Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 14001 Multiple sites merging under one manual

    Thank you.  Much appreciate your help

  • ISO 9001 Sales office under the scope

    Your company interacts with clients according to ISO 9001:2015 clause 8.2 and that clause cannot be excluded. If clause 8.2 is done by Sales offices, it cannot be excluded from scope.

    The following material will provide you more information about exclusions:

  • ISO 9001 Managing an ISO 9001 compliant system

    For documents that are relevant to the quality management system. Normally, organizations use stamps like:

    • Controlled copy (after approval)
    • Uncontrolled copy (for example, when a document is given to an outsider for information purposes)
    • Obsolete (when the document is no longer current but the organization decides to keep a copy for historical purposes)
       

    The following material will provide you more information about documents:

  • Question about ISO 27018 certification

    Thank you for the reply. That clears it up then. 

  • Aligning business strategy to ISMS

    In fact, the most common situation is the other way around (align ISMS to business strategy), and to do that you basically need to take business objectives and strategies into account when defining the ISMS objectives and scope.

    For example, if e-commerce is an important part of the business, and the ISMS objectives and scope do not include e-commerce, then the ISMS is not aligned to the business.

    Another example, if customer information is important to the business and the ISMS scope includes customer information, and there is a clear ISMS objective related to it (e.g., reduce the occurrence of a customer data breach, or comply with GDPR), then the ISMS is aligned with the business.

    This article will provide you a further explanation about aligning ISMS to business strategy:

  • ISO certification

    1. What are all the procedures for getting ISO 27001 certification for an organization?

    First, it is important to note that some documents and records are mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10), and these are:

    • Scope of the ISMS (clause 4.3)
    • Information security policy and objectives (clauses 5.2 and 6.2)
    • Risk assessment and risk treatment methodology (clause 6.1.2)
    • Statement of Applicability (clause 6.1.3 d)
    • Risk treatment plan (clauses 6.1.3 e and 6.2)
    • Risk assessment report (clause 8.2)
    • Records of training, skills, experience, and qualifications (clause 7.2)
    • Monitoring and measurement results (clause 9.1)
    • Internal audit program (clause 9.2)
    • Results of internal audits (clause 9.2)
    • Results of the management review (clause 9.3)
    • Results of corrective actions (clause 10.1)

    Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happen:

    • There are unacceptable risks that justify the application of the control
    • There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
    • There is a top management decision, to implement the control, by considering it as good practice.

    If none of the above conditions happen, there is no need to implement a document related to that control. Examples of such documents are:

    • Inventory of assets (to implement control A.8.1.1)
    • Acceptable use of assets (to implement control A.8.1.3)

    Considering that, besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

    These articles will provide you a further explanation about ISO 27001 documents and selection of controls:

    2. What are all the requirements (i.e., qualification for company, needs for getting ISO certification)?

    Broadly speaking, to be ready for ISO certification, an organization needs to:

    • Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
    • define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
    • develop risk assessment and treatment methodology;
    • perform a risk assessment and define the risk treatment plan;
    • implement controls (e.g., policies and procedures documentation, acquisitions, etc.);
      perform people training and awareness;
    • operate controls;
    • perform monitoring and measurement;
    • perform an internal audit;
    • perform management critical review; and
    • address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you a further explanation about ISMS implementation:

    3. Where we can apply for that ISO certification?

    ISO 27001 certifications are issued by organizations known as "certification bodies", which follow strict procedures to audit and report audit results to provide confidence on audit findings to interested parties (e.g., the organization itself, its customers, regulation bodies, etc.).

    The choice of the certification body is an organization's decision, based on its strategies and business objectives and alignment with certification body practices.

    This article will provide you a further explanation about the certification body:

    4. What is the cost of this ISO certification?

    There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:

    • Training and literature
    • External assistance
    • Technologies to be updated/implemented
    • Employee's effort and time
    • The certification process

    Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

    These articles can provide you more information:

    5. If we applied when it will reach us?

    I'm sorry, but I'm not certain about what do you mean about "when it will reach us" to provide a proper answer. If you could provide more information or an example maybe I can help.

    6. How much the period of time for this ISO certification? Once we got that certification when we renew that or not needed.

    After certification, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for the recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.

    This article can also help you: 

  • Conceding ISO 17025 certificate

    The accreditation process can typically take between 6 to 8 months. Each accreditation body will have a guideline on this, which you can obtain from them.  The first time period is between application (with submission of documents) and the initial assessment. This could be around three months. The second period is between assessment and clearing any findings. The accreditation body will provide, typically 3 months for the laboratory to do root cause analysis and clear the findings of the initial assessment, i.e take action (not the promise to do so). Thereafter, the accreditation body will have a time frame, perhaps a month to issue the certificate.

  • Difference between technical and control of records of ISO 17025:2017

    Good

  • ISO certification

    A question.
    We need to certify ourselves in the security of data deletion or disk destruction.
    Which of the ISOs would help us to review the packages?

    Our toolkits related to information security are based on ISO 27001, then this is the standard you need to use to review the toolkits.

    Included in the free demo of each toolkit you will find a List of documents file that will show you which clauses are covered by each document in the toolkit.

    But please note that ISO 27001 does not provide technical guidance on how to perform data disposal. For technical guidance, you should consider these references:

    You can see our toolkits on this link:  https://advisera.com/27001academy/es/tour-del-producto/ 
Page 338-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +