This requirement refers to the need for intermediate checks on equipment to be performed according to a procedure. For certain equipment, external certified calibration (as per ISO 17025 calibration requirements) is required to confirm the equipment is suitable for use and to provide metrological traceability and a measurement uncertainty for that step in the testing process (for example, the use of a balance to weigh a sample). For equipment which could impact the validity of test results, intermediate checks (i.e. verifications) must be performed in-house at suitable intervals until the next external calibration to confirm the equipment is still in calibration (i.e. has not deteriorated or drifted). This maintains confidence in the performance of the equipment. This is achieved by using traceable reference materials or artifacts (such as certified weight pieces). The procedure could be a written work instruction or diagram, for example for the daily verification of analytical balances.
For more information, see the question and response to “Are intermediate checks required for calibration laboratories?” at https://community.advisera.com/topic/are-intermediate-checks-required-for-calibration-laboratories/. There are also some useful links on that page that will assist you.
1 - Is this sufficient during an ISO 27001 certification external audit to prove that *** took the necessary actions with regards to training internal employees?
Please note that the security awareness training on our website focuses on regular users and general information security knowledge. In case you have specific security technical/management needs (e.g., secure development techniques or security strategy planning) this training won’t be sufficient.
Considering that, you need first to identify which information security competency gaps you need to treat, so you can evaluate if our training will cover all your needs, or if you need to complement it.
This article will provide you with a further explanation about awareness and training:
2 - Is there any way to prove the employees have effectively followed your training? Something like a completion certificate?
Through the paid version of our security awareness training program, you can export the progress report and track which employees already attended the training and their results.
When using the free version, you can create quizzes to apply to employees who have taken the training to evaluate their learning.
3 - Would you recommend additional steps?
The steps provided in the Training and awareness plan template included in your toolkit are enough to be compliant with the standard.
Common approaches for information security awareness are training sessions, the use of newsletters, the use of video tutorials, and meetings between management and staff, which should be performed on a regular basis.
Regarding content, please note that you will have different publics with different interests:
ISO 27001 does not prescribe which information should be added and recorded about assets to be destroyed, so organizations are free to include the information they see fit for their needs, based on results of risk assessment and applicable legal requirements.
Recording serial numbers for each HDD would be a good practice, because serial numbers are unique identifiers, and you wouldn’t need to create your own to keep track of destroyed assets in case of need.
These articles will provide you with a further explanation about asset disposal:
In such cases, to decide if this is a finding or not you need to check if the events that trigger the procedure to be performed had occurred or not.
For example, if the trigger is something like “every 6 months” or “6 months from the last occurrence”, and such period has not been completed yet by the time of the audit, then it is acceptable that the procedure has not been carried out yet, and it is not a finding. Otherwise, it should be considered a finding.
An example of a document that may not be activated when an audit takes place is the Disaster Recovery Plan or an incident treatment for a specific incident.
For further information, see:
There will be some changes, although the procedure is applicable to in-house and external clients. Depending on the organizational structure, there may be fewer or more changes. Simply go over the procedure step by step and customize it for your context. For example, a legal contract is not required if the laboratory is part of the same legal structure as the mine/production.
Either way, the clients' (internal or external) requirements should be known, and agreements and deviations presented in writing for in-house clients as well. In most cases, the way you record the evidence and results can be simplified.
Have a look at my response to a similar topic at https://community.advisera.com/topic/iso-17025-for-internal-quality-control-laboratory/
You can also get a detailed description of the ISO 17025 Documentation Toolkit and free preview, at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Anonymized data is not personal data. Moreover, the process of anonymization of personal data is equivalent to the deletion of personal data, because the process is irreversible and data cannot be used to identify a data subject, directly or indirectly. So, according to GDPR, you do not need to delete data that is not personal data. However, please pay attention that the data controller does not refer to pseudonymized data, which according to Art 4 GDPR – Definitions – is “personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”. In this case, pseudonymized data is personal data and is subject to GDPR requirements, including obeying a controller request for personal data deletion.
As part of our GDPR Toolkit, we have a document called Anonymization and Pseudonymization policy that you can use. Please check the links below:
1 - In our Risk Assessment table, is there any "minimum" content we should have to be "credible" from an auditor's point of view? Seeing our scope and the assets I've listed, I think I'll end up around 150 lines in the table.
ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.
Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.
As for the number of risks you mentioned, 150 is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 and 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 and 600 risks.
An important thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count among your relevant risks.
These articles will provide you with a further explanation about risk assessment and treatment:
2 - Is this Risk Assessment Table a good document you would be able to review for me and provide feedback on? Or is this too specific to a certain business (like ours, which is focused on our SaaS platform)?
As part of your toolkit, you can submit a certain quantity of documents for our review, so we can provide feedback about your work, and the Risk Assessment Table can be one of them.
I’m assuming your question is about a certification audit.
Considering that, to successfully clear a certification audit you need to implement the Information Security Management System according to ISO 27001 requirements, which involves:
This article will provide you with a further explanation about ISMS implementation:
About required documents, please see this article:
To see how documents compliant with ISO 27001 look like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
We are not aware of specific boards or professional associations of SOC 2 auditors, so your best approach would be looking for them on professional social networks like LinkedIn, Security groups on Google Groups, or the American Institute of Certified Public Accountants (AICPA), which certifies accountants to audit for SOC 2.
This article will provide you with a further explanation about SOC 2:
I’m assuming you are referring to the content of the documentation toolkit.
Considering that, please note that the Risk Assessment Table included in the ISO 27001 toolkit contains separate tabs listing examples of assets, threats and vulnerabilities to be used to fill in the Risk Assessment Table (in the cells of each specific column you can choose an item from a list). The only difference from the Conformio platform is that Conformio automatically suggests threats and vulnerabilities, while such functionality does not exist in the Excel sheet from the toolkit.
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
In case you are referring to Conformio, please note that the content of the paper “Diagram of ISO 27001 Risk Assessment and Treatment Process” is a visual presentation of how risk assessment and treatment is performed through the Conformio Risk Register module. You have the same resources available in the Risk Register; they are just not shown in a graphical format.
For each risk entry you perform the exact same steps:
- when you choose an asset, a set of related vulnerabilities is presented
- for each chosen vulnerability, a set of threats is presented
- when impact and likelihood are defined, suggested controls to treat the risks calculated as unacceptable will be presented.
When you access the Risk Register, there is a video presenting how to perform risk assessment and treatment in Conformio.