
  • ISO 13485 implementation time frame

    This depends on how big your company is, whether your company is in one location or several, how many employees there are, and how complicated your processes are. Usually, very small companies need 2 or 3 months; small organizations of up to 50 employees could implement in 6-8 months; medium-sized organizations of up to 500 employees could implement in 8-12 months; larger organizations can take 12-15 months to implement.

  • Residual risk

    First, you have to identify which documents in your organization contain information about residual risks (e.g., risk assessment and treatment report), and then which persons or roles must have access to them (e.g., risk owner, asset owner, top management, the person responsible for information security, etc.). With this information, you can check whether the significant residual risk is being provided to the appropriate people.

    This information is identified during the definition of the risk assessment and risk treatment processes required by ISO 27001.

    To see what a document with such information looks like, I suggest you take a look at the free demo of our Risk Assessment and Risk Treatment Methodology at this link: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
    This article will provide you with further explanation about risk assessment and risk treatment methodology:

    These materials will also help you regarding risk assessment and risk treatment methodology:

  • Remote Audits in Manufacturing

    Remote audits are about using technology to collect evidence, gather information, interview an auditee, etc. when “face-to-face” methods are not possible or desired.

    ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: Performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between auditor and auditee’s personnel and any regulatory requirements. Please check ISO 19011:2018 Annex A.1 Applying audit methods. See also Annex A.15 Visiting the auditee’s location and Annex A.16 Auditing virtual activities and locations.

    Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives, while benefitting the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.

    Remote audits can be useful for auditing manufacturing during circumstances beyond the control of the organization, commonly referred to as “Force Majeure”. Remote audits can be useful for reducing audit costs and increasing audit efficiency.

    The following material will provide you with more information about remote audits:

  • ISO 27007 vs ISO 19011 for auditing

    ISO 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. ISO 19011 was designed to conduct internal or external audits in management systems in general.

    ISO 27007 provides additional recommendations to the guidance provided by ISO 19011. For example, where ISO 19011 states you must look for evidence of compliance, ISO 27007 will suggest specific evidence and tests for ISO 27001 clauses and controls from Annex A.

    Considering that, for a specific ISO 27001 context, ISO 27007 is more recommended. If you have to also audit other ISO management systems, like ISO 9001 and ISO 14001, ISO 19011 would be a better choice.

    This material can help you:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • ISO 14001 and recording opportunities

    First, let us consider what ISO 14001:2015 considers mandatory. Clause 6.1.1 states the need to maintain a list of the risks and opportunities that need to be addressed by the organization.

    Second, records are the memories of an organization. Without memory it is much more difficult to improve, to compare last year’s point of view with your current situation, with what your organization in the meantime lived, tested, suffered, and improved.

    The following material will provide you with information about document requirements:

  • Consulting and conflict of interest

    1 - When we talk about ISO27001, what is the consulting evidence?

    I'm assuming you are referring to consulting services hired to support operations related to an ISO 27001 based ISMS, because of your second question about pen test and SOC implementation.

    Considering that, ISO 27001 does not prescribe evidence for consulting, but since consulting is a kind of service, you should consider at least the following evidence:
    - contracts or service agreements (they define what is to be delivered and the rules of execution of the job)
    - any evidence of the delivery of what was required (e.g., final reports and all other documents produced by a consultant)
    - any evidence of the acceptance by the customer of what was delivered (e.g., acceptance letters, receipts, etc.)

    2 - Is pen test or contract for implementation of SOC type of consulting?

    Consulting is any kind of service where expert advice is provided, so a pen test and the implementation of a SOC can be provided as consulting.

    3 - Is a CB allowed to give these services to their client?

    I'm assuming that by CB you are referring to Certification Body.

    Considering that, a certification body must avoid performing any other activity for a client in a way that can affect its capacity to evaluate the client in an independent way.

  • ISO 14001 and ISO 9001 similarities

    Both standards require that the policy:

    • Be appropriate to the purpose and context of the organization;
    • Frame the management system objectives;
    • Include a commitment to meet compliance obligations (although 9001 uses another language);
    • Include a commitment to continuous improvement of the management system;
    • Be kept as documented information;
    • Be communicated internally and made available to interested parties.

    While the quality policy, according to ISO 9001, must support the strategic orientation of an organization, the environmental policy, according to ISO 14001, must take into account the relevant environmental impacts and include a commitment to the prevention of pollution and protection of the environment.

    You can find more information about management system policies:

  • ISO 27001 implementation

    Thank you very much for your time and detailed answers. I only have one more question before I make the purchase:

    Comparing the two documents you provide (attached), I see a discrepancy in that a few of the documents listed as mandatory in the Checklist are missing from the List of documents in the Toolkit:

    - Definition of Security roles and responsibilities
    - Acceptable use of assets
    - Operating procedure for IT management
    - Secure system engineering principles
    - Business continuity procedure

    Please explain?

  • Security service presentation

    1. Security standards enforcement measures?

    Answer: Basic enforcement measures to be considered are configuration of technical solutions (e.g., the rules for setting strong passwords), awareness about consequences of non-compliance (i.e., disciplinary process), and periodic audits.

    2. Major threats to security standards?

    Answer: Major threats you can consider are: lack of top management support, lack of understanding of the importance of the standard for the business, and the focus of the solutions only to comply with the standard and not in support of the business.

    3. Technical faults affecting security standards?

    Answer: The main faults to be considered are unmanaged security vulnerabilities (e.g., new software flaws, not installing updates), lack of change control, and misconfigurations during implementation.

    As a general answer you could refer to ISO 27001, the leading standard for information security. Here is some basic information:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  • Agile methodology and ISO 27001 implementation

    Please note that Agile is not a methodology, but a set of people-focused and results-focused methodologies, most used for work with very dynamic requirements. Some examples are:
    - Agile Scrum Methodology
    - Lean Software Development
    - Kanban
    - Extreme Programming (XP)
    - Crystal
    - Dynamic Systems Development Method (DSDM)
    - Feature Driven Development (FDD)

    Project management approaches are not our field of expertise, so we avoid providing recommendations related to them, but you can find useful information in this article:
    - How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/
