  • Control of external documents


    Answer:

    One way to deal with this situation is to limit the recording to only those external documents related to the quality management system. The standard requires external documents to be controlled, but not necessarily recorded in a list of external documents, so you only need to add to the procedure how you handle these drawings.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • What kind of information is of external origin?

    1. What kind of information about the ISMS may we receive from outside? And to which units can this information be addressed?

    Answer: You can receive all kinds of security communications and documents from regulatory bodies and from your partners and clients. This information could be addressed to your IT department, legal department, management board, etc.

    2. We also ask you to clarify this item: "[job title] then classifies documents according to the Policy for handling classified information and determines to whom the document should be forwarded." Is it necessary to classify documents? What is the reason to classify documents if these documents will be stored by other units?

    Answer: Classification of documents is specified in control A.8.2.1 - you have to apply this control if you marked it as applicable in your Statement of Applicability, and you will mark it as applicable if there are (1) risks that would require such a control to be implemented, and/or (2) legal or contractual requirements. In most cases, when the documents are stored on the intranet, there are risks that someone unauthorized will see them - this is why classification is used; further, very often a regulatory body requires classification to be implemented.

    By the way, you can learn a lot about document control, and all other requirements of ISO 27001, through our free online ISO 27001 Foundations course - I would recommend you register: https://advisera.com/training/iso-27001-foundations-course/
  • Disaster vs. Incident


    Answer:
    The difference is that an incident is a situation that might be, or could lead to, a disruption, a loss, or an emergency or crisis, while a disaster is always a situation that implies serious damage to the organization.

    From the perspective of business continuity, the difference between an incident and a disaster is in timing - if the duration of the incident is short, then this is just an incident; if it lasts longer, then it could become a disaster.

    An example of an incident can be the interruption of communications in the organization (for example, you do not have Internet), while an example of a disaster can be an earthquake, a fire, a flood, etc.

    And an incident can result in a disaster: for example, if you detect a fire in an information system, it can be reported as an incident, but it can also result in a disaster (if the fire spreads to the whole organization).

    Regarding the information security incidents, this article can be interesting for you “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/

    And also this article “How to handle incidents according to ISO 27001 A.16” : https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    And I think this document can also help you, because it gives you examples of disruptive incident scenarios: “Examples of Disruptive Incident Scenarios” : https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/
  • Scope of the QMS

    If you fill in all the sections of the document, you will define your entire scope. Sections 3.1 to 3.6 cover different aspects of the scope, and once you complete them, you will have your scope defined. There is no expected length for the scope; in some cases it can be defined in one sentence.

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Processes and activities


    Answer:

    A process is a series of activities that deliver a desired result. The column "Activity/Action" in our Appendix 1 – Quality Objectives is for defining the action to accomplish the objective and doesn't have to be related to the activities in the process.

    For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • Performance Evaluation for ISO 9001:2015


    Answer:

    Clause 9.1.1 requires the organization to determine what needs to be monitored and measured, how and when the monitoring and measurement will be performed, and to retain records as evidence of monitoring and measuring. In simple terms, these can be the key performance indicators that you defined for your processes, and you need to have records of the monitoring and measuring of the KPIs. Here you can find a free preview of our Matrix of Key Performance Indicators: https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/

    For more information, see: How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/

    Clause 9.1.3 defines what data should be analysed and for what purpose; our toolkit contains one simple record for this purpose, and you can find the free preview of the Data Analysis Report here: https://advisera.com/9001academy/documentation/data-analysis-report-2/
  • If I do pen test, which controls from Annex A can be covered?


    Answer: Unfortunately, out of the 114 controls in Annex A, with penetration testing you would partially cover only control A.12.6.1 "Management of technical vulnerabilities." And I say partially because pen testing wouldn't be enough to cover this control completely.

    See also these articles:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
  • Implementing ISO 27001 in a SMB start up company


    Answer: Yes, it is possible for a small start-up company to implement ISO 27001 - we have quite a few such clients who have successfully done that with our toolkits. Some companies will find ISO 27001 more useful than others - each company needs to decide on its own which benefits can be achieved. This article will help you with details: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Should they take external help for this project or is it possible for them to initiate this on their own with some virtual help from outside?

    Answer: This depends on how quickly this company needs to implement ISO 27001 - if this is something urgent, then it would be better to hire a consultant; if it is not so urgent, and if there is some confidential data that should not be shared with others, then they can implement the standard using the Do-It-Yourself approach with some online tools.

    This article explains these options in detail: 3 strategies to implement any ISO standard https://advisera.com/articles/3-strategic-options-to-implement-any-iso-standard/
  • Warehousing Procedure

    In your case, there is no need for a warehousing procedure; the storage of your clients' hard files may be covered by the procedure for document and record control.

    You don't need to use every procedure and record from our toolkit, only those that are mandatory and the ones you find useful for your business.
  • ISO 31000 and ISO 27005


    Answer:
    From my point of view, no, because ISO 27005 was specially developed to provide guidelines on how to organize information security risk management, and ISO 31000 was developed to provide guidelines on how to organize global risk management, so if you have an ISMS (Information Security Management System) and you have information security risks, the best way (and the logical way) is to use ISO 27005. Anyway, remember that both standards are only codes of best practice; you cannot certify against them. For more information, please read this article “ISO 31000 and ISO 27001 – How are they related?” : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    And if you are interested in ISO 27001, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/