  • A.16.1.7 Collection of evidence


    Answer:
    This control is related to the information that is gathered and managed to deal with information security incidents, which can be used, for example, as evidence in a forensic analysis. So, basically, you need to keep all information related to information security incidents in a secure way, taking into account: chain of custody, safety of evidence, safety of personnel, roles and responsibilities of the personnel involved, competency of personnel, etc.

    These points can be established in an incident management procedure, which is a mandatory document in the implementation of ISO 27001:2013, so our “Incident Management Procedure” template can be useful for you (you can see a free version by clicking on the “Free demo” tab): https://advisera.com/27001academy/documentation/incident-management-procedure/

    This article can help you because it has a list of mandatory documents for ISO 27001:2013, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    And this article about how to handle incidents can also be interesting for you, “How to handle incidents according to ISO 27001 A.16”: https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    Finally, our online course can also be interesting for you, because we give more information about the management of information security incidents, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Validation and verification


    Answer:

    There is no specific ISO 9001 document or requirement that says in what cases you should use validation or verification. However, the definitions of those two terms provide a guideline on what should be used and when.

    Verification is testing and measuring the product to determine whether it is compliant with product requirements.

    Validation is used when verification cannot be conducted; it is the process of providing evidence that the final product is compliant with the initial product requirements. In your case, maybe it is impossible to measure the entire surface covered with resin and verify that the resin coat has the same thickness over the entire surface, so you need to establish process controls to ensure that the resin is applied under the same conditions over the entire surface. These controls will basically represent the validation of your process.

    For more information, see:
    - ISO 9001 Design Verification vs Design Validation https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
  • OHSAS 18001 implementation and auditing

    You can find a free preview of the internal audit schedule (internal audit program, according to the standard's terminology) here: https://advisera.com/18001academy/documentation/annual-program-of-internal-audits/
  • What is GAP analysis tool?


    Answer:

    The gap analysis tool is a method to determine to what extent you are compliant with ISO 14001:2015 and what needs to be done to achieve full compliance. After performing the analysis you will be able to determine the gap between the current state of your system and the requirements of the standard, and it will give you guidelines on what needs to be done to achieve full compliance with the standard.

    Here you can find our free GAP Analysis Tool: https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
  • ISO 9001:2015 in AMO ( Aircraft Maintenance Organization)


    Answer:

    The process of achieving compliance with ISO 9001:2015 can differ depending on whether you have already implemented ISO 9001:2008 or you are starting from scratch.

    If you have already implemented the 2008 revision of the standard, then you need to determine to what extent your current QMS meets the new requirements and take actions to achieve full compliance. Here you can find our free GAP Analysis Tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    If you are implementing ISO 9001 for the first time, it is good to arrange the implementation as a project, because in this way you will avoid missing anything out. Here you can find the ISO 9001 Implementation Diagram: https://advisera.com/9001academy/free-downloads//

    Also, you can download a free preview of our ISO 9001:2015 Documentation Toolkit, which is 80% filled in and fully compliant with the standard. With the purchase of our toolkit you will be entitled to a one-hour online meeting with an expert and an unlimited number of questions via email. Here is the link to our toolkit: https://advisera.com/9001academy/iso-9001-documentation-toolkit/

    If you want to learn more about ISO 9001:2015, we provide free online courses:
    - ISO 9001:2015 Foundations online course https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - ISO 9001:2015 Internal Auditor online course https://advisera.com/training/iso-9001-internal-auditor-course/
  • ISO 9001:2015 transition regarding documents and records


    Answer:

    The new version of the standard brought changes to almost every part of ISO 9001; of course, some changes are minor and some are bigger and require more effort to achieve compliance. The change that every QMS document will have to undergo is the change in the reference clause of the standard; other changes depend on the extent to which the existing documentation is compliant with the new requirements. Here you can find the ISO 9001:2015 vs. ISO 9001:2008 matrix, https://advisera.com/9001academy/free-downloads//, which gives an overview of the differences between the previous and current version of the standard.

    My advice to you would be to perform the gap analysis first, to determine to what extent your organization is already compliant with the new requirements of the standard and what needs to be done to achieve full compliance. Once you determine what needs to be done, you can plan actions to address all these requirements. Here you can find our free GAP Analysis Tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
  • CISO role in ISO 27001 implementation, suppliers and other questions


    Answer: The CISO should not assume the role of an internal auditor, because that would be a conflict of interest according to ISO 27001 clause 9.2 e). Of course, the CISO should be part of the ISO 27001 implementation team, because this is the best way to make sure all the existing safeguards are integrated into the ISMS and that the system will be maintained after the implementation is over. See also this article: What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    Plus, where in the documentation should we specify the CISO's name?

    Answer: ISO 27001 does not require you to mention names in the documentation, and we have decided not to use names in our documentation because, when someone leaves the company, this would require too much updating. If you want to, you can specify the CISO's name in his/her employment contract.

    In some cases, the security measures will be transferred to a third party. How do we ensure third parties have committed? Should an email be enough, or should such a commitment be verified through auditing? What is the requirement/process as per the ISO standard, and what if the third party does not accept to comply with these security measures?

    Answer: You should define third-party security obligations in the agreement that you sign with them, and when these security clauses are really important, you can use audits to verify whether they are compliant. If your supplier does not want to apply the security clauses, then you should consider changing the supplier. This article will also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    In the documentation, the simple risk assessment methodology was adopted. However, could you please provide more insight into the detailed risk assessment and the acceptable level of risk/criteria for accepting risks?

    Answer: Instead of assessing the likelihood, you can assess the level of threats and vulnerabilities; instead of impact you can assess separately the impact on confidentiality, integrity and availability. So instead of assessing 2 items (impact and likelihood), you can assess 5 items. This article might also be helpful: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Policy documents


    The reason I ask is because our Board has to endorse all policies and for just ISMS, these are becoming quite heavy. As you can imagine, yearly endorsements of all policies within the company is a tremendous job anyway. Any advice would be helpful & appreciated.

    Answer:
    You can consider these particular documents as policies per se; I mean, they are only documents with rules which need to be followed by employees involved in the scope of the ISMS. But additionally you can add guidelines, as a best practice, indicating specifically and in detail how to implement the related security controls. For example, in the Policy on the Use of Cryptographic Controls, you can include information about the system to be encrypted, the cryptographic tool to be used, etc. But additionally you can have a guideline that explains specifically how to use the cryptographic tool. You can see an example of such a policy with our template “Policy on the Use of Cryptographic Controls”: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/

    So, from my point of view, generally the policy has general principles, and the guideline has detailed information about how to comply with them.

    Anyway, remember that there is a list of mandatory documents, which you can find here, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    By the way, do you know our online course? We give information about the documents that you need for the implementation of ISO 27001:2013 in the “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Scope of the external auditor


    Should we allow him to get into our PCs and see how the controls are implemented and how my staff are working? I am asking this because, if I allow that, it will be a breach of the confidentiality agreement with my client. How should we deal with this if such a situation arises?

    Answer:
    It starts and ends with the review of the implementation of ISO 27001; I mean, the auditor needs to review compliance with the standard, and for this he will look for evidence of compliance (for this, it can be necessary to see how your staff are working), but this does not mean that you need to show confidential information. For example, if you have defined a clear desk and clear screen policy, the auditor will look for PCs with an open session, passwords written on paper, etc.

    Generally, the auditor does not need to see confidential information (he only needs to review how it is protected), but if he requests this information from you, you can justify that the information cannot be seen by external people (if this happens, the auditor can note the situation in his report).

    This article about the brain of an ISO auditor can be useful for you, “Infographic: The brain of an ISO auditor – What to expect at a certification audit”: https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    And our online course about the internal audit can also be interesting for you, because we give information about the internal audit process, “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001:2015?


    Answer:
    I am sorry, but the latest version of ISO 27001 is from 2013, not from 2015. Maybe your country has translated ISO 27001:2013 into your local language and published the standard in that language, adding to the “name” of the standard the year when it was translated. For example, in Spain the translated version of ISO 27001:2013 is UNE ISO/IEC 27001:2014 (but this is ISO 27001:2013 translated into Spanish, and it was translated in 2014).

    Yes, our ISO 27001 courses are still relevant. You need knowledge about ISO 27001 to implement it, and learning from a course is the right way. Our online ISO 27001 Foundations course is very interesting because it gives you information about all the key points of ISO 27001, so it can be your perfect solution. Please click this link to read more about the “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/ and you can also check our “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/