
  • ISO 27001 security-driven culture

    1. How can we create an ISO 27001 security-driven culture in an organization?

    To develop a security culture you must consider these points:

    • definition of clear objectives and targets
    • definition of roles and responsibilities
    • providing awareness about the importance of information security and the consequences of incidents and non-compliances
    • providing training about how to perform required activities
    • measure and analyze performance and provide feedback

    For further information, see:

    This material will also help you regarding awareness and training:

    2. What are the success factors to ensure ISO 27001 compliance?

    Some common main success factors to ensure ISO 27001 compliance are:

    • top management support
    • clear objectives (aligned with business objectives)
    • clear roles and responsibilities
    • trained personnel
    • regular performance review

    These articles will provide you a further explanation about some success factors:

  • Productivity and surpasses performance target

    First, it is important to note that the purpose of ISO 27001/ISMS is not to ensure productivity nor to surpass performance targets, but to protect information.

    However, ISO 27001 can indirectly influence productivity. With a well-performed risk assessment and treatment, only the necessary controls will be selected and applied, and this can help productivity by:

    • avoiding excessive security
    • decreasing the occurrence and impact of information related incidents on productivity

    For example, by ensuring the integrity of product specifications, it helps avoid rework and resource waste. By ensuring the availability of operational procedures in the workplace, it helps employees to work on proper activities.

    These articles will provide you a further explanation about security objectives:

  • Risk Assessment

    Please note that before the certification audit you need to have evidence that all requirements from ISO 27001 clauses 4 to 10, and applicable controls, are implemented and working as expected.

    Considering that, you need to perform at least one internal audit, covering all requirements and applicable controls, and one management review before the certification audit (corrective actions you need to perform only if you identify any nonconformity during the implementation process). The lack of an internal audit and management review will make it impossible for the certification auditor to start stage 2 of the certification audit.

    These articles will provide you a further explanation about the certification audit:

    This material will provide you a further explanation about the certification audit:

  • Software validation procedure

    This is helpful, and I would be interested in hearing more about this in one of your webinars, perhaps? Many thanks.

  • Examples in "Organizational knowledge"

    When I work with organizations, facilitating the implementation of a quality management system according to ISO 9001:2015, about clause 7.1.6 “Organizational Knowledge”, I draw the following matrix:

    https://www.screencast.com/t/XS7rxCzRoa

    The first and second paragraphs of clause 7.1.6 are about quadrants 1 and 2.
    Quadrant 1 is about what we know that we know – that is written in procedures, work instructions, tables, specifications. Normally, it is listed or codified in job descriptions, and when someone starts in a new position human resources plans an integration program with that knowledge transfer. For a construction contractor this is the engineering knowledge acquired at universities; this is empirical knowledge translated into your documented procedures and templates.

    Quadrant 2 is about what we don’t know that we know – that is work experience not codified, unwritten rules. Normally, it is transferred through coaching with more experienced job partners. For a construction contractor this can be the know-how about using explosives to blast rock in a constrained environment. You know, it is different studying that kind of technique in a book or through experience. For a construction contractor this can be the ability to manage a lot of work fronts at the same time on the same site. Again, things that you learn with experience and are difficult to transmit in a classroom.

    The third and fourth paragraphs of clause 7.1.6 are about quadrants 3 and 4.
    Quadrant 3 is about what we know that we don’t know – that is information that, when an organization realizes it is missing, can be obtained through training, books, seminars, consultants, suppliers, technical magazines. For example, this question fits in this quadrant. For a construction contractor this can be working with a university or another partner to find a technical solution to solve an architectural challenge.

    Quadrant 4 is about what we don’t know that we don’t know – I call it the radar. How does the organization keep a radar working on relevant information that can change the future of the business? Normally, organizations keep track of anything new through books, magazines, blogs, conferences, networking, suppliers, …

    The following material will provide you information about organizational knowledge:

  • Reducing risks from prosecution, pollution, and reputational damage

    ISO 14001:2015 states that organizations when determining environmental aspects and impacts should consider the lifecycle of its products and services. ISO 14001:2015 uses the word “consider” because each organization must be aware of its context. A small organization has little power or impact over suppliers. A small organization has little influence over its customers and/or customers’ customers.

    Consider the example of a large organization with big brand power and with its production subcontracted. If one or more of those subcontractors has no concern for the environment and generates pollution, the big brand has a risk of reputational damage because, for consumers, the manufacturer is invisible; it is only the brand that counts. Acting proactively to improve the environmental aspects may open a lot of opportunities for improving efficiency, reducing waste and environmental costs.

    You can find more information below:


  • GDPR privacy policy - and Facebook

    From your question I understand that you are using the Facebook page as an influencer, for your product promoting activity, and your earnings come from affiliate marketing. If so, you should have a privacy notice implemented with reference to Facebook pages saying that profile data will be managed by the Facebook privacy policy and terms and conditions.

    Of course, if your group is a personal group and your contacts are friends, family, and people you know in your everyday life, GDPR does not apply to private activity.

    Here you can find some useful material:

    You may also consider enrolling in this online EU GDPR Foundations Course:

    • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Compliance with the access control policy

    COVID-19 represents a significant change in the organizational context, so according to ISO 27001, clause 8.3, you must perform a risk assessment to identify if new risks have arisen (e.g., related to access control when working from home), or if current risks have changed. Based on the results of this new risk assessment you can decide if the access control policy needs to change or not. This way you can ensure your access control policy will remain compliant with the standard's requirements.

    Specifically about the use of cards and biometrics, maybe you should consider implementing an alternative way of identification and authentication (e.g., locks with keys only) paired with video monitoring, or adopting cleaning practices for the input devices, according to manufacturers' recommendations.

    This article will provide you a further explanation about risk assessment and risk treatment:

    These materials will also help you regarding risk assessment and risk treatment:

  • Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

    Please note that requirements in the main section of the standard (sections 4 to 10) related to roles and responsibilities do not require these to be documented.

    On the other hand, to fulfill controls A.7.1.2 and A.13.2.4, the roles and responsibilities need to be documented.

    This article will provide you a further explanation about documentation of roles and responsibilities:

  • Finding internal and external auditors

    First of all, sorry for this misunderstanding.

    We are not aware of specific jobs, boards or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, the ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.
