Search results


  • Can company share their employee personal data?

    No, it means that in the agreement with your client you state that personal data connected to the performance of the contract will be processed as stated in the attached privacy notice. You may also link to the web portal, but if you attach the privacy notice to the contract it is easier to demonstrate compliance to the obligation of providing information about data processing.

  • ISO 9001 Audit

    You just need to include the records that have been produced when the implementation starts. During the first steps of the implementation you must do an assessment of the training gaps that the personnel of your company have in order to prepare a training plan. The records produced from that training will be the ones you can include to demonstrate the competence of your people to carry out the processes in an effective way.

    For more information about training in ISO 9001, see the following materials: 

    - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/

    - Enroll for a free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - ISO 9001 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Sample data for MSP

    Please note that it is our policy not to offer such sample artifacts.

    This is so because even organizations of the same industry and using the same IaaS provider have unique objectives and risk appetites, so the use of such sample artifacts can mislead organizations into adopting a security profile that does not fit their needs.

    These generic papers can give you an idea of a filled-in risk register:

    - Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

    Please note that you can schedule a call with our ISO 27001 expert, where he can give some tips on how to adapt Risk register, Statement of Applicability and your documents to your specific circumstances.

    Additionally, since Conformio can automatically suggest threats, vulnerabilities, and applicable documents based on the specific assets you enter, you can use the examples provided in the abovementioned papers to see how the process goes through the platform.

  • Copying documents

    I’m assuming the question you refer to is about the usefulness of using ISMS documents from other organizations on your own.

    Considering that, the correct answer is that documents from other organizations are only useful as a starting point for developing your own.

    This is so because documents from other organizations will not be adjusted to your context, so they can become too bureaucratic, or not provide proper security.

    There wasn’t an alternative stating that it was forbidden to copy documents from other organizations because this is not always true. You may have access to documents from other organizations because they are of a public nature, or because of some sort of agreement you have with them.

  • Conformio - setting up people and departments

    1 - I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.

    Answer: Please note that the contracts in the list of requirements are those which prioritize the clauses your organization needs to comply with regarding interested parties (e.g., contracts with your customers).

    Contracts that prioritize the clauses the interested parties need to comply with on your behalf are controlled through the Supplier Security Policy, which is provided by Conformio.

    For further information, see:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    2 - What detail is required.

    2.1 - As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018 do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”.

    Answer: The level of detail must be sufficient to allow the designated person for complying with the requirement to understand what needs to be fulfilled, or where to find such information. Your example falls in the second type (i.e., you identify where the details to fulfill the clause can be found). An example for the first type would be including the information that a clause from a contract with a customer specifying that a full backup of all his information needs to be performed weekly.

    2.2 - You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities.

    There are quite a lot of acts etc. that I have heard of but don’t know in detail, e.g., the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!

    Answer: Please note that the list of legislation provided in Conformio is a starting point. Since each organization can have different levels of compliance needs for each one, it is unfeasible to provide a more detailed analysis. Our recommendation is for companies to hire local expert advice to help identify your specific needs.

    3 - Valid from and deadline dates

    3.1 - What are these dates aimed at?

    Answer: The valid from date refers to the date when the requirement was published (i.e., when the law/regulation was published).

    The deadline date refers to the date by when the requirement must start to be enforced in the organization (in most cases it is related to an enforcement date defined in the law/regulation).

  • ISO27001 Implementation

    ISO 27001 consists of two parts:
    1 - the main part of the standard, from clauses 0 to 10, out of which clauses 4 to 10 are mandatory. These clauses define what an Information Security Management System (ISMS) needs to perform, document, record, and deliver.

    2 - Annex A, which has 14 sections - it starts from A.5 and goes to A.18. These sections contain the 114 controls, which define information security requirements and control objectives.

    ISO 27001 Annex A is based on British Standard BS 7799-1 (Information technology - Code of practice for information security management), which had the following structure:

    Foreword
    0 introduction
    1 scope
    2 terms and definitions
    3 structure of this standard
    4 risk assessment and treatment
    5 security policy
    6 organization of information security
    7 asset management
    8 human resources security
    9 physical and environmental security
    10 communications and operations management 
    11 access control
    12 information systems acquisition, development and maintenance
    13 information security incident management
    14 business continuity management
    15 compliance
    Bibliography
    Index

    So, when this content was incorporated into ISO 27001 Annex A, version 2005, to facilitate the transition for those who used the BS standard, the names and section numbers from sections 5 to 15 of the old BS 7799-1 were kept, only adding the "A." to indicate they are part of the ISO 27001 Annex. When ISO 27001 was updated to version 2013 this sequence was maintained.

    Here you can see a further explanation:
    - A list of sections in Annex A: https://advisera.com/27001academy/iso-27001-controls/
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    This whitepaper also can help you:
    - Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

  • Management Representative role choice

    There is nothing in ISO 14001:2015 about the management representative. So, organizations can choose a temporary employee to fulfill the role. Even previous versions, where the role of the management representative was included, allowed the use of a temporary employee to fulfill the role. Some years ago I acted as management representative for a company while being a service supplier.

  • Scope in Conformio

    In the context of ISO 27001, interested parties are any entities (e.g., persons or organizations) that can influence your information security, or that can be affected by your information security activities. Considering that, and your examples, “local community” wouldn’t be an interested party, while your client would be.

    Regarding provided services, these are not part of the interested parties or interested parties’ requirements. They would be part of the ISMS scope, i.e., the elements of your organization you want to protect considering interested parties and their requirements.

    For further information, see:

    This material can also help you:

  • Best approach in evaluating time and effort for certification

    The implementation duration and costs depend on many variables (e.g., size and complexity of the scope, financial resources, and expertise available, etc.), but for very small and small-sized businesses it is generally possible to implement ISO 27001 within 3 months.

    For more information about the time needed for the implementation, I suggest you see this article: 

    Regarding costs, what I can tell you are some cost issues you should consider:

    • Training and literature
    • External assistance
    • Technologies to be updated/implemented
    • Employee's effort and time
    • The certification process

    These materials can provide you more information:

  • ISO 17025:2017 witnessing audit

    Witnessing is a technique used during internal auditing that is applicable to many activities. Typically a laboratory would as a minimum include technical witnessing of personnel. You would decide which activities to witness, based on risk. Look at the scope of work and, for a particular activity, e.g. a test method, decide which steps to audit and why. Take the process of receiving samples to releasing results as an example. If you have new personnel performing sample preparation, one internal witnessing could be them demonstrating that step. If, for example, there have been nonconforming events raised due to problems with reagents, then plan to witness that activity.

    For more information on technical audits, see
    https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/
