
  • Business Continuity Management

    The Recovery Time Objective (RTO) means how fast after a disaster an organization wants its business to resume operations, and it is defined through the Business Impact Analysis, which helps you understand the level of resources that are required and the evolution of losses over time (in short, the faster the losses increase over time, the shorter the RTO needs to be, and the more resources will be required).

    As a reference to evaluate how many resources are enough, you should consider the losses to the organization if the operations are not resumed within a given time. For example, if the losses for not returning in 12h are US$ 200k, and the resources required to return operations at this time cost US$ 250k, then it is not practical to define an RTO of 12h. On the other hand, if the losses for not returning in 14h are US$ 1M, and the resources required to return operations at this time cost US$ 750k, then it is practical to define an RTO of 24h.

    These articles will provide you with a further explanation about business continuity concepts:

  • Amendments to ISO 27001 Toolkit

    First of all, congratulations on your approval.

    Included in the toolkit you purchased, you are entitled to receive free updates for one year after your purchase date. In this situation, you will receive documents reflecting the appropriate changes. We will send you the updated toolkit shortly after the ISO 27001 update is officially published.

  • Business Continuity Policy

    Considering the explicitly stated missing parts, please note that ISO 22301 does not require policy statements, definitions, compliance, and consequences for non-compliance.

    While we agree that such items could be considered, our templates are designed to fulfill the standard’s requirements with minimum overhead to minimize administrative effort to keep and maintain them.

    In terms of policy, ISO 22301 clause 5.2.1 requires: alignment with the organization’s purpose, an approach to defining business continuity objectives, commitment to fulfilling legal requirements, and commitment to the continual improvement of the Business Continuity Management System.

    In case you want to include such items in your own policy, you can schedule a meeting with one of our experts so he can help you develop them.

    For further information, see:
    - The purpose of Business continuity policy according to ISO 22301 https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/

  • ISO 27001 / Conformio questions

    1. How should we treat the risk assessment process? Should we consider all the risks within our company and go over a bit or should we be more conservative? For example, should we consider our CEO being on leave as a risk while doing the risk assessment?

    Considering the Conformio platform, first, you need to define your Risk Assessment and Risk Treatment Methodology. In the document provided by Conformio, you will define the risk acceptance criteria, i.e., when identified and analyzed risks must be treated. Conformio automatically determines which risks need to be treated based on the acceptance criteria you define.

    For further information, see:

    2. In terms of SoA should we mark all the controls as applicable? How should we approach this?

    Considering the Conformio platform, Conformio automatically marks controls applicable based on the results of risk assessment and legal requirements.

    For further information, see:

  • Role of CISO

    Please note that considering ISO 27001, if private information is part of the Information Security Management System scope, the CISO will have to protect it anyway. The fact that the organization may need to be compliant with some legal requirements related to private information (e.g., EU GDPR) will only mean that there are additional requirements to be considered by the CISO for the protection of this kind of information.

    In cases where all private information handled by the organization is part of the ISMS scope, the CISO may also be designated as the DPO.

    In such scenarios, you may want to consider the use of ISO 27701, which defines requirements for a Privacy Information Security Management System.

    For further information, see:

  • Security concepts

    I’m considering that when you mention “security concepts”, and the listed standards, you mean “information security” concepts.

    Considering that, the three standards can be useful to you because together they cover concepts for both governance and management of information security:
    - ISO 27000 covers the general concepts about information security
    - ISO 27001 presents concepts related to information security management, i.e., how to identify and treat information security risks, and this standard requires the engagement of management
    - ISO 27014 covers concepts of Information Security Governance, i.e., on how to evaluate, direct, monitor, and communicate the information security-related activities within the organization

    You can also check this doctoral thesis from Dejan Kosutic that describes a holistic approach to cybersecurity management through a socio-technical system that balances strategic, organizational, risk & technology, and people aspects: https://www.researchgate.net/publication/357826918_The_Impact_of_Cybersecurity_on_Competitive_Advantage

    For further information, see:
    - Should information security focus on asset protection, compliance, or corporate governance? https://advisera.com/27001academy/blog/2017/03/13/information-security-focus-asset-protection-compliance-corporate-governance/
    - Integration of Information Security, IT and Corporate Governance https://info.advisera.com/27001academy/free-download/integration-of-information-security-it-and-corporate-governance

  • Changes affecting the documents

    1 - I would like to know how these new controls affect our purchased toolkit (Cloud_EN)?

    Reference: https://info.advisera.com/27001academy/free-download/overview-of-new-security-controls-in-fdis-iso-27002

    Included in the toolkit you purchased, you are entitled to receive free updates for one year after your purchase date. In this situation, you will receive documents reflecting the appropriate changes.

    2 - Should we include this new change in our implementation?

    Yes, you will need to implement the changes in controls.

    It is important to note that any required changes will have a transition period to be implemented after the release of a new version of ISO 27001 (in general, this transition period is two years after a change in a management system standard, which is plenty of time to do this transition for most controls).

  • Reporting

    You asked

    7.8.2.1 i) The date of the test or calibration.

    For geology/mineral reports, is this necessary? I know there have been some changes in reporting requirements, but if the date of testing does not affect the validity of the results, is 7.8.2.1 i) necessary?

    Note that ISO 17025 states that all must be included unless you have a valid reason for not doing so. This tells you that if you have considered the risk and are confident the results are reported suitably (not ambiguously), then you can justify a simplified report, as long as the information is retained, i.e., as long as you can find the raw data if you have a query and need to troubleshoot.

    You also asked about clause 7.4.3.

    The standard requires you to have a process to a) assess, against a requirement, that a sample is suitable for testing (for example, the criteria may be: water in a 1 litre glass bottle, filled to the cap, temperature below 5 degrees Celsius); b) consult the customer and agree on the way forward if there are deviations; and c) record deviations and agreements and keep the records.

    For more information on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Mass pieces for verification of balance

    You asked

    Does this mean that if you have mass pieces that are verified on a balance right after calibration of the balance, this is insufficient to prove 'fit for purpose'?

    No, that would not be sufficient. To meet the requirements of clauses 6.4.5 and 6.4.6, as well as 6.5, such mass pieces should be calibrated (not verified) by a “competent” laboratory, i.e., either by a calibration laboratory accredited to ISO 17025 for mass, or at least one which meets the requirements to perform and report the calibration competently according to ISO 17025.

    You also asked a number of questions regarding reporting. Note that ISO 17025 states that all must be included unless you have a valid reason for not doing so. This tells you that if you have considered the risk and are confident the results are reported suitably (not ambiguously), then you can justify a simplified report.

    7.8.2.1 e) - If this is an in-house client, then a simplified report is suitable, as long as the sample is traceable and you have evidence of who the report was provided to.

    7.8.2.1 o) The way the authorisation takes place is not the issue, as long as it is traceable as to who authorised the report.

    7.8.1.3 No, not necessarily in a report, but the information must be available and traceable. Imagine there is a query: all information should be protected (from change) and be available on looking, for example, within a LIMS, database or a record.

  • ISO 17025 Stage 1 Application - Covid Testing

    You asked

    However, our method is not CE Marked and we potentially need to apply for derogation. Is this something you have encountered before and can provide advice on how to go about this?

    I cannot tell, based on your comments, if your Quantitative Polymerase Chain Reaction (qPCR) test is laboratory-based or point-of-care. For molecular point-of-care COVID-19 tests, the accreditation body will have specific requirements.

    Regarding the CE marking, I assume you are referring to the kit you use for your test. A CE conformity marking is applicable to goods, not a method. A CE-IVD mark is required for regulatory approval of a product for in vitro diagnostic use in Europe and other areas. I advise you to contact your accreditation body to determine if this impacts your accreditation.

    You also asked

    Secondly, any advice on what is required for the Stage 1 Declaration Application.

    Application for COVID testing accreditation as a private provider is government and accreditation body specific. The minimum standards depend on the type or purpose of the test. These will be available from the accreditation body’s website.

    For example, see https://www.gov.uk/government/publications/minimum-standards-for-private-sector-providers-of-covid-19-testing

    The Stage 1 Declaration Application typically involves a declaration stating that your tests meet the appropriate standard, and that you have at least applied for accreditation to the relevant international standard. That would be ISO/IEC 17025 or ISO 15189 for lab-based providers, and ISO 15189 and ISO 22870 for point-of-care testing providers.
