Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results for "iso17025 vs gmp"
1219 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
How to learn about infosec?
... 7001.
2. I am due to go on a foundation course and then the Lead Implementer course and then next year do my Lead Auditors course do you think this is the right way to go?
Perhaps foundation course would not be needed if you already have some experience in IT - in such case you can go straight to Lead Implementer course. Read also this article: Lead Auditor Course vs. Lead Implementer Course  Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/ -
Using risks instead of threats
... ... otential cause of an unwanted incident, which may result in harm to a system or organization". So for instance, the threat is a computer virus, and the risk is the loss of all the information on your computer.
It is true that ISO 27001:2013 does not require the identification of threats any more, but this is in my opinion still the best methodology - read more here: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ -
Use old ISO 27001:2005 format for assessing the risks
... ... vision of ISO 27001 gives you a greater freedom in performing the risk assessment, but you can certainly use the principle from 27001:2005 where risks were identified based on assets, threats and vulnerabilities. The only thing you have to do extra because of 2013 revision is that you need to identify the risk owner for each risk.
You can learn more in this article: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ -
ISO 27031 vs ISO 22301
I am starting a BCP/DR effort here. I have not seen the ISO 27031. Our implementation would be mostly around a SaaS cloud services environment. We just passed our ISO 27K Stage 2 audit. Should I use ISO 22301 or ISO 27031 for BCP/DR guidance? Is there much difference in the two docs? -
To have or not have a Disaster Recovery Plan
... urn to normal operation and this should be planned and documented.
5) You need to implement a regular test approach in order to evaluate the effectiveness of the solution.
6) Disaster Recovery Plan would help in case of failure of HA technology.
You can find a more detailed information on: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
Hope this helps -
Certification - RABQSA
Again, I'm not sure which ISO 27001 certification you are speaking about - are you speaking about the certification of an individual or a certification of a company?
Here are some articles that can help you:
- ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/
- How to learn about ISO 27001 (this article lists different possible trainings) https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/ -
ISO 27001 - frequency of recertification
... ... out certification of organizations, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for the recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.
This article can also help you: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/ -
Can the risk be accepted and the control not applied?
... low risk during the Risk Assessment and senior management has agreed to accept the residual risk; and we determined it be out of scope, is being demanded by the auditor to be in-scope. Is that permitted? Based on our scope and boundaries as well as documented exclusions, the control does not come into play. IÃÂm trying to gather some additional information on the determination of in-scope vs. out-of-scope.
-
Risk register vs. risk treatment table
Is the risk treatment table considered as risk register? or the risk register is something else? -
Third Party Providers vs. ISMS Policy conflictions
Hi, I have a concern presently concerning ISO27001 and company ISMS policy / third party agreement guideline vs. a third party who plays a large role in company activities. Our third party agreement guideline states that third parties shall compy with certain security requirements. We have a provider that has stated they are not iso27001 compliant but use many ISO 27002 principals, which is fine, but we are attempting to have them sign our agreemen - they do not want to sign, and I QUOTE "Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" UNQUOTE They have also provided a statement to replace what we have asked " QUOTE X shall at all times operate and manage the information security, reliability, resilience, and technology planning in accordance with its security control policy. In order to provide a more understandable framework for its specific business, the X security control policy is organised around the 5 key dimensions of: governance, change management, confidentiality, integrity and availability. X has implemented a number of initiatives that enhance security, including a company-wide commitment to adopt many of the principles of ISO 27002, which is the code of practice for information security management. This involves, amongst others, risk management practices in line with ISO 27005 and NIST standards. These internationally recognised standards provide wide-ranging security guidelines" UNQUOTE How does a company get passed this in ensuring they apply to the company security requirements especially when this aspect can be audited? Is this acceptable? Thanks for your reply Paula