The proposed change is acceptable for ISO 27001 compliance purposes.
This article will provide further explanation about information classification:
In AS9100, throughout the standard, all requirements are applied to the products AND services of the company. So, throughout the operations requirements in clause 8, the intent is that these will apply to both products and services of the company. As you have indicated, you do not exclude design and development as you take part in it, and apart from some minor differences in meaning as to whether this is a service or not, it is actually a bit irrelevant. If you have identified the requirements for this activity, including those needed to meet the needs of your customers, and these are part of your process, then whether you have a scope of “design and manufacturing” or “design services and manufacturing” the end outcome is really irrelevant.
Even if this activity is considered a service, I am sure that you have all the applicable “controlled conditions” of your service provision included to meet your needs, remembering that the clause 8.5.1 requirements are deemed “as applicable” to whichever product or service they are applied. In the end you have a process that meets the needs of you and your customer.
This change for products and services, along with the ability to exclude design and development from the QMS, is explained a bit more in this article: Can companies still exclude design and development from their AS9100 Rev D QMS?, https://advisera.com/9100academy/blog/2017/10/09/can-companies-still-exclude-design-and-development-from-their-as9100-rev-d-qms/
1 - Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit?
Answer: Before the certification audit, you need to perform an internal audit covering all ISO 27001 requirements (i.e., items from clauses 4 to 10) and applicable controls for all elements included in the Information Security Management System scope. This is a requirement from section 9.2 (Internal audit).
For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to perform an ISO internal audit [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-perform-an-iso-internal-audit-free-webinar-2/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
2 - It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3-year period cover the entire standard. If that is the schedule I create, then for my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit?
Please let me know if you have any questions. Thank you.
Answer: Please note that breaking down the internal audit into sections is valid only after the certification audit (i.e., for surveillance audits). For the certification audit, you need to have performed an internal audit over the whole ISMS scope.
This article will provide you with further explanation about certification and surveillance audits:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
Unfortunately, we do not have such a mapping, but we suggest you take a look at this site to see if this tool can help fulfill your needs: https://www.agilient.com.au/cybersecurity-mapping-tool/
It provides an alignment analysis including ISM, ISO 27001:2013, NIST, and the ASD Strategies to Mitigate Cyber Security Incidents.
Usually, a discussion forum is governed by the forum's terms of service, and so the legal basis for data processing is the contract between the company and the user.
If the user demands that their data be deleted, the data controller (the company) can decide either to anonymize or to delete the data.
Here you can find some information about the legal basis:
If you need to understand how to manage data subjects' rights under GDPR, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Table duplication, although feasible, won’t help you as much.
You should consider keeping all data in the same table, splitting the lines related to the issues you want to track by location. For example:
Instead of
or
You should adjust this line to
and
*: you apply this example to all resources you need to evaluate (e.g., data, servers, documents, services, etc.)
This way you will have all information you need in a single view.
1. What language requirements are there on the following in countries within the EU?
- Labels of main product
- Labels of product boxes
- Labels of outer boxes
- Manuals/IFU
According to Article 10 (General obligations of manufacturers), manufacturers shall ensure that the device is accompanied by the information set out in Section 23 of the General Safety and Performance Requirements in an official Union language(s) determined by the Member State in which the device is made available to the user or patient. The particulars on the label shall be indelible, easily legible, and clearly comprehensible to the intended user or patient.
So, this means that if you put your medical device on only one market, then it is enough to have it in only one official language of the EU.
For more information, see:
2. Do you have a list on specific language requirements PER country on the above?
No. We do not have a list of specific language requirements per country.
1 - The Document of the scope
The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider.
One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division.
The company wants to certify only the Cloud activity, but I want to check if we should include in the scope the HR and Commercial departments in order to respond to the A.7 requirements and the security of customers' personnel information and customers' contracts.
Answer: Please note that an ISMS scope is defined in terms of the locations, information, or processes to be protected, so taking into account your intention to certify the Cloud activity, and that it is located in a separate site, the best options for defining your scope would be by location (Cloud division site) or by processes (processes related to cloud service provision).
Considering that, you do not need to include the HR and Commercial departments in the ISMS scope. In the mentioned situation these departments are dependencies of your ISMS scope, and as dependencies they only need to be identified during the risk assessment and risk treatment process, so that proper controls are selected to protect the in-scope information they have access to.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
2 - The Business Continuity
Should we also prepare all the documents related to the A.17 requirements even if the company doesn't plan to include the BCMS and business continuity certification in this scope?
Thanks in advance for your support.
Best regards
Answer: If there are no relevant risks or legal requirements justifying the implementation of the controls of section A.17, you do not need to implement the related documents.
You only need to implement documents related to section A.17 if you have relevant risks or legal requirements demanding the implementation of these documents. In our experience, we have not seen any company that has excluded these controls.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Please note that either you have unacceptable risks or you do not have them: if you do not have them, then classification controls will not be applicable; if you have unacceptable risks, then the controls need to be applicable, and in that case during the implementation you can define whether these controls apply only to some assets (e.g., a secure data center) or to all assets.
This article will provide you with further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Please note that in your stated scenario employees will still have to use some sort of equipment (company-owned or employee-owned) to access the company’s processes from somewhere (e.g., from an employee’s house or a hotel), so you need to perform a risk assessment to identify whether there are any relevant risks that require the implementation of such controls.
This article will provide you with further explanation about remote work:
This material will also help you regarding remote work: