
  • How cloud risks are mitigated


    Cloud-16 Do you have a document available to tenants describing your Information Security Management Program (ISMP) which addresses how cloud risks are mitigated (e.g. multi-tenancy, network segregation, entitlement)?

    I can't seem to find this term in the context of 27001. Any idea what they might mean by this? This can't simply be the Information Security Policy, could it?

    Answer:
    You are right, the specific term “Information Security Management Program (ISMP)” is not used in ISO 27001 (nor in ISO 27002), and without more specific information about the context or your situation it is difficult for me to give you more information.

    Anyway, in your question I can read “how cloud risks are mitigated…”, and for the mitigation of any type of risk you need a methodology of risk management, so if you do not have this, I recommend you try our toolkit “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/

    With the methodology you can have a defined process for the management of risks, so basically you can identify risks and reduce, or mitigate, them with the implementation of security controls.

    By the way, ISO 27017 is a code of practice for information security controls based on ISO 27002 for cloud services, and ISO 27018 is also a code of practice but for the protection of personally identifiable information in public clouds, so it may be interesting for you to read both standards. These articles may also be interesting for you:

    "ISO 27001 vs. ISO 27017 - Information security controls for cloud services": https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud": https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Mandatory documents and records according to ISO 9001:2015


    Answer:

    The most common types of documents which are required in order to be compliant with the ISO 9001:2015 standard (and other ISO standards) are policies, various procedures and records.

    ISO 9001:2015 requires some mandatory documents, such as the quality policy, a document about the scope of the QMS and the quality objectives, and over 20 mandatory records.

    Some of the documents are not mandatory by the standard itself, but your organization may define them as necessary for an effective QMS (additional process procedures, work instructions and records), and they all should be implemented and maintained in order to comply with ISO 9001:2015.

    For more information about mandatory and non-mandatory documents, please see this article:
    - List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    Examples of our documents for ISO 9001:2015 can be seen at this link: https://advisera.com/9001academy/iso-9001-documentation-toolkit/
  • Numeric identifier for ISMS documents


    Answer:

    ISO 27001 does not require you to add a numeric identifier to each ISMS document, nor is this something that the certification auditor would look for. Therefore, it is really up to you to decide what is more common/more useful for your company - very often smaller companies have only the title.
  • Starting consulting agency


    Answer:

    Starting a consulting business is not easy. Besides competence, you need to create a lot of materials regarding not only the standards that you offer but also things related to sales and other processes in your new company. For people who are just starting a consulting business, we offer a special product to help them establish their business; here you can find a free preview of our ISO 9001 Tools for Consultants: https://advisera.com/9001academy/consultants/
  • Procedure for work environment


    Answer:

    From the title of the procedure I can't be sure what it should contain, whether it really refers to ISO 14001 and to which requirements, but I can give you some general advice.

    First you need to define the purpose, scope and users of the procedure, meaning why it is written, where it applies and who will apply it. Then you need to define all activities, the responsibilities for the activities and the records to demonstrate that the activities are carried out as planned.

    That is, in short, how to write the procedure. For more information, see:
    - Deciding which procedures to document in the EMS https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/deciding-which-procedures-to-document-in-the-ems//
    - 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
    - ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
  • Internal audit before certification according to new version


    Answer:

    ISO 14001:2015 does not explicitly require that you perform an internal audit before certification, but a lot of certification bodies expect you to conduct both an internal audit and a management review before certification in order to demonstrate that you applied all requirements of the standard.

    The second reason for conducting an internal audit before certification is to make sure that your organization is really compliant with the standard and to avoid nonconformities during the certification audit. Once the internal audit is done, you can meet the certification audit without any stress.

    For more information, see:
    - What will the ISO 14001 auditor ask you during the certification? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/what-will-the-iso-14001-auditor-ask-you-during-the-certification/
  • Corrective action traceability


    Answer:

    If there is one cause of several nonconformities, you can use the same corrective action to address those nonconformities. If the corrective action causes nonconformities in another part of the system, it would be good to make a reference in the new corrective actions to the initial corrective action.

    For more information, see:
    - ISO 9001 – Difference between correction and corrective action https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
    - Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
  • Logic behind dropping preventive actions


    Answer:

    The preventive actions were left out of the new version of the standard because of the introduction of risk-based thinking, which covers a much larger scope than preventive actions and provides a framework for the identification of risks and opportunities arising from the context of the organization, and not only from the processes as it was with the preventive actions.

    Preventive actions no longer exist only by their name, but the actions to address risks and opportunities required by the new version of the standard basically represent preventive actions.

    For more information, see:
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
  • Installation


    1. Is the toolkit on a CD or once payment has been received is there a link that is sent and then I (client) can download the documents from there, secondly,

    2. If the toolkit is a software, does it come on a CD and is the software compatible with Mac?

    Answer:

    1. Once you purchase the toolkit, you will receive an email with the link where you can download the toolkit; in case the link doesn't work or there is some other problem, we will send you an email with the toolkit attached. You can also order the toolkit to arrive at your address on CD, but then you will have to wait until the post office delivers it to you.

    2. The toolkit is a set of Word and Excel documents, so it is not software, and it is completely compatible with Mac.
  • Time-frame for getting the certificate


    Answer:

    The answer to this question depends on the stage in implementation of the standard.

    If the company has implemented the standard and conducted the internal audit and management review, then it only needs to hire a certification body to conduct the certification audit and issue the certificate. In this case, the certificate will be issued rather quickly.

    If the company needs to implement the standard first, then it can take from three to six months or even longer, depending on the size of the company, the complexity of the processes, and also on the resources and priority given to the implementation and certification of the standard.

    For more information, see:
    - Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/