Search results

Updating the Incident Management Procedure

It would be great if you could share some examples for different categories like security weakness or event and incidents. This way we can get a better understanding of each type.

Weakness is a characteristic of an asset which enables a potential threat to create an incident - for example, this could be a software that is not patched. For other explanations see this article: ISO 27001 information security event vs. incident vs. non-compliance https://advisera.com/27001academy/blog/2018/12/03/iso-27001-information-security-event-vs-incident-vs-non-compliance/ 

Should we include our maintenance window to this document to exclude from our SLA? I mean we use this document as a reference for SLA.

I assume you refer to Incident Management Procedure - this procedure needs to be aligned with your existing SLAs, meaning you have to plan to react to incidents in a way to comply with the requirements from your clients. 

Here's some more information: How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/ 

Do you recommend any tool for handling incidents proper for small business?

In couple of months time we will launch a new SaaS tool that will help smaller companies handle incidents compliant with ISO 27001 - we'll let you know once we complete it. 

Contingency planning 

1-is contingency plan part of ISO22301 requirements?

The word "contingency" is not used in ISO 22301, but the whole idea of ISO 22301 is to prepare a company for a disruption. 

2-who should develop contingency plan and scenarios

Usually a person is appointed to coordinate business continuity project, and this person together with the heads of departments develops the whole business continuity documentation. 

See also: The challenging role of the ISO 22301 BCM Manager https://advisera.com/27001academy/blog/2016/03/21/the-challenging-role-of-the-iso-22301-bcm-manager/ 

4-is there any conflicts between having contingency plan is ready and ITDR project ?? I mean is it an obstacle for DR project if I do not have contingency pls

If by "contingency" you mean the plans on how to recover your IT infrastructure, then the answer is that you must have those plans. 

Finally, do u have a kit for crisis scenarios?

ISO 22301 Documentation Toolkit contains a list of most common disruption scenarios; it also contains a documentation for risk assessment with catalogs of threats and vulnerabilities.

ISO 9001 requirements for implementation

No, there are no mandatory requirements for the person leading the ISO 9001:2015 implementation project. However, knowing the standard is a great obvious help. Also, taking our ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/ can be helpful to learn some good practices.

Later in the implementation life cycle, your organization will need to perform internal audits. At that moment it is useful to have at least one person in the organization able to do that. So, later in the implementation life cycle, you can attend a training course like our free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/

You can find more information below:

• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on-demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

How to exclude information in the definition of scope?

I assume your question is how to exclude maintenance and administrative tasks for the EMEA area of hosting from your scope. 

First you have to consider if this exclusion is feasible or not - if the people who work on mentioned tasks within your branch cannot be logically and/or physically separated from the rest of your branch office, then it would be better if they remain in the scope. 

If it is feasible to exclude the activities you mentioned from the scope, then you have to define in your ISMS Scope document which activities are, and which are not included in your scope. Together with the toolkit you purchased you have the access to the video tutorial that explains how to fill out the ISMS Scope document. 

These materials will also help you with the scope definition: 

• article Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ 

Certificação ISO 27001

A ISO 27001 foi projetada para ser implementada em organizações de qualquer tamanho e indústria, portanto, as etapas gerais são as mesmas para qualquer indústria, incluindo as da indústria gráfica.

Em termos gerais, depois de obter suporte para seu projeto (por meio da aprovação do plano de projeto do SGSI) e da aprovação do Procedimento para Controle de Documentos e Registros, você deve considerar estas etapas:

• definir a estrutura básica do SGSI (por exemplo, escopo, objetivos, estrutura organizacional), por meio da compreensão do contexto organizacional e dos requisitos das partes interessadas
• desenvolvimento de avaliação de risco e metodologia de tratamento
• realizar uma avaliação de risco e definir o plano de tratamento de risco
• implementação de controles (por exemplo, documentação de políticas e procedimentos, aquisições, etc.)
• treinamento e conscientização de pessoas
• controla a operação
• monitoramento e medição de desempenho
• realizar uma auditoria interna
• realizar a revisão crítica da gestão
• abordar não-conformidades, ações corretivas e oportunidades de melhoria.

Para ver como são os documentos em conformidade com a ISO 27001, sugiro que você dê uma olhada na demonstração gratuita de nosso kit de documentação ISO 27001 neste link: https://advisera.com/27001academy/pt-br/kit-de-ferramentas-da-documentacao-da-iso-27001/

Este artigo fornecerá uma explicação adicional sobre a implementação do ISMS:

• Lista de verificação de implementação ISO 27001 https://advisera.com/27001academy/pt-br/knowledgebase/lista-de-verificacao-para-implementacao-da-iso-27001/

Esses materiais também irão ajudá-lo com relação à implementação da ISO 27001:

• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 certification

ISO 27001 was designed to be implemented in organizations of any size and industry, so the general steps are the same for any industry, including those of the printing industry.

Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

• defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
• development of risk assessment and treatment methodology;
• perform a risk assessment and define the risk treatment plan;
• controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
• people training and awareness;
• controls operation;
• performance monitoring and measurement;
• perform an internal audit;
• perform management critical review; and
• address nonconformities, corrective actions, and opportunities for improvement.

To see how documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

This article will provide you a further explanation of ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001 implementation:

• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Pre-requisite/eligibility criterion for 9001:2015 Internal Auditor certification

No, there is no pre-requisite for being an ISO 9001:2015 internal auditor. Each organization has the authority to determine what should be its own criteria either as a pre-requisite, not mandatory, either as competence requirement, mandatory.

Normally, organizations decide that internal auditors should have a good knowledge of the standard and of good auditing practices.

You can find more information below:

• Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
• Webinar - Free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Making of a quality flow chart

Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I explain how to develop process mapping, drawing a model of how an organization works, based on the process-approach, and how to draw a flowchart describing each process.

The following material will provide you information about processes:

• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (where I apply the process approach as the basis for developing a quality management system)

Is IATF accreditation necessary?

The conditions for obtaining the IATF 16949: 2016 certificate are specified in IATF Rules 5. I give the details below to obtain this certificate.

1. Suppliers who produce parts for OEM (Original Equipment Manufacturer) and/or OES (Original Equipment Service) customers in the automotive industry and these parts must be fitted to the vehicle. As you know, production methods such as heat treatment, coating, assembly, welding, and the like are included in this scope.

2. The suppliers must be able to ship to the customer continuously and in mass production. If the produced 3D part is attached to the vehicle serially, the IATF 16949: 2016 certificate may be required. For this, it may be necessary to get the opinion of the customer.

3. Suppliers who manufacture aftermarket parts cannot apply for IATF 16949: 2016 certification.

The customer-specific requirements (CSR’s) must first determine the conditions for IATF 16949: 2016 certificate. If the supplier meets the above conditions and the customer has required to obtain the IATF certificate, then the supplier can apply for a certification audit to the certification body.

Rather than the supplier is small or large; especially, suppliers who produce parts directly for OEM and/or OES customers such as Ford, Daimler, Renault, etc., must obtain the IATF 16949: 2016 certificate if the customer does not have a different requirement.

Apart from that, an accredited ISO 9001: 2015 certificate is sufficient for automotive customers. Because of the first requirement for the IATF 16949: 2016, the standard is to be ISO 9001: 2015 accredited for the suppliers. Apart from this, the customer-specific requirement (CSR) of the customer is of course important.

For more information, see:

• Key Benefits of IATF 16949 Implementation https://advisera.com/16949academy/knowledgebase/key-benefits-of-iatf-16949-implementation/
• Project plan for IATF 16949:2016 implementation https://info.advisera.com/16949academy/free-download/project-plan-for-iatf-16949-implementation-presentation
• What are the main differences between IATF 16949 and ISO 9001? https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/

Is PII Information?

1 - Is customer PII considered as Information in ISO 27001:2013 Standard?

Answer: Information is any data with meaning, and ISO 27001 was designed to protect any kind of information, so Customer Personally Identifiable Information (PII) is also considered in its scope.

These articles will provide you a further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

This material will also help you regarding ISO 27001:
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

2 If yes then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon contractual agreement. Shouldn't this activity be not allowed to be excluded from contractual agreement? This question confuses me on allowing exclusions in ISMS

Answer: First is important to note that for most countries the protection of PII is not a contractual obligation, but a legal obligation. For example, we have GDPR in Europe, CCPA in U.S., and LGPD in Brazil.

GDPR and other regulations require a contract between controller and a processor, in cases both when the outsourced processing is done within the country and outside the country.

For further information, see:
- EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//