
  • Remote Audits in Manufacturing

    Remote audits are about using technology to collect evidence, gather information, interview an auditee, etc. when “face-to-face” methods are not possible or desired.

    ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: Performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between auditor and auditee’s personnel and any regulatory requirements. Please check ISO 19011:2018 Annex A.1 Applying audit methods. See also Annex A.15 Visiting the auditee’s location and Annex A.16 Auditing virtual activities and locations.

    Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives, while benefitting the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.

    Remote audits can be useful for auditing manufacturing during circumstances beyond the control of the organization, commonly referred to as “Force Majeure”. Remote audits can be useful for reducing audit costs and increasing audit efficiency.

    The following material will provide you with more information about remote audits:

  • ISO 27007 vs ISO 19011 for auditing

    ISO 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. ISO 19011 was designed to conduct internal or external audits in management systems in general.

    ISO 27007 provides additional recommendations to the guidance provided by ISO 19011. For example, where ISO 19011 states you must look for evidence of compliance, ISO 27007 will suggest specific evidence and tests for ISO 27001 clauses and controls from Annex A.

    Considering that, for a specific ISO 27001 context, ISO 27007 is the more recommended option. If you also have to audit other ISO management systems, like ISO 9001 and ISO 14001, ISO 19011 would be a better choice.

    This material can help you:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • ISO 14001 and recording opportunities

    First, let us consider what ISO 14001:2015 considers mandatory. Clause 6.1.1 states the need to maintain a list of the risks and opportunities that need to be addressed by the organization.

    Second, records are the memories of an organization. Without memory it is much more difficult to improve, to compare last year’s point of view with your current situation, with what your organization has in the meantime lived through, tested, suffered, and improved.

    The following material will provide you with information about document requirements:

  • Consulting and conflict of interest

    1 - When we talk about ISO27001, what is the consulting evidence?

    I'm assuming you are referring to consulting services hired to support operations related to an ISO 27001-based ISMS, because of your second question about pen test and SOC implementation.

    Considering that, ISO 27001 does not prescribe evidence for consulting, but since consulting is a kind of service, you should consider at least this evidence:
    - contracts or service agreements (they define what is to be delivered and the rules of execution of the job)
    - any evidence of the delivery of what was required (e.g., final reports and all other documents produced by a consultant)
    - any evidence of the acceptance by the customer of what was delivered (e.g., acceptance letters, receipts, etc.)

    2 - Is pen test or contract for implementation of SOC type of consulting?

    Consulting is any kind of service where expert advice is provided, so pen test and implementation of SOC can be provided as consulting.

    3 - Is a CB allowed to give these services to their client?

    I'm assuming that by CB you are referring to Certification Body.

    Considering that, a certification body must avoid performing any other activity for a client in a way that can affect its capacity to evaluate the client independently.

  • ISO 14001 and ISO 9001 similarities

    Both standards require that the policy:

    • Be appropriate to the purpose and context of the organization;
    • Frame the management system objectives;
    • Include a commitment to meet compliance obligations (although 9001 uses another language);
    • Include a commitment to continuous improvement of the management system;
    • Be kept as documented information;
    • Be communicated internally and made available to interested parties

    While the quality policy, according to ISO 9001, must support the strategic orientation of an organization, the environmental policy, according to ISO 14001, must take into account the relevant environmental impacts and include a commitment to the prevention of pollution and protection of the environment.

    You can find more information about management system policies:

  • ISO 27001 implementation
    Thank you very much for your time and detailed answers. I only have one more question before I make the purchase:

    Comparing the two documents you provide (attached), I see a discrepancy: a few of the documents listed as mandatory in the Checklist are missing from the List of documents in the Toolkit:

    - Definition of Security roles and responsibilities
    - Acceptable use of assets
    - Operating procedure for IT management
    - Secure system engineering principles
    - Business continuity procedure

    Could you please explain?

  • Security service presentation

    1. Security standards enforcement measures?

    Answer: Basic enforcement measures to be considered are configuration of technical solutions (e.g., the rules for setting strong passwords), awareness about consequences of non-compliance (i.e., disciplinary process), and periodic audits.

    2. Major threats to security standards?

    Answer: Major threats you can consider are: lack of top management support, lack of understanding of the importance of the standard for the business, and solutions focused only on complying with the standard rather than on supporting the business.

    3. Technical faults affecting security standards?

    Answer: The main faults to be considered are unmanaged security vulnerabilities (e.g., new software flaws, not installing updates), lack of control of changes, and misconfigurations during implementation.

    As a general answer you could refer to ISO 27001, the leading standard for information security. Here is some basic information:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  • Agile methodology and ISO 27001 implementation

    Please note that Agile is not a methodology, but a set of people-focused and results-focused methodologies, most used for work with very dynamic requirements. Some examples are:
    - Agile Scrum Methodology
    - Lean Software Development
    - Kanban
    - Extreme Programming (XP)
    - Crystal
    - Dynamic Systems Development Method (DSDM)
    - Feature Driven Development (FDD)

    Project management approaches are not our field of expertise, so we avoid providing recommendations related to them, but you can find useful information in this article:
    - How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/

  • ISO 27001 and PCI DSS/ PA DSS

    We're not experts in PCI DSS, but generally ISO 27001 documentation can help cover some of the requirements of PCI DSS - e.g. Access control policy.

    This article from ISACA provides a comparison: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-1/comparison-of-pci-dss-and-isoiec-27001-standards

    These articles will provide you further explanation about ISO 27001 and PCI DSS:
    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/
    - PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification https://advisera.com/27001academy/knowledgebase/pci-dss/

  • Risk assessment table

    1. Is the risk rating based on taking into account existing controls, or, in the case of no controls at all, before controls are applied?
    How does control No 4 affect the risk level of risk No 4?

    Shouldn't the sequence be:
    - assess risk
    - take into account existing controls
    - update risk taking into account existing controls
    - perform risk treatment for unacceptable risks and document in risk treatment table
    - define a risk treatment plan

    Risk rating must consider already implemented controls because this situation reflects the reality of your organization.

    The mentioned control (locked in the file cabinet) decreases the effect of the vulnerability (unauthorized access to facilities allowed) on the likelihood: even if a person has unauthorized access to the facilities, since the confidential agreement is in a locked cabinet, the person will not be able to access the agreement without the appropriate tools.

    Considering your proposed sequence, taking into account the existing controls is performed at the same time as you assess the risk, because the control affects the components of the risk (i.e., impact and/or likelihood). So the sequence would be:

    • assess risk, take into account existing controls
    • perform risk treatment for unacceptable risks and document in risk treatment table
    • define a risk treatment plan

    2. what about existing controls for No 1-3? None implemented yet?

    In the tutorial, there are no controls implemented for risks 1-3. These examples were used to demonstrate the most common situation, where there are no controls implemented and a single asset can have multiple risks associated with it.

    3. What about controls for risks that can be accepted?

    For risks with no currently implemented controls that are acceptable, you do not need to associate controls, so there is nothing to fill in in the last column.

    In case you have a risk that is acceptable because you have an implemented control associated with it, you should evaluate if this control needs some kind of adjustment (e.g., a technological update, or change in the process). If no adjustments are needed then your job is finished.

    In case you understand the control needs adjustment, then you must include this risk in the next step of the process, the risk treatment.
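The single-step assessment described in the answer above (existing controls lower likelihood and/or impact while the risk is rated, unacceptable risks and acceptable-but-adjustment-needed risks go to the treatment table) as an added worked example. This is not code from the forum post or from the Advisera tutorial; the register rows, the 0..2 scales, the additive risk formula and the acceptance threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scale: impact and likelihood 0..2, risk = impact + likelihood,
# risk acceptable when it is <= ACCEPTABLE_MAX. All values are constructed.
SCALE_MAX = 2
ACCEPTABLE_MAX = 2


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # how much the control lowers the likelihood
    impact_reduction: int = 0       # how much the control lowers the impact
    needs_adjustment: bool = False  # e.g. a pending technology update or process change


@dataclass
class Risk:
    no: int
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    existing_control: Optional[Control] = None


def clamp(value: int) -> int:
    return max(0, min(SCALE_MAX, value))


def assess(risk: Risk, with_controls: bool = True) -> int:
    """Rate the risk. With with_controls=True the already implemented control is
    factored into impact/likelihood in the same step (the answer's sequence);
    with_controls=False gives the inherent rating before any control, for comparison."""
    impact, likelihood = risk.impact, risk.likelihood
    control = risk.existing_control
    if with_controls and control is not None:
        impact = clamp(impact - control.impact_reduction)
        likelihood = clamp(likelihood - control.likelihood_reduction)
    return impact + likelihood


def is_acceptable(risk: Risk) -> bool:
    return assess(risk) <= ACCEPTABLE_MAX


def treatment_table(risks: list) -> list:
    """Rows that continue into risk treatment: unacceptable risks, plus acceptable
    risks whose existing control was judged to need adjustment. Acceptable risks
    with no control, or with a control needing no change, are finished here."""
    rows = []
    for risk in risks:
        if not is_acceptable(risk):
            rows.append((risk.no, "unacceptable"))
        elif risk.existing_control is not None and risk.existing_control.needs_adjustment:
            rows.append((risk.no, "existing control needs adjustment"))
    return rows


# Constructed register mirroring the shape of the question: risks 1-3 have no
# controls; risk 4 has the "locked file cabinet" control that cuts the likelihood.
REGISTER = [
    Risk(1, "Customer database", "Malware", "No anti-malware", impact=2, likelihood=2),
    Risk(2, "Customer database", "Disk failure", "No backup", impact=2, likelihood=1),
    Risk(3, "Laptop", "Theft", "Unencrypted disk", impact=1, likelihood=1),
    Risk(4, "Confidentiality agreement", "Unauthorized reading",
         "Unauthorized access to facilities allowed", impact=1, likelihood=2,
         existing_control=Control("Locked file cabinet", likelihood_reduction=2)),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"Risk {r.no}: inherent={assess(r, with_controls=False)} "
              f"current={assess(r)} acceptable={is_acceptable(r)} "
              f"control={r.existing_control.name if r.existing_control else '-'}")
    print("Treatment table:", treatment_table(REGISTER))
```

Running the script shows risk 4 dropping from an inherent rating of 3 to a current rating of 1 because the cabinet control is applied during assessment, so only risks 1 and 2 reach the treatment table; flipping `needs_adjustment` on the cabinet control sends risk 4 there as well.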

