2. What is the basic difference between threat and risk?
Answers:
1.- I am sorry, but in the Annex A of ISO 27001:2013 there is no specific control related to security protocols in e-commerce, although you can use the controls “A.14.1.2 Securing application services on public networks” and “A.14.1.3 Protecting application services transactions”, which are related to the protection of application services and application services transactions and which you can use for e-commerce.
2.- The basic difference is that the threat can harm a system or your organization, and the risk can give you information about which parts of your organization need to be protected by implementing security controls, reducing the probability that a threat is materialized. About the threats, you can see here a list of the most common ones, “Catalog of threats & vulnerabilities”: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
How can I make my staff aware of the policies to obey without using many resources, because we have over 1000 staff?
Answer:
Regarding your first question, the best way is through the top management; I mean, the top management shall ensure that the security policy is available as documented information and that it is communicated within the organization (and also available to interested parties). Top management can do the communication through emails, meetings, information published on the intranet, etc.
Regarding your second question, from my point of view, in your case an internal online course can be interesting; you can use this online course for the information security awareness of your staff, and you can also use this internal course to show your staff all policies of the system. The course can be developed and performed by the most important employees, who also should write and/or maintain the policies and procedures. This article can be interesting for you, “How to perform training & awareness for ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
We have a presentation, in our free downloads section, that you can use to prepare your internal course; you can find it here, “Why ISO 27001 – Awareness presentation”: https://advisera.com/27001academy/free-downloads/
Do we need to check if these back-ups are running properly, or is that something that the service provider needs to do? As per ISO 27001, is it sufficient if we regularly back up our data and do some mock drill once in a while, or do we need to check every month if these back-ups are ok?
Answer:
Yes, you need to check if your backups are running properly; it is one of the points that you need to consider when designing a backup plan (this is the common document that most companies use basically to define when and how to perform the backups and tests). Tests can help you to avoid backups with errors, which means you can avoid losing information. And if the backup is performed by a service provider, you can request records that show you that the backup was performed correctly.
By the way, the backup policy is not a mandatory document, but it can be a best practice for your company, so maybe our template can help you (you can see a free version by clicking on the “Free demo” tab), “Backup policy”: https://advisera.com/27001academy/documentation/backup-policy/
Regarding your second question, in the Annex A of ISO 27001 you have the control A.12.3.1, which establishes in a clear way that the backup should be taken and tested regularly in accordance with an agreed backup policy, so you can establish the frequency that you want for the backups (and tests); every month can be good to check your backups. Anyway, this article can help you to determine the frequency, “Backup policy – How to determine backup frequency”: https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Finally, our online course can also be interesting for you, because we give interesting information about the security controls of the Annex A of ISO 27001, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
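The check the answer above describes (a recent successful backup, a recent restore test, and failures made visible, all measured against the frequency in an agreed backup policy) can be automated over the records a backup tool or service provider hands you. The following is an added example, not part of the original answer or any Advisera material; the policy values, record format and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed backup policy: the "agreed backup policy" the control refers to.
POLICY = {
    "backup_interval": timedelta(days=1),   # a backup must succeed at least daily
    "test_interval": timedelta(days=30),    # a restore test must be recorded monthly
}

# Constructed records, as they might be exported by a backup tool or supplied
# by a service provider as evidence that backups ran and were tested.
RECORDS = [
    {"type": "backup", "when": "2024-03-01T02:00", "status": "ok"},
    {"type": "backup", "when": "2024-03-02T02:00", "status": "failed"},
    {"type": "backup", "when": "2024-03-03T02:00", "status": "ok"},
    {"type": "restore_test", "when": "2024-02-10T10:00", "status": "ok"},
]


def check_backup_compliance(records, policy, now):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    ok_backups = [r for r in records if r["type"] == "backup" and r["status"] == "ok"]
    if not ok_backups:
        findings.append("no successful backup on record")
    else:
        latest = max(datetime.fromisoformat(r["when"]) for r in ok_backups)
        age = now - latest
        if age > policy["backup_interval"]:
            findings.append(f"latest successful backup is {age.days} days old")
    # Every failed run is a finding on its own: a failure hidden between two
    # successes still means a recovery point is missing.
    for r in records:
        if r["type"] == "backup" and r["status"] != "ok":
            findings.append(f"backup failed at {r['when']}")
    tests = [r for r in records if r["type"] == "restore_test" and r["status"] == "ok"]
    if not tests:
        findings.append("no successful restore test on record")
    else:
        last_test = max(datetime.fromisoformat(r["when"]) for r in tests)
        gap = now - last_test
        if gap > policy["test_interval"]:
            findings.append(f"last restore test was {gap.days} days ago")
    return findings


def run_check(now_iso):
    """Evaluate the constructed records at a given point in time."""
    return check_backup_compliance(RECORDS, POLICY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for finding in run_check("2024-03-15T00:00"):
        print("FINDING:", finding)
```

Checked the day after the last successful backup, only the failed run is reported; checked two weeks later, the stale backup and the overdue restore test show up as well.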
Knowledgebase in ISO 20000
Answer:
ISO 20000 does not set direct requirements towards Knowledge Management, i.e. a knowledgebase, like e.g. ITIL does. Since you will have a lot of inputs for your knowledgebase, it's recommended to preserve it. If you use a tool to support your ISO 20000 implementation, much of your data/information will be saved inside the tool.
This article can help you: "ITIL – Implementing Knowledge Management": https://advisera.com/20000academy/blog/2014/12/09/itil-implementing-knowledge-management/
Implementing ISO 9001
Answer:
There are several options for the implementation of ISO 9001: you can do it by yourself, you can hire a consultant, or you can use a documentation toolkit or some other tool that can assist you with the implementation. Here you can find the comparison matrices for these options: https://advisera.com/9001academy/comparison/
The steps in the implementation of ISO 9001 are not so different regardless of the option you have chosen. First you need to get top management buy-in for the implementation, then perform a gap analysis to determine to what extent your company is already compliant with the standard and what needs to be done to achieve full compliance. Here you can find a free ISO 9001 Gap Analysis Tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
For the next step, it is highly advisable to establish the implementation as a project; in this way you can share responsibilities for the implementation with other employees of your company and achieve higher involvement of your employees in further maintenance of the standard, and it will also help you avoid missing anything out. Here you can download a free ISO 9001 Implementation Project Plan: https://advisera.com/9001academy/free-downloads/
The first important thing to remember is that you don't have to document the entire context of the organization, simply because it would be a very long document and there would always be a question of whether it is complete.
You need to determine external and internal issues regarding your company and how they affect your company ability to achieve its objectives.
Internal issues or internal context may include organizational structure, organizational culture, communication processes in the company, the sequences and interaction between the processes, competence of your employees, condition of the equipment, etc.
External issues or external context include the environment in which your company operates; this usually includes the political situation, economic situation, relevant legislation, culture of the market where you place your products or services, etc.
Are confidentiality level and change history mandatory in all documents?
Answer:
The answer for those 2 elements is different:
1) If you have published the Classification policy, then you have to comply with your own policy: if in that policy you have defined that the confidentiality level needs to be written in all of your documents, then you have to do so. If you didn't develop such a policy, then there is no requirement in the standard to write the confidentiality level in all documents.
2) Regarding change history, ISO 27001 requires you to have this (or something similar) in your ISMS documentation. However, if you find this useful, then you can apply it to all the other documents as well.
Quality Objectives
In the column "Process" you need to enter the processes that are related to the achievement of the objective; for example, if the objective is to increase sales, this can be related to the sales and marketing process.
Risk assessment in ISO 9001:2015
Answer:
First, it is important to mention that ISO 9001:2015 does not require a risk assessment methodology or full-scale risk management. It is simply enough to identify the risks and opportunities and plan actions to address them. However, if you decide to execute a full risk assessment, you have to be careful about which methodology to apply, because they all have pros and cons. The easiest way is to go with SWOT analysis, and FMEA is also a very popular tool for risk assessment.
There is no single answer to this question, but it is important to keep in mind the scope of the context consideration, and that is the quality management system. You need to consider all internal and external issues that may affect your QMS and your ability to achieve the objectives and increase customer satisfaction.
Internal issues or internal context include organizational structure, organizational culture, condition of your equipment, competence of employees, etc. The external issues include relevant legislation, conditions on the market, actions of your competitors, and even the culture of the market where you place your products and services.