Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11271 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Policy documents
The reason I ask is because our Board has to endorse all policies and for just ISMS, these are becoming quite heavy. As you can imagine, yearly endorsements of all policies within the company is a tremendous job anyway. Any advice would be helpful & appreciated.
Answers:
You can consider these particular documents as policies per se, I mean, they are only documents with rules which need to be followed by employees involved in the scope of the ISMS. But additionally you can add guidelines, as a best practice, indicating specifically with detailed information how to implement security controls related. For example, in the Policy on the use of cryptographic controls, you can include information about the system to be ciphered, the cryptographic tool to be used, etc. But additionally you c an have a guideline to know specifically how to use the cryptographic tool. You can see an example of policy with our template “Policy on the Use of Cryptographic Controls” : https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
So, from my point of view, generally the policy has general principles, and the guideline has detailed information about how to comply with anything.
Anyway, remember that there is a list of mandatory documents, which you can find here “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
By the way, do you know our online course? We give information about the documents that you need for the implementation of the ISO 27001:2013 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Scope of the external auditor
Should we allow him to get in to our PC’s and see how the controls are implemented and how my staffs are working? I am asking this because if I allow that then it will be a breach of the confidentiality agreement with my client. How to deal with this if such a situation arise?
Answer:
It starts and ends with the review of the implementation of ISO 27001, I mean, the auditor needs to review the compliance with the standard, and for this he will search evidences of compliance (for this, it can be necessary to see how your staff is working), but this does not mean that you need to show confidential information. For example, if you have defined a clear desk and clear screen policy, the auditor will search PCs with an open session, or passwords written in paper, etc.
Generally, the auditor does not need to see confidential information (only needs to review how it is protected), but if he requests you this information, you ca n justify that the information cannot be seen by external people (if it happens, the auditor can include in his report this situation).
This article about the brain of an ISO auditor can be useful for you “Infographic: The brain of an ISO auditor – What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
And our online course about the internal audit can be also interesting for you, because we give information about the internal audit process “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/ -
ISO 27001:2015?
Answer:
I am sorry but the last version of ISO 27001 is from 2013, not from 2015. Maybe your country has translated ISO 27001:2013 to your local language, and has published the standard with the local language, adding to the “name” of the standard the year when it has been translated. For example, in Spain the version translated of ISO 27001:2013 is UNE ISO/IEC 27001:2014 (but this is ISO 27001:2013 translated to Spanish, and was translated in 2014).
Yes, our ISO 27001 courses are still relevant. You need knowledge about ISO 27001 to implement it, and to learn from a course is the right way. Our online ISO 27001 Foundations course is very interesting because gives you information about all key points of ISO 27001, so it can be your perfect solution. Please click this link to read more about “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ a nd you can also check our “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/ -
ISMS and CMMI
Answer:
Yes, you can merge CMMI into an ISMS, because CMMI can help you to evaluate the maturity level of your organization’s processes, which is fundamental for planning the implementation, establishment, ongoing operation, and improvement of the information security. But it is not mandatory (there is no requirement to merge ISMS and CMMI), but it can be a best practice, and you can develop a manual for both.
This article can give you information about the key points on how to start “Achieving continual improvement through the use of maturity models” : https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/
Finally, for more information about the information security, the ISMS and the ISO 27001 , our online course can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Some questions about information security and virtualized environments
There are many institutions/universities that have implemented successfully ISO 27001 with our templates, we have clients from all the world and from all sectors (including education). Keep in mind that ISO 27001 is developed for any type of business. So maybe can be interesting for you to try our toolkit, and remember that if you buy it, you will also have our support, so click here on “DOWNLOAD FREE TOOLKIT DEMO” and try it! “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/ -
Is the author name mandatory on the first page of the document
I can understand it have to be identified with document number, revision and latest issue date but not with my name!!! But tell me please where in the standard it is written?!Which clause? Clause 7.5.2 says title, date, author or reference number
Answer:
You are right, there is no explicit requirements to write author name anywhere in the document, not only on the first page. The first page of our documents do require name of the author but if you don't want this, you can delete that row from the table. The reason why we included it in the document is because it is very common to have such information in the procedure but, again, it is not a requirement of the standard thus can be deleted. -
Interested parities and conformance evaluation
1. I think that having all the information in the appendix 1 “List of interested party” is enough to comply during the first audit about the identification of needs and expectations of interested party, is ok?
2. The appendix 2 “Conformance evaluation record” will be attached to the procedure and it will be useful until the company conduct a conformity evaluation with legal and other requirements. Your procedure recommend at least twice a year. I think this appendix will be a record maybe until the second audit to the QMS, is ok?
Answer:
1. Yes, once you identify interested parties and their needs and expectation, you are compliant with that requirement of the standard.
2. You need to run full cycle of the QMS in order to be ready for certification audit, but of course this depend mostly on the certification body. They might let you without conducting compliance evaluation but it is more usual that you need to perform all the activities of the QMS in order to be ready for the certification, this includes als o internal audit and management review. For more information, see: ISO 9001 Certification https://advisera.com/9001academy/iso-9001-certification/ -
Purchasing process in branch office
Thank you so much for the clarification, that helps. Yes, the branch office actually has its own QMS so we will just define its own internal purchasing process but only for their office supplies because all the products they sell are coming from head office. -
ISO 14001 vs ISO 9001 challenges in the transition
•Documenting the QMS (what is new about this?)
•Auditing according to the new version (what are main points to include?)
Answer:
If we compare transition processes for ISO 9001 and ISO 14001 there is no much difference between them. The key changes are pretty much the same. The requirements for documents and records are now changed into requirements for documented information and in that sense the ISO 9001 suffered more changes because there are no longer mandatory procedures and quality manual, so in that sense the ISO 9001 will suffer more changes than ISO 14001 management system. For more information, see:
- New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- List of mandatory documents required by ISO 140 01:2015 https://advisera.com/14001academy/blog/2015/10/12/list-of-mandatory-documents-required-by-iso-140012015/ -
THIN CLIENTS VS. DESKTOPS
From the point of view of security, an environment with thin-clients can be equal to an environment with desktops, because basically, both are composed by devices that you use to access to information (locally o remotely), and the key is : how to protect the information and how to access to the information?
With thin-clients you can access to the information remotely, so in this case, it will be important to protect the channel of communication. With desktops, if you access to information remotely, it is also important to protect the channel of communication in the same way.
So, from my point of view the most important thing should be how to protect and how to access the information, independently of the devices or the environment. Keep also in mind that for the protection of the information – in accordance with ISO 27001- you need to perform a risk assessment & treatment, so maybe this article can be interesting for you - “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ c-steps/
And our online course can be also interesting for you, because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/