
  • Structure and communication between IS, Risks and IT


    Answer:
    I am sorry but I am not sure if I have understood your question. Anyway, if we see Information Security, Risks and IT as different processes, from my point of view Risks and IT give support to Information Security, I mean, Risks and IT give information to Information Security (without this information the Information Security management is not possible).

    With this structure, I think that the communication between these processes is easy: Information Security requests information about risks, Risks identifies information security risks and the security controls that are necessary (this information can be coordinated directly with IT), Information Security receives the information and requests IT for the implementation of information security controls.

    Risks and IT can also give information to other processes, for example Business Continuity Management, Quality Management, etc.

    By the way, maybe our online course can be interesting for you: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/

    Finally, you can find in our Free Download section the white paper "Integration of Information Security, IT and Corporate Governance", which I think can be interesting for you: https://advisera.com/27001academy/free-downloads/
  • How cloud risks are mitigated


    Cloud-16 Do you have a document available to tenants describing your Information Security Management Program (ISMP) which addresses how cloud risks are mitigated (e.g. multi-tenancy, network segregation, entitlement)?

    I can't seem to find this term in the context of 27001. Any idea what they might mean by this? This can't simply be the Information Security Policy, could it?

    Answer:
    You are right, the specific term “Information Security Management Program (ISMP)” is not used in ISO 27001 (nor in ISO 27002), and without more specific information about the context or your situation it is difficult for me to give you more information.

    Anyway, in your question I can read “how cloud risks are mitigated…”, and for the mitigation of any type of risk you need a risk management methodology, so if you do not have this, I recommend you try our toolkit “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/

    With the methodology you can have a defined process for the management of risks, so basically you can identify risks and reduce, or mitigate, them with the implementation of security controls.

    By the way, ISO 27017 is a code of practice for information security controls based on ISO 27002 for cloud services, and ISO 27018 is also a code of practice but for the protection of personally identifiable information in public clouds, so maybe it can be interesting for you to read both standards. These articles can also be interesting for you:

    "ISO 27001 vs. ISO 27017 - Information security controls for cloud services": https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud": https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Mandatory documents and records according to ISO 9001:2015


    Answer:

    The most common types of documents which are required in order to be compliant with the ISO 9001:2015 standard (and other ISO standards) are policies, various procedures and records.

    ISO 9001:2015 requires some mandatory documents, such as the quality policy, a document about the scope of the QMS and the quality objectives, and over 20 mandatory records.

    Some of the documents are not mandatory by the standard itself, but your organization may define them as necessary for an effective QMS (additional process procedures, work instructions and records), and they all should be implemented and maintained in order to comply with ISO 9001:2015.

    For more information about mandatory and non-mandatory documents please see this article:
    - List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    Examples of our documents for ISO 9001:2015 you can see at this link: https://advisera.com/9001academy/iso-9001-documentation-toolkit/
  • Numeric identifier for ISMS documents


    Answer:

    ISO 27001 does not require you to add a numeric identifier to each ISMS document, nor is this something that the certification auditor would look for. Therefore, it is really up to you to decide what is more common/more useful for your company - very often smaller companies have only the title.
  • Starting consulting agency


    Answer:

    Starting a consulting business is not easy. Besides competence, you need to create a lot of materials regarding not only the standards that you offer but also things related to sales and other processes in your new company. For people who are just starting a consulting business, we offer a special product to help them establish their business; here you can find a free preview of our ISO 9001 Tools for Consultants: https://advisera.com/9001academy/consultants/
  • Procedure for work environment


    Answer:

    From the title of the procedure I can't be sure what it should contain, whether it really refers to ISO 14001, and to which requirements, but I can give you some general advice.

    First you need to define the purpose, scope and users of the procedure, meaning why it is written, where it applies and who will apply it. Then you need to define all activities, responsibilities for the activities, and records to demonstrate that the activities are carried out as planned.

    That is, in short, how to write the procedure; for more information, see:
    - Deciding which procedures to document in the EMS https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/deciding-which-procedures-to-document-in-the-ems//
    - 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
    - ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
  • Internal audit before certification according to new version


    Answer:

    ISO 14001:2015 does not explicitly require that you must perform an internal audit before certification, but a lot of certification bodies expect you to conduct both an internal audit and a management review before certification in order to demonstrate that you have applied all requirements of the standard.

    The second reason for conducting an internal audit before certification is to make sure that your organization is really compliant with the standard and to avoid some nonconformities during the certification audit. Once the internal audit is done you can meet the certification audit without any stress.

    For more information, see:
    - What will the ISO 14001 auditor ask you during the certification? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/what-will-the-iso-14001-auditor-ask-you-during-the-certification/
  • Corrective action traceability


    Answer:

    If there is one cause for several nonconformities, you can use the same corrective action to address those nonconformities. If the corrective action causes nonconformities in another part of the system, it would be good to make reference in the new corrective actions to the initial corrective action.

    For more information, see:
    - ISO 9001 – Difference between correction and corrective action https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
    - Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
  • Logic behind dropping preventive actions


    Answer:

    Preventive actions were left out of the new version of the standard because of the introduction of risk-based thinking, which covers a much larger scope than preventive actions and provides a framework for the identification of risks and opportunities arising from the context of the organization, and not only from the processes as it was with preventive actions.

    Preventive actions no longer exist under that name, but the actions to address risks and opportunities required by the new version of the standard basically represent preventive action.

    For more information, see:
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
  • Installation


    1. Is the toolkit on a CD, or once payment has been received is there a link that is sent and then I (the client) can download the documents from there? Secondly,

    2. If the toolkit is software, does it come on a CD, and is the software compatible with Mac?

    Answer:

    1. Once you purchase the toolkit, you will receive an email with the link where you can download the toolkit; in case the link doesn't work or there is some other problem, we will send you an email with the toolkit attached. You can also order the toolkit to arrive at your address on CD, but then you will have to wait until the post office delivers it to you.

    2. The toolkit is a set of Word and Excel documents, so it is not software, and it is completely compatible with Mac.