Search results


  • External and environmental threats

    ISO 27001 does not prescribe ways to implement controls, only the objective to be achieved. For guidance on implementing this control, you should consider ISO 27002, a supporting standard that provides guidelines for implementation of controls from ISO 27001 Annex A.

    Common solutions to implement this control are:

    • Construction hardening (e.g., reinforcement of walls, doors, and windows, possibility to access multiple providers of the same service, etc.)
    • Crime Prevention Through Environmental Design (CPTED) (e.g., natural surveillance/access control)

    This article will provide you a further explanation about the application of control A.11.1.4:

  • Annex controls in SOA

    Please note that there is no need for a folder A.5 in the toolkit, because the policies needed to fulfill the controls from section A.5 of ISO 27001 Annex A are included in all the other folders that are part of folder 08 Annex A. In short, controls from section A.5 are not documents by themselves, but refer to other documents (A.5.1.1) and to practices to be performed on them (A.5.1.2).

    Regarding controls from section A.6.1, please note that roles and responsibilities are defined in each policy and procedure, so there is no need for a specific document to cover control A.6.1.1.

    According to our experience, the BYOD and Mobile Device and Telework policies are sufficient to cover the controls of section A.6.

    Additionally, it is important to understand that ISO 27001 does not require every applicable control to be a separate document. In some cases, you only need to make a brief description of how it is implemented, and you can do that in our SoA template, in the column "Implementation Method".

    This article will provide you a further explanation about the Statement of Applicability:

  • Physical access audit records

    ISO 27001 does not prescribe records to be generated while managing physical access, but common records you should consider are:

    • access rights granted to personnel
    • access logs
    • changes in access rights
    • access review reports

    This way you cover the main steps of access management: the definition of access rights, when they are used and changed, and when they are reviewed.

    This article will provide you a further explanation about physical security:

    This material will also help you regarding physical security:

  • Key Universal Principles of Segregation of Duties

    The most common criteria to be considered for segregation of duties of critical activities are:

    • the person who elaborates something does not approve it
    • the person who performs a task does not review it

    Considering that, for example, the internal auditor/security tester should not be the same person as the service manager. The service manager defines and handles changes/incidents, while the internal auditor/security tester verifies whether these are effective. So, you should verify exactly which activities will be performed by each role to identify potential conflicts of interest.

    For further information, see:

    These materials will also help you regarding segregation of duties:

  • ISO 27001 Internal Auditor or Lead Auditor

    This depends on your career objectives:
    - The ISO 27001 Internal Auditor certification recognizes people capable of auditing an ISMS against ISO 27001. This allows them to perform audits in their own organizations.
    - The ISO 27001 Lead Auditor certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements and qualifies them to audit other organizations on behalf of a customer, or to start the process to become a certification auditor.

    These articles will provide you a further explanation about personal certifications:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/

    These materials will also help you regarding audit training:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

  • ISO 27001 Lead Implementer Course

    The material of our ISO 27001:2013 Lead Implementer Auditor Course is designed by Advisera, and at this moment we are working on its accreditation by Exemplar Global (formerly RABQSA). However, it would not be advisable to use the learning material from one course to pass the exam of another course; therefore, if you plan to go for, e.g., the BSI course, you should use their learning materials.

  • Review ISMS document

    You should review all ISMS scope content, considering the internal and external issues (e.g., internal culture, implemented technologies, market trends, new technologies, etc.) that can affect the ISMS and its proposed objectives, as well as the defined requirements of the interested parties (e.g., contractual clauses, legislation, etc.).

    A change in one of these aspects may require a change in the ISMS scope, either to add, exclude or change something in the current ISMS scope document.

    These articles will provide you a further explanation about the scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding scope definition:
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Implementation of ISO 27001 controls

    Since you have already identified all the controls that are applicable and the percentage by which they are already implemented, my suggestions for additional criteria to prioritize implementation are:
    - controls that affect the highest risks (in fact, this should be your first criterion)
    - which controls will have a more positive impact after implementation
    - which controls require less effort to be implemented

    Regarding starting with those that are lower in percentage, please note that a common risk in implementation projects is that a long period without results can decrease the supporters' interest in the project, so you should balance the implementation of controls that treat the highest risks with those that deliver the quickest results (i.e., controls that are implemented and measured as fast as you can).

    These articles will provide you a further explanation about common controls:
    - The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
    - How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/

    These materials will also help you regarding controls implementation:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Internal ISO 9001-2015 audit

    I have identified the sections in our company manual to answer the questions, but do I need to obtain paper proof?

    Answer:

    You need to obtain evidence that supports the answers to your questions. What people say in their answers are not facts; they are pseudofacts. You have to get evidence, facts that support what people say in their answers. For example, it might be a demonstration, or it might be a record, or it might be corroboration from others, in different places and at different times. So, you need proof, but not necessarily paper proof.

    If I discover a procedure that has not been implemented, do I include it in the audit with a procedure to correct it?

    Answer:

    No. If the procedure is not implemented, you have found a nonconformity. You should write the nonconformity with evidence. That is your role as auditor.

    Auditors do not compromise their independence and impartiality with a solution to the nonconformity. The solution is up to the quality manager or, even better, to the audited area manager. Auditees may decide that the procedure is OK and that what was wrong was a lack of training, or ineffective training for the procedure users, for example. It is not the auditors' job to propose solutions.

    The following material will provide you more information about internal audit:

  • EN 13795/ISO 13485

    In the standard EN 13795-1:2019 Surgical clothing and drapes - Requirements and test methods - Part 1: Surgical drapes and gowns, performance requirements for gowns are specified. It states the tests and the acceptance criteria for the different tests for standard and high performance. But you, as the manufacturer, are responsible for defining the specifications of your medical device.
