Maybe you have a CRM and/or an ERP, and you can also include it in your ISMS scope, because these applications have information. Keep in mind that ISO 27001 is about the protection of information.

    For more detail about the scope, please read this article, “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And our online course can also be interesting for you, because we give more information about the ISMS scope, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Mandatory documents


    Answer:

    Unlike the previous version of the standard, the new ISO 9001 does not have six mandatory procedures, and the requirements for documents are now much more liberal. The documents that will be mandatory for your company depend on the processes you have in your company and on which clauses of the standard do not apply to your business. To find out more about mandatory documents, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    If you want to learn more about which clauses of the standard may be excluded, see: What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
  • Training and awareness statements in the Information security policy

    * [job title] is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management
    * [job title] will implement information security training and awareness programs for employees

    Answer:

    The first statement defines who is responsible for approving the Training and Awareness Plan; typically this would be the CEO in smaller companies. The second statement defines who is responsible for the execution of this plan; in smaller companies this would usually be the person responsible for information security.

    By the way, the Training and Awareness Plan is also included in the ISO 27001 toolkit.

    This article might also help you: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • Alternative options for treating unacceptable risks


    Answer: Basically, when treating the risks you have these 4 options: (1) reducing the risk by applying controls, (2) accepting the risk, (3) transferring the risk to third parties, and (4) avoiding the risk.

    So you have already tried option (1), and you can also try options (3) and (4) before you accept the risk. So perhaps you can get an insurance policy for your assets or transfer the risk to your supplier? Or you can stop doing the activity altogether?

    See this article for more help: Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • Monitoring and reporting for security metric?


    Answer:
    From my point of view, monitoring for a security metric simply means that you are watching something related to the metric (devices, applications, values, etc.) with the purpose of being aware of its state, but furthermore you need to do measurement, which means that you need to assign values to something based on predefined dimensions and units. For example, if you have a security metric for the backups, you can monitor the software that performs the backups, and measure the information related to the backups (% of failed backups, % of successful backups, etc.).

    Reporting simply means that you report the results of the security metric to other parties, for example to the top management of the organization, or even to external parties.

    For more information about monitoring and measurement, please read this article, “How to perform monitoring and measurement in ISO 27001”: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    Finally, our online course can also be interesting for you, because we give more information about monitoring and measurement, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Head of Production as Management Representative


    Answer:

    There are no contradictions or collisions with the requirements if the head of production is the management representative. The standard only requires top management to assign one member of the management to be the management representative, and it doesn't give any further guidelines, so the company may choose anyone among the members of the middle management. I think it is good for it to be the head of production, because he understands the core processes and is directly in charge of the quality of products. For more information, see: Choosing the best person for the job of quality management representative https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/