Please note that ISO 27001 requires that documents must be approved, and the organizational information presented in the templates only identifies who was involved in the creation and approval process.
Signing the document, either physically or electronically, is one way to ensure it was approved by an authorized person, but if you can provide another way to ensure this proper approval you can delete the parts of the text about signature.
For example, for electronic documents, if you use a document management system (DMS), most probably it has an approval feature that can be used to evidence proper approval.
For physical documents, the use of personalized stamps or seals can substitute the signature.
This article will provide you further explanation about managing documents:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
These materials will also help you regarding managing documents:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
The main standard for information security risk management is ISO 27005, of which you can see a preview at this link: https://www.iso.org/standard/75281.html
These articles will provide you further explanation about risk identification and calculation:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
These materials will also help you regarding risk identification and calculation:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Both adjustments can be made in your document, i.e., including reference to control A.14.1.1 in section 2 (reference documents), and add the Secure Development Policy as an implementation method for control A.14.1.1 in the SoA.
ISO 27001 does not require a procedure for measurement, only evidence of the monitoring and measurement results. For this purpose, you can use the template Measurement Result, located in folder 11 - Management Result.
This article will provide you further explanation about monitoring and measurement:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Please note that the user's roles in a RACI Matrix must be defined according to specified activities (i.e., the same user may have different roles for different activities).
For example, if the activity is "communicate policy publication" users will have the role "informed", while the security officer, for example, will have the role "responsible" (he is the one to communicate the new policy).
If the activity is "follow policy", then programmers and system administrators will have the role "responsible", while the policy owner will have the role "accountable".
This article will provide you further explanation about RACI matrix:
- RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
I require advice on how cryptography policies should be documented. This is to reach an ISO 27001 certification.
To see what a policy for use of encryption compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our Policy on the Use of Encryption at this link: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
The purpose of this document is to define rules for the use of cryptographic controls, as well as the rules for the use of cryptographic keys, in order to protect the confidentiality, integrity, authenticity, and non-repudiation of information.
This article will provide you further explanation about cryptographic policy:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
We received these questions:
1. We are initiating the process to get accreditation for ISO 17025:2017 for our laboratory. We are a pharmaceutical company having all the related SOPs for ISO 9001:2015, etc., and all the required SOPs related to laboratory work, including testing procedures, calibration/qualification of equipment, validation of methods, qualification of personnel working in the lab for their competency, etc. What do you suggest so we can get it done easily?
Answer: This is a good question, as it is important to structure your documentation correctly, to make the process easier. The ISO/IEC 17025:2017 Documentation Toolkit will help you achieve this. The Diagram of ISO 17025:2017 Implementation Process provides the steps for you to follow for implementation and accreditation. As guided by the Toolkit, you will start by documenting the Quality Policy and Quality Objectives of your laboratory. The Project Plan for Implementation provides clear direction for you to specify individual project objectives, and plan what documents will be written by when. Knowing the ISO 17025 mandatory requirements and evaluating the risks and opportunities for the laboratory’s processes and procedures will help you focus and keep the documentation to the necessary minimum. You can incorporate all the existing ISO 9001:2015 SOP’s into your ISO 17025 quality management system. Make sure these are revised, if necessary, to include all ISO 17025 activities.
2. Is it required to get accreditation for each testing method performed in the lab? Or do we just need to prove that we are working as a competent lab, as all the tests are performed under the required environment, using qualified equipment, by competent personnel?
Answer: Unless required by regulators or legislation, you do not need to include all your test methods. In fact, this is an important decision which must be made early on, as indicated in the Diagram of ISO 17025:2017 Implementation Process (Determine the Scope). The choice of tests will be driven by regulator, customer or market need. Many laboratories become accredited initially, with only a few test methods. You can always extend the scope later. It is important to be clear, however, that general claims of technical competency are not allowed. A laboratory can only claim that they are accredited to provide results using those methods or techniques listed on the accreditation certificate.
The following articles will provide more information:
The links to the ISO 17025 Toolkit material are:
Unfortunately, this is not a GDPR matter. My advice would be: if you want to report a breach of tax law, you are free to do so.
ISO auditors' hourly rates vary significantly from country to country, and depending on the certification body they work for, so there is no definitive answer to this question.
In this IRCA survey, you can find that the global average salary for an auditor is £38,031: https://www.quality.org/knowledge/salary-survey-reveals-how-much-more-irca-auditors-earn
But please note that audit costs involve other variables, such as travel costs and certification body fees.
In case you need more precision, you can easily request a quote from a couple of certification bodies.
This material will provide you further explanation about certification costs:
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
If I understood correctly, you are talking about variations in the available capacity of a virtual server in the cloud. In this case, you do not need to take into account this variation in the asset register, only the server as a logical unit.
For example, if you have a database server in the cloud, in your asset register you can record it as "cloud database server". This way, by the very nature of cloud working, you do not need to take into account configuration related to its required capacity.
This article will provide you further explanation about asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/