The list of controls can be found in Annex A of the ISO 27001 standard. Control A.8.2.1 refers to the Classification of information (Information must be classified in terms of predefined requirements).
This list of controls is also visible in the Statement of Applicability, which is located in folder 06 Statement of Applicability.
These articles will provide you with further explanation about controls selection and the statement of applicability:
I am a very visual person. So, I recommend that organizations draw a flowchart with the main steps in the life cycle numbered. Then, design a table where the first column identifies the main steps and their numbers. The other columns include topics like aspects, impacts, related legislation or regulation, legislation or regulation compliance situation, evaluation parameters, and final result with decision upon significance.
Please check below for more information about life cycle:
- Article – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- Article - How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
When monitoring external context, I recommend considering two kinds of monitoring:
By strategic I mean reviewing the external context when preparing for management review. For this kind of monitoring, I use the PESTL analysis framework in order to support the discipline of questioning the mind around various areas that may affect an organization (politics, economics, social, technology, legislation, and environment). After the PESTL analysis, I recommend collecting positive external issues as opportunities and negative external issues as threats and I organize the information in a SWOT matrix that allows us to determine potential risks and opportunities. Please check these two free webinars where I demonstrate the use of the technique:
By reactive I mean that, between management reviews, top management monitors the system’s performance. For example, last Monday I conducted a monthly monitoring meeting at an industrial organization. The first topic was all about the external context: How to minimize disruption due to the coronavirus outbreak?
You can find more information about external context below:
- ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 27001 does not prescribe which role must be responsible for policies and procedures, so an organization can define these responsibilities as best fits it.
Considering that, the "head" of the organization is one good option when the ISMS scope is the entire organization. When the ISMS scope covers only part of the organization, this responsibility can be delegated to the person with the highest hierarchical level in the scope. In both cases, this responsibility can be delegated to the person responsible for information security, if such a role exists.
Please note that this makes sense only for general policies and procedures. For more operational policies and procedures, a person in charge of a particular department or process will be the best owner - e.g. Head of Human Resources for HR security procedures.
These articles will provide you with further explanation about the top management responsibilities:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
This material can also provide further information:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
To answer your question, ILAC G8:03 is obsolete. Only the latest version of ILAC G8 should be referenced, i.e. ILAC G8:09/2019 Guidelines on Decision Rules and Statements of Conformity.
ILAC, the international organisation for accreditation bodies, produces guidance documents for assessors, regulators, laboratories and customers on the interpretation of accreditation criteria. As the 2017 edition of ISO/IEC 17025 requires decision rules to be agreed on when a laboratory issues statements of conformity to specifications or standards, ILAC G8 was revised extensively.
The article "ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed?" may be of interest. Available at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/
As far as I remember, the wording “special processes” comes from the initial ISO 9001:1987 version. Imagine a manufacturing process where welding takes place, or where a sterilization process takes place. Is it possible to test welding quality? Is it possible to test sterilization effectiveness? Yes. Is it economically sound to do it every time? Normally, no. But organizations want to be sure that welding, sterilization, heat treatment, painting, and other activities are correctly performed. So, they have to validate process conditions and train people to be competent in performing the activities.
You can find more information about special processes below:
- How to establish process validation in the QMS - https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
"Risk Deviation" is a statistical concept based on the standard variation. It means how volatile a risk is, i.e., the range of possible values a risk can assume around an expected value.
For example, if you have a risk mean value of 3, with a deviation of ±0.2, this means that this risk can vary from 2.8 to 3.2.
1. Regarding Segregation of duties I believe some jobs can’t be combined (like the SO can’t be the DPO?)
I'm assuming that by SO you mean Security Officer. Considering that, and ISO 27001 and EU GDPR, there are no requirements in these references preventing a single person from being both SO and DPO. Of course, you should also consider other laws, regulations or contracts you have to comply with to define whether these jobs can be performed by a single person.
GDPR requires an independent DPO who needs to relate with the data controller, data subjects and surveillance authorities.
For larger companies it is a good practice to have these two positions separated; for smaller companies, this is not feasible.
GDPR also requires a close look at the dimensions of the company, so that in SMEs, if the circumstances do not create a risk of conflicts, the Security Officer and DPO can be the same person. Of course, the reasons for such choices, and policies to avoid conflicts, must be set out in order to comply with the accountability principle.
2. Are there specific combinations that are not done? We have these roles in the company, to divide among 4 people:
- Security officer (is also Risk manager & Authorization officer)
- Internal auditor (external consultant)
- Service manager (is also Change manager & Incident manager)
- Security tester (outsourced)
- Compliance officer
- Solutions Director
- DPO
The most common criteria to be considered for segregation of duties of critical activities are:
Considering that, for example, the internal auditor/security tester should not be the same person as the service manager. The service manager defines and handles changes/incidents, while the internal auditor/security tester verifies whether these are effective. So, you should verify exactly which activities will be performed by each role to identify potential conflicts of interest.
For further information, see:
3. Do you also have standard lists of the Responsibilities & Requirements of these roles?
ISO 27001 does not prescribe the security officer role, only that relevant information security responsibilities are defined and designated.
Articles 37 to 39 of the GDPR describe the designation, the position and the tasks of the DPO according to the GDPR. Article 39 GDPR lists the tasks of the DPO, stating that the DPO shall ensure:
These articles will provide you with further explanation about responsibilities for information security:
You can also find some useful information on our free training online course The role of DPO according to GDPR: https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/
Since 2012 all ISO management systems have a similar framework, so integrating them is a lot easier today.
You can find a comparison between ISO 27001 and ISO 9001 in this material:
The matrix shows relationships between clauses of ISO 27001 and ISO 9001 and gives an overview of common requirements of these two standards with tips on how to fulfill them with as little documentation as possible.
Regarding which one adds more value, ISO 9001 or SOC2, you have to evaluate which objective your organization wants to achieve, legal requirements (e.g., laws, regulations, and contracts) you must comply with, and which framework will bring them more clients.
This article will provide you with further explanation about integrating management systems:
I want to know how to conduct and compile a report on environmental, design, structural and amenities deficiency