Having a documented company profile is not a requirement of the standard. However, it is very common to have a short description of the company and its business in the Quality Manual.
Including employees in the inventory of assets
Answer:
In its control A.8.1.1, ISO 27001 requires you to develop an inventory of assets covering all assets. Since your employees are an asset, you should list them in the inventory. However, the standard doesn't say you need to have only one inventory, so if you have already listed your employees in some human resources database, then you can simply refer to that database as the list of your employees.
I have completed 9 templates and am working on Customer Delivery (we do not do Product delivery).
I have a few questions:
1. How much do you charge to review our templates and provide feedback?
2. Do you do audits? If not, can you recommend someone in Denver or Colorado Springs, CO, or Los Angeles, CA?
3. Are the audits really expensive and rigorous?
Answer:
1. The price of our toolkit includes a review of three of your documents, of your choice. So you can send me the documents and I will give you feedback within 48 hours.
2. Unfortunately we do not provide audit services, but if you think about the internal audit, it is best to do it by yourself. We offer free online training for internal auditors, you can find the course on this link:
- ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/ . If you are asking about certification bodies, I can't really recommend anybody because I don't have experience with certification bodies in your region.
3. I assume that you mean the certification audit. Certification audits are not so rigorous; certification bodies have a positive approach when conducting the audit, meaning that they are looking to find conformity to the standard and not nonconformity. But it doesn't mean that they will issue you a certificate if you are not compliant with the standard.
The price of the certification audit varies depending on the number of employees and locations your organization has, so it is best to collect at least several offers from certification bodies. An important thing is to make sure that they are accredited for issuing the certificate for your industry. For more information, see: How should you pick an ISO 9001 certification body? https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Security controls for E-Commerce?
2. What is the basic difference between threat and risk?
Answers:
1.- I am sorry, but in the Annex A of ISO 27001:2013 there is no specific control related to security protocols in e-commerce, although you can use the controls “A.14.1.2 Securing application services on public networks” and “A.14.1.3 Protecting application services transactions”, which are related to the protection of application services and application service transactions, and which you can use for e-commerce.
2.- The basic difference is that a threat can harm a system or your organization, while the risk gives you information about which parts of your organization need to be protected by implementing security controls, reducing the probability that a threat materializes. About the threats, you can see here a list of the most common ones, “Catalog of threats & vulnerabilities”: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
How can I make my staff aware of the policies to obey without using many resources, because we have over 1000 staff?
Answer:
Regarding your first question, the best way is through the top management. I mean, the top management shall ensure that the security policy is available as documented information and is communicated within the organization (and is also available to interested parties). Top management can do the communication through emails, meetings, information published on the intranet, etc.
Regarding your second question, from my point of view, in your case an internal online course can be interesting; you can use this online course for the information security awareness of your staff, and you can also use this internal course to show your staff all the policies of the system. The course can be developed and performed by the most important employees, who should also write and/or maintain the policies and procedures. This article can be interesting for you: “How to perform training & awareness for ISO 27001 and ISO 22301” https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
We have a presentation, in our free downloads section, that you can use to prepare your internal course; you can find it here: “Why ISO 27001 – Awareness presentation” https://advisera.com/27001academy/free-downloads/
Do we need to check if these back-ups are running properly Or is that something that the service provider needs to do? As per ISO27001, is it sufficient if we regularly back-up our data, and do some mock-drill once in a while, OR do we need to check every month if these back-ups are ok?
Answer:
Yes, you need to check if your backups are running properly; it is one of the points that you need to consider when designing a backup plan (this is the common document that most companies use to define when and how to perform the backups and tests). Tests can help you to avoid backups with errors, which means you can avoid losing information. And if the backup is performed by a service provider, you can request records that show you that the backup was performed correctly.
By the way, the backup policy is not a mandatory document, but it can be a best practice for your company, so maybe our template can help you (you can see a free version by clicking on the “Free demo” tab): “Backup policy” https://advisera.com/27001academy/documentation/backup-policy/
Regarding your second question, in the Annex A of ISO 27001 you have the control A.12.3.1, which establishes in a clear way that backups should be taken and tested regularly in accordance with an agreed backup policy, so you can establish the frequency that you want for the backups (and tests). Checking your backups every month can be fine; anyway, this article can help you to determine the frequency: “Backup policy – How to determine backup frequency” https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Finally, our online course can also be interesting for you, because we give interesting information about the security controls of the Annex A of ISO 27001: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
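One way to make the "check that your backups are running properly" part of the answer above concrete, as an added example (this is not Advisera's code or one of their templates): a small Python check that reads the backup job's manifest, verifies that each archive exists and still matches the checksum recorded when it was produced, and flags the set as non-compliant when the newest backup is older than the policy frequency or when no successful restore test falls within the allowed window. The manifest layout, the archive names, the placeholder archive contents and the seven-day/thirty-day thresholds are all constructed for the example; they are assumptions, not values from the page.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Checksum used to confirm an archive is byte-for-byte what the backup job recorded."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest, in the form an assumed backup job might write after each run:
# archive name, checksum at creation time, completion time, and whether a test restore
# from that archive succeeded.
MANIFEST = [
    {"name": "db-2024-05-01.tar.gz", "sha256": sha256_hex(b"week-18-archive"),
     "completed_at": "2024-05-01T02:10:00+00:00", "restore_tested": True},
    {"name": "db-2024-05-08.tar.gz", "sha256": sha256_hex(b"week-19-archive"),
     "completed_at": "2024-05-08T02:12:00+00:00", "restore_tested": False},
    {"name": "db-2024-05-15.tar.gz", "sha256": sha256_hex(b"week-20-archive"),
     "completed_at": "2024-05-15T02:09:00+00:00", "restore_tested": False},
]

# Constructed view of what is actually on the backup share. Two common failure modes
# are planted: one archive was truncated after the job hashed it, one never arrived.
STORED_FILES = {
    "db-2024-05-01.tar.gz": b"week-18-archive",
    "db-2024-05-08.tar.gz": b"week-19-arch",
}

# Policy thresholds (assumed values): a backup every 7 days, a restore test every 30 days.
MAX_BACKUP_AGE = timedelta(days=7)
MAX_RESTORE_TEST_AGE = timedelta(days=30)


def verify_backups(manifest, stored_files, now, max_backup_age=MAX_BACKUP_AGE,
                   max_restore_test_age=MAX_RESTORE_TEST_AGE):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if not manifest:
        return ["no backups recorded in manifest"]

    # Check 1: integrity. "The job reported success" is not evidence on its own; the
    # archive must be present and must hash to the value recorded when it was produced.
    for entry in manifest:
        data = stored_files.get(entry["name"])
        if data is None:
            findings.append(f"{entry['name']}: listed in manifest but missing from storage")
        elif sha256_hex(data) != entry["sha256"]:
            findings.append(f"{entry['name']}: checksum mismatch (corrupted or altered copy)")

    # Check 2: freshness against the backup frequency defined in the policy.
    newest = max(datetime.fromisoformat(e["completed_at"]) for e in manifest)
    if now - newest > max_backup_age:
        findings.append(f"newest backup is {(now - newest).days} days old; "
                        f"policy allows {max_backup_age.days}")

    # Check 3: a backup that has never been restored is untested. Use the most recent
    # archive that has a recorded successful restore.
    tested = [datetime.fromisoformat(e["completed_at"]) for e in manifest if e["restore_tested"]]
    if not tested:
        findings.append("no successful restore test recorded for any backup")
    elif now - max(tested) > max_restore_test_age:
        findings.append(f"last restore test was {(now - max(tested)).days} days ago; "
                        f"policy allows {max_restore_test_age.days}")
    return findings


def check_at(now_iso: str, stored_files=STORED_FILES, manifest=MANIFEST):
    """Convenience wrapper: run the verification as of a given ISO-8601 timestamp."""
    return verify_backups(manifest, stored_files, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    report_time = datetime(2024, 5, 20, tzinfo=timezone.utc).isoformat()
    for line in check_at(report_time) or ["all backup checks passed"]:
        print(line)
```

Run as a scheduled job, the output of such a check (or the equivalent report from a service provider) is exactly the kind of record the answer says you can ask for: it shows not only that a backup ran, but that the copy is intact and that restores have been exercised within the period your policy sets.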
Knowledgebase in ISO 20000
Answer:
ISO 20000 does not set direct requirements for knowledge management (i.e., a knowledge base) the way ITIL does, for example. Since you will have a lot of inputs for your knowledge base, it's recommended to preserve it. If you use a tool to support your ISO 20000 implementation, much of your data/information will be saved inside the tool.
This article can help you: "ITIL – Implementing Knowledge Management" https://advisera.com/20000academy/blog/2014/12/09/itil-implementing-knowledge-management/
Implementing ISO 9001
Answer:
There are several options for the implementation of ISO 9001: you can do it by yourself, you can hire a consultant, or you can use a documentation toolkit or some other tool that can assist you with the implementation. Here you can find the comparison matrices for these options: https://advisera.com/9001academy/comparison/
The steps in the implementation of ISO 9001 are not so different regardless of the option you have chosen. First you need to get top management buy-in for the implementation, then perform a gap analysis to determine to what extent your company is already compliant with the standard and what needs to be done to achieve full compliance. Here you can find a free ISO 9001 Gap Analysis Tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
For the next step, it is highly advisable to establish the implementation as a project. In this way you can share responsibilities for the implementation with other employees of your company and achieve higher involvement of your employees in the further maintenance of the standard; it will also help you avoid missing anything out. Here you can download a free ISO 9001 Implementation Project Plan: https://advisera.com/9001academy/free-downloads/
The first important thing to remember is that you don't have to document the entire context of the organization, simply because it would be a very long document and there would always be a question of whether it is complete.
You need to determine the external and internal issues regarding your company and how they affect your company's ability to achieve its objectives.
Internal issues, or internal context, may include organizational structure, organizational culture, the communication process in the company, the sequences and interactions between the processes, the competence of your employees, the condition of the equipment, etc.
External issues, or external context, include the environment in which your company operates; this usually includes the political situation, the economic situation, relevant legislation, the culture of the market where you place your products or services, etc.
Are confidentiality level and change history mandatory in all documents?
Answer:
The answer for those 2 elements is different:
1) If you have published a Classification policy, then you have to comply with your own policy: if in that policy you have defined that the confidentiality level needs to be written in all of your documents, then you have to do so. If you didn't develop such a policy, then there is no requirement in the standard to write the confidentiality level in all documents.
2) Regarding change history, ISO 27001 requires you to have this (or something similar) in your ISMS documentation. However, if you find this useful, then you can apply it to all the other documents as well.