Search results

  • Scope of the external auditor


    Should we allow him to get into our PCs and see how the controls are implemented and how my staff are working? I am asking this because if I allow that then it will be a breach of the confidentiality agreement with my client. How to deal with this if such a situation arises?

    Answer:
    It starts and ends with the review of the implementation of ISO 27001, I mean, the auditor needs to review the compliance with the standard, and for this he will search for evidence of compliance (for this, it can be necessary to see how your staff is working), but this does not mean that you need to show confidential information. For example, if you have defined a clear desk and clear screen policy, the auditor will look for PCs with an open session, or passwords written on paper, etc.

    Generally, the auditor does not need to see confidential information (he only needs to review how it is protected), but if he requests this information from you, you can justify that the information cannot be seen by external people (if it happens, the auditor can include this situation in his report).

    This article about the brain of an ISO auditor can be useful for you “Infographic: The brain of an ISO auditor – What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    And our online course about the internal audit can also be interesting for you, because we give information about the internal audit process “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001:2015?


    Answer:
    I am sorry but the latest version of ISO 27001 is from 2013, not from 2015. Maybe your country has translated ISO 27001:2013 into your local language, and has published the standard in the local language, adding to the “name” of the standard the year when it was translated. For example, in Spain the translated version of ISO 27001:2013 is UNE ISO/IEC 27001:2014 (but this is ISO 27001:2013 translated into Spanish, and it was translated in 2014).

    Yes, our ISO 27001 courses are still relevant. You need knowledge about ISO 27001 to implement it, and learning from a course is the right way. Our online ISO 27001 Foundations course is very interesting because it gives you information about all key points of ISO 27001, so it can be your perfect solution. Please click this link to read more about “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ and you can also check our “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISMS and CMMI


    Answer:
    Yes, you can merge CMMI into an ISMS, because CMMI can help you to evaluate the maturity level of your organization’s processes, which is fundamental for planning the implementation, establishment, ongoing operation, and improvement of the information security. It is not mandatory (there is no requirement to merge ISMS and CMMI), but it can be a best practice, and you can develop a manual for both.

    This article can give you information about the key points on how to start “Achieving continual improvement through the use of maturity models” : https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

    Finally, for more information about information security, the ISMS and ISO 27001, our online course can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Some questions about information security and virtualized environments

    There are many institutions/universities that have successfully implemented ISO 27001 with our templates; we have clients from all over the world and from all sectors (including education). Keep in mind that ISO 27001 is developed for any type of business. So maybe it can be interesting for you to try our toolkit, and remember that if you buy it, you will also have our support, so click here on “DOWNLOAD FREE TOOLKIT DEMO” and try it! “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Is the author name mandatory on the first page of the document

    I can understand it has to be identified with document number, revision and latest issue date but not with my name!!! But please tell me where in the standard it is written?! Which clause? Clause 7.5.2 says title, date, author or reference number

    Answer:

    You are right, there is no explicit requirement to write the author name anywhere in the document, not only on the first page. The first page of our documents does require the name of the author, but if you don't want this, you can delete that row from the table. The reason why we included it in the document is that it is very common to have such information in the procedure but, again, it is not a requirement of the standard and thus can be deleted.
  • Interested parties and conformance evaluation


    1. I think that having all the information in the appendix 1 “List of interested parties” is enough to comply during the first audit about the identification of needs and expectations of interested parties, is it ok?

    2. The appendix 2 “Conformance evaluation record” will be attached to the procedure and it will be useful until the company conducts a conformity evaluation with legal and other requirements. Your procedure recommends at least twice a year. I think this appendix will be a record maybe until the second audit of the QMS, is it ok?

    Answer:

    1. Yes, once you identify interested parties and their needs and expectations, you are compliant with that requirement of the standard.

    2. You need to run a full cycle of the QMS in order to be ready for the certification audit, but of course this depends mostly on the certification body. They might let you proceed without conducting a compliance evaluation, but it is more usual that you need to perform all the activities of the QMS in order to be ready for the certification; this also includes the internal audit and management review. For more information, see: ISO 9001 Certification https://advisera.com/9001academy/iso-9001-certification/
  • Purchasing process in branch office

    Thank you so much for the clarification, that helps. Yes, the branch office actually has its own QMS so we will just define its own internal purchasing process but only for their office supplies because all the products they sell are coming from head office.
  • ISO 14001 vs ISO 9001 challenges in the transition


    • Documenting the QMS (what is new about this?)
    • Auditing according to the new version (what are the main points to include?)

    Answer:

    If we compare the transition processes for ISO 9001 and ISO 14001, there is not much difference between them. The key changes are pretty much the same. The requirements for documents and records are now changed into requirements for documented information, and in that sense ISO 9001 suffered more changes because there are no longer mandatory procedures and a quality manual, so in that sense the ISO 9001 management system will suffer more changes than the ISO 14001 management system. For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - List of mandatory documents required by ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/12/list-of-mandatory-documents-required-by-iso-140012015/
  • THIN CLIENTS VS. DESKTOPS

    From the point of view of security, an environment with thin clients can be equal to an environment with desktops, because basically both are composed of devices that you use to access information (locally or remotely), and the key is: how to protect the information and how to access the information?

    With thin clients you access the information remotely, so in this case it will be important to protect the communication channel. With desktops, if you access information remotely, it is also important to protect the communication channel in the same way.

    So, from my point of view the most important thing should be how to protect and how to access the information, independently of the devices or the environment. Also keep in mind that for the protection of the information – in accordance with ISO 27001 – you need to perform a risk assessment & treatment, so maybe this article can be interesting for you - “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And our online course can also be interesting for you, because we give more information about the risk assessment & treatment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Replication of site A


    Our goal is to get ISO 27001 certification for Site A including the core systems and the supporting IT infrastructure (the AD domain controllers and e-mail servers, network devices). Could you please tell me how to deal with the replication servers of the core system, AD domain controllers and backup server for e-mail services in Sites B and C?

    Answer:
    I am not sure if I have understood your question, but you can implement and certify ISO 27001 in your Site A without problems, where the core systems are. Regarding the backup systems, you can use them for the Disaster Recovery Plan, I mean, if the core systems of Site A fail, the systems of Site B and/or C can continue providing all services related to the domain controller and e-mail.

    So, for this scenario you can use the security controls of A.17 Information security aspects of business continuity management, of Annex A of ISO 27001:2013, and for this our template can be useful for you “Disaster Recovery Plan” (you can see a free version by clicking on the “Free Demo” tab) : https://advisera.com/27001academy/documentation/disaster-recovery-plan/

    By the way, this article about the distance between sites can also be interesting for you “Disaster Recovery site – What is the ideal distance from primary site?” : https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    Finally, our free online course can also be interesting for you, because we talk in more detail about business continuity “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/