
  • ISO 27001 and PCI-DSS


    - I'm not an expert in PCI-DSS, but from what I know, e-commerce merchants of a certain size and payment card processors must implement PCI-DSS because this is what Visa and MasterCard require - therefore, it is mandatory in such cases. If you have already implemented ISO 27001 and are now starting to implement PCI-DSS, this doesn't mean you would have to do the same things twice - if the requirements of these two standards are the same, then you just use the controls you implemented for ISO 27001 for PCI-DSS as well.
  • Where to get ISO 22301


    - You can purchase the ISO 22301 standard here: https://www.iso.org/standard/50038.html - it costs ca. 130 USD. You may be able to purchase it at a better price from your local standardization body.
  • Construction of Risk Analysis

    I do is following the lifting of the risk scenarios failures, there begin to identify risks for each scenario and also support me as generic risks by Cobit and ISO 2700X

    - I'm not sure if I understood the question well, but ISO 27001 requires you to identify 5 elements during the risk assessment: all the assets; for each asset you need to identify threats and vulnerabilities; and then the consequence and likelihood for each risk. You can find a detailed explanation in my webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Preparation for ISO 27001 Lead Auditor Course


    - The best preparation for the Lead Auditor Course is to read the standard itself a couple of times and try to remember the structure of the standard. You can also take a look at my webinar ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/

    I also wanted to know the minimum experience required to attend the LA course for ISO 27001, and the scope of the same.

    - There are no formal requirements, but it is recommended that you have some experience in either IT or other management systems like ISO 9001.

    Will it require any prior auditing experience?

    - No, prior auditing experience is not required.
  • Where can I get new ISO 27001?

    Alec,

    You can purchase it from the BSI website: https://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/

    Dejan
  • Appointing an external person to do the pre-assessment


    - No, it is not necessary to hire someone to do a pre-assessment before the certification. Our Toolkit contains all the required documents, and there is no requirement by the standard to perform pre-assessment.
  • Policy vs. standard

    - There is no absolute difference, since there is no absolute definition of these two. Generally, a policy defines a certain intention and gives direction, whereas a standard specifies a standardized way of doing something.

    Would an organization have a standard and policy co-existing?
    - Yes, although a standard is not very common - more often you would see a policy and procedures co-existing.

    For example, would there be an Asset Management standard and an Asset Management policy coexisting? Or as another example, an Access Control Standard and a Password Policy?
    - Yes, this is possible, although more often you would have Asset Management Policy and then Asset Management Procedure.

    Another dilemma question I have is – is it a good idea for an organization to have a fairly complex ICT Security Policy (with sub-policies within it; for example, this single document would have acceptable use, intranet, shared drive, email usage etc. covered in it)?
    - I don't think this is a good idea because it will be very difficult to maintain such a document, and even more difficult for users to read and understand this policy. A much better solution is to have separate policies which describe certain areas - read this article for more explanation: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    Because some subparts of this policy may not be relevant to the end user, we should take into consideration the question – do we publish this to an incumbent user to read it and sign it, when some sub-parts do not apply to the user?
    - When you have separate policies, you send only the relevant policies to users, not all policies; further, it is not mandatory for them to sign them - it is enough that you have some kind of proof they have received them (e.g. through a Document Management System).

    That brings another question up, is it good practice to have two versions of a policy – one for general user use (used @ induction and to which the user signs to abide by during the employment period) and another one for high-level use?
    - No, redundancy in documentation brings only problems - again, you should create separate documents for certain areas.
  • Scope of the QMS - our document


    Answer:

    Chapter 3.1 refers to the processes inside your company that are included in the scope of the quality management system; if we take your example, it can be something like this:

    "The processes of our company that are included in scope of the QMS are:

    Purchasing
    Sales
    Production of nuts and bolts
    Warehousing
    Transportation"

    In section 3.2 you need to write the products and services your organization provides that are included in the scope of your QMS:

    "Our Quality Management System covers production and delivery of nuts and bolts."

    In section 3.3 you need to describe which units and functions are included in the scope and how they are separated from the ones that are not included in the scope. To expand your example, let's say that the company produces not only nuts and bolts but also screwdrivers, and the production of screwdrivers is excluded from the QMS scope. In that case, you need to write something like this:

    "The scope of our quality management system covers the purchasing and sales departments, the department for production of nuts and bolts, and the transportation department. The department for screwdriver production is not inside the scope of the QMS and is located in a separate facility at another location."

    Chapter 3.4 requires you to define all locations of your company that are included in your QMS scope, for example:

    "Administrative building, 123 boulevard, New York
    Production facility, 456 street, Boston"

    Chapter 3.5 requires you to list the organizational elements (units, departments, processes, etc.) that are excluded from the scope. In our example it would be:

    "Accounting
    Production of screwdrivers"

    For more information read this article: 

    - How to define the scope of the QMS according to ISO 9001:2015  https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Processes vs. Departments


    Answer:

    Every department has processes that are its responsibility. For example, the HR department is responsible for recruitment and for providing the necessary training for employees. So, they may decide to create a Procedure for Human Resources that will explain how they execute their processes, but that is not mandatory under ISO 9001.

    For more information, see: 

    - Deciding Which Procedures to Document in QMS  https://advisera.com/9001academy/blog/2013/11/26/deciding-procedures-document-qms/
  • Documentation for the context and risks and opportunities


    Answer:

    Actually, ISO 9001:2015 doesn't explicitly require you to create any documents regarding the context of the organization and risks and opportunities; it will depend mostly on the size and type of the organization and the complexity of your processes.

    My recommendation for addressing the requirements regarding the context of the organization and risks and opportunities is to create some documents, because it is much easier when it's done for the first time and, frankly, it will be much easier to demonstrate your conformance to the requirements to the certification auditor.

    For more information, see:

    How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/05/26/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    The Role of Risk Assessment in the QMS https://advisera.com/9001academy/blog/2014/01/07/role-risk-assessment-qms/
    List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015//