Indeed, for such small companies this column is not practical, and it would be better for you to create a shortlist of objectives in the Information Security Policy or to develop a separate document for them.
Besides decreasing incident occurrence, you can also define some control objectives, like:
Regarding security incident objectives, you do not need to define one for every clause. You can define a single objective for the whole ISMS (e.g., at most 3 incidents per year).
For further information, see:
To audit control 10.1.2 Key management, you need to identify the defined requirements for generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. Once these are identified, you can start verifying whether the implemented processes are being performed according to those requirements.
Examples of evidence are:
This article will provide you with further explanation about key management:
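The lifecycle stages named in the answer above (generation, storage, archiving, retrieval, distribution, retirement, destruction) are what an auditor compares the key inventory against. As an added illustration that is not part of the original answer or of any Advisera material, the script below runs such a comparison over a constructed key inventory. The inventory layout, the key identifiers, the date used as "today" and the policy thresholds (365-day rotation, 30 days from retirement to destruction, HSM or KMS as the only approved stores) are all assumptions made for this example; in practice the thresholds come from your own key management procedure.

```python
"""Audit a key inventory against assumed key management requirements.

Added example, not from the original post. The inventory, the policy
thresholds and every key identifier below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy thresholds (hypothetical; replace with your procedure's values)
MAX_KEY_AGE_DAYS = 365            # rotation period for active keys
MAX_RETIRE_TO_DESTROY_DAYS = 30   # retired keys must be destroyed within this window
APPROVED_STORAGE = {"hsm", "kms"} # approved locations for key material


@dataclass
class KeyRecord:
    key_id: str
    purpose: str
    created: date
    storage: str                  # where the key material lives
    status: str                   # "active", "retired" or "destroyed"
    retired: Optional[date] = None
    destroyed: Optional[date] = None


def audit_key_inventory(keys: List[KeyRecord], today: date) -> List[str]:
    """Return one finding string per requirement that a key record violates."""
    findings: List[str] = []
    for k in keys:
        age = (today - k.created).days
        # Generation/retirement: active keys must not outlive the rotation period
        if k.status == "active" and age > MAX_KEY_AGE_DAYS:
            findings.append(
                f"{k.key_id}: active for {age} days, exceeds "
                f"{MAX_KEY_AGE_DAYS}-day rotation period"
            )
        # Storage: key material must sit in an approved store
        if k.storage.lower() not in APPROVED_STORAGE:
            findings.append(
                f"{k.key_id}: stored in '{k.storage}', which is not an approved key store"
            )
        # Destruction: retired keys need a retirement date and timely destruction
        if k.status == "retired":
            if k.retired is None:
                findings.append(f"{k.key_id}: retired without a retirement date recorded")
            else:
                since_retired = (today - k.retired).days
                if since_retired > MAX_RETIRE_TO_DESTROY_DAYS:
                    findings.append(
                        f"{k.key_id}: retired {since_retired} days ago, not yet "
                        f"destroyed (limit {MAX_RETIRE_TO_DESTROY_DAYS} days)"
                    )
        # Destroyed keys must carry a destruction record (the audit evidence)
        if k.status == "destroyed" and k.destroyed is None:
            findings.append(f"{k.key_id}: marked destroyed but no destruction record")
    return findings


def sample_inventory() -> List[KeyRecord]:
    """Constructed inventory; key names and dates are made up for this example."""
    return [
        KeyRecord("k-backup-2023", "backup encryption", date(2023, 1, 10), "hsm", "active"),
        KeyRecord("k-tls-2024", "TLS server key", date(2024, 3, 1), "kms", "active"),
        KeyRecord("k-legacy-01", "legacy file encryption", date(2022, 5, 5),
                  "file share", "retired", retired=date(2024, 1, 15)),
        KeyRecord("k-old-02", "old signing key", date(2021, 9, 1), "hsm",
                  "destroyed", retired=date(2024, 1, 1), destroyed=date(2024, 2, 1)),
    ]


# Fixed audit date so the example is reproducible (assumption for this illustration)
AUDIT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for finding in audit_key_inventory(sample_inventory(), AUDIT_DATE):
        print(finding)
```

Each finding maps back to a lifecycle requirement, which is the shape of evidence an auditor expects: not "we have a policy", but a record showing each key was handled as the policy says. Extending the check to archiving and distribution (for example, verifying that archived keys have an access log) follows the same pattern.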
1 - In designing an ISMS to ISO 27001 standards, are these non-security-related policies included or excluded?
You need to evaluate whether these policies define some sort of usage or handling of information included in the ISMS scope (for example, the Car Allowance Policy may require the user to provide information about his driver's license, and this information is included in the ISMS scope). The policies which define usage or handling of information included in the ISMS scope need to be included in the ISMS design.
2 - Another question. My new organization uses the Plan-Do-Check-Act (PDCA) to write individual security policies like the business continuity management policy etc.
My understanding is that the PDCA model is for the structure of the ISMS and not for individual policies. Am I wrong?
The PDCA model can be used both for the structure of the ISMS and for the development of individual documents, such as policies and procedures.
For further information, see:
1 - Do we need to encrypt all data during the backup/restore process or not?
According to ISO 27001, the need for encryption of backup tapes will depend on the results of the risk assessment and the identified legal requirements.
If you do not have risks or legal requirements that justify the implementation of encryption, you do not need to implement it.
This article will provide you with a further explanation about controls selection:
2 - If yes, do we need to encrypt all the data, or do we need to classify the data?
In case you have risks or legal requirements that justify implementing encryption, the data to be encrypted will depend on the rules defined by the organization, usually defined in the Information Classification Policy.
So, before defining which data will be encrypted, you will need to classify it first.
For further information, see:
3 - Who will decide what data should be encrypted?
The person who will decide whether data should be encrypted or not is the person responsible for the data (called the information owner in ISO 27001). The decision will be related to the classification level attributed to the data.
1 - May I ask, is the Disaster Recovery Plan a good control to start with, and the most important one? Also, does it consist of many other controls that would then be covered at the same time?
In fact, the Disaster Recovery Plan is one of the last controls to work on. The purpose of the Disaster Recovery Plan is to allow the quick resumption of information security and information technology activities in case of a disruption, so you need to understand first which information security controls are in place before you start developing your plan.
For further information, see:
2 - I suppose our Head Software Developer, who is also in charge of server maintenance, would be the person to document these steps, as it is much more complex than just “copy-paste install backup”.
The person to be involved in the development of a Disaster Recovery Plan will depend on the defined disruptive scenario.
For example, if the disruptive scenario involves only the loss of a server, then your Head Software Developer will be the person responsible for the plan. On the other hand, if the disaster involves not only the loss of the server, but also the loss of the server room or an entire building, then you will need to involve more people, like the facility manager.
This article will provide you with further explanation about developing a plan:
These materials will also help you regarding developing a plan:
You asked: "How does the lab select the verification method?"
This depends on the type of test method and its purpose. I assume, as you refer to verification, that your laboratory is using a Standard Method. If not, you need to perform a more detailed validation.
Have a look at my explanation of the question “Which parameters will be verified for standard methods?” in Methods verification at https://community.advisera.com/topic/methods-verification/
If you need more information on validation, see my reply to Procedures for validation and verification of methods at https://community.advisera.com/topic/procedures-for-validation-and-verification-of-methods/
You also asked: "How does the lab measure the uncertainty?"
For information on the use of the toolkit and the additional technical expertise required to evaluate measurement uncertainty, have a look at my reply to a previous question, Measurement uncertainty in chemical process, at https://community.advisera.com/topic/measurement-uncertainty-in-chemical-process/
Under inputs, you can state whether there is already any documented procedure, record, or contract with the supplier, i.e., any documentation that you already have and use in your company.
Deliverables are the outputs of certain requirements, and resources means whether it is necessary to provide any resources for each phase, for example, people who will spend time on a certain phase, or finances (like the money you spent when buying this toolkit).
For more information on the implementation process, please see the following:
I think you are asking this question about internal auditor competency. According to clause 7.2.3 of the IATF 16949:2016 standard, system auditors should have the following.
As you know, the core tools are APQP, PPAP, FMEA, SPC and MSA. For these subjects, it may be necessary to show either training records or experience records on the CV.
In addition, Control Plan, FMEA, and related manufacturing process experience are required for manufacturing process auditors.
If your ISO 9001-certified internal auditors can demonstrate the above-mentioned competencies, they can carry out audits. Apart from these, if there is an additional customer-specific requirement, it may be necessary to provide evidence on that subject.
Yes, you can have one certification applicable to more than one site. You will have common documents, such as the same policy, common overall goals, and the same procedures for corrective actions, internal audits or document control. You may also have common processes for collecting and verifying compliance obligations and for determining environmental aspects and impacts.
Then, you will have specific procedures and work instructions applicable to just one site.
Vulnerability management and penetration testing procedures are not mandatory documents according to ISO 27001, nor are they documents commonly adopted by organizations (most of them rely on outsourced services for this purpose), so they are not included in the toolkit, to avoid unnecessary effort in managing the ISMS. If you consider this document important to your organization, you can schedule a meeting with one of our experts so that they can help you develop such a document.
These articles will provide you with further explanation about vulnerability management: