Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/0fed94a5-d671-4764-90fb-13dd73667f48
Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/af528359-7b54-4016-b184-c6d2f58a4d9f
Different FMEA manuals are available. The main ones are AIAG Rev 4 and AIAG & VDA Rev 2019. They are valid for both FMEA. What is important here is what your customer's specific requirements are. If you do not have any customer-specific requirements, you can use the AIAG rev 4 FMEA model.
Almost all services most companies provide today are IT-enabled. That means organizations have a tremendous benefit in creating, expanding, and improving their IT service management capability. ITIL is a powerful tool in a way that:
ITIL provides the guidance organizations need to address service management challenges and utilize the potential of modern technology.
ITIL is designed to ensure a flexible, coordinated, and integrated system for the effective governance and management of IT-enabled services.
ITIL is a best practice framework that guides ITSM delivery.
ITIL is not a theoretic approach. On the contrary, it's practical (written by experts in the industry) and flexible (can be adapted in any company, independent of the size or nature of the business).
ITIL provides an end-to-end approach to IT service management and integrates well with other frameworks, e.g., Lean, DevOps, and Agile.
The article "Why ITIL?" https://advisera.com/20000academy/knowledgebase/itil/ will provide more details.
1. Could you tell me what you guys exactly want from the Procedure for document and record control document? In detail please + I got a couple of questions too, my scope is the whole organization.
The purpose of the Procedure for document and record control is to establish a structured and unified approach for creating, updating, controlling, and protecting documents and records within a company. This ensures that the documented information is available for use, fit for purpose, and adequately protected against damage or loss of integrity and identity. The procedure defines the rules for creating and identifying documents, approving and publishing them, controlling access and distribution, withdrawing outdated documents, and managing updates and changes. It helps provide clarity to all employees on how to manage documents and records, ensuring compliance with ISO standards and facilitating effective information management within the organization.
2. "This procedure is applied to all documents and records related to the ISMS", so in my case is it all the company's documents?
The organization can decide whether to apply the Procedure only to ISMS related documents, or to all documents in the company scope.
3. Document approval
I understood that the CEO must approve all documents and is there something else?
In a small ISMS scope, it is common practice for the CEO to approve all documents. This is because, in smaller companies, the CEO is usually the top-level management and has the authority to make decisions and approve important documents. However, it is important to note that the responsibility for approving documents can vary depending on the company's size and structure. In mid-size and larger companies, the responsibility for approving documents may be divided between senior management, security officers, and heads of departments.
4. 3.3. Publishing and distributing documents; withdrawal from use
There are some parts where Conformio is mentioned there. I don't think this is a professional way for the word "confirmo" is written there, "the Conformio platform will automatically inform all employees listed as users of the document by email...."
First of all, sorry for the confusion.
Conformio is our platform to help organizations implement and operate an ISMS. In the text you mention, our platform will automatically inform users when a new document is published and retrieve old versions.
5. Tell me more about record control and also documents of external origin. What do you want from me exactly? I could not figure it out.
Record control refers to the management of records within an organization. It involves defining how records are created, stored, accessed, retrieved, used, protected, and disposed of. The control of records ensures that they are available when needed, suitable for their intended use, and adequately protected. ISO 27001 requires organizations to have controls in place for the distribution, access, retrieval, and use of records, as well as for their storage, preservation, control of changes, and retention and disposition.
The control of documents of external origin refers to the management of documents that are not owned or controlled by the organization but are necessary for its operation. These external documents can include laws, regulations, standards, contracts, service agreements, product specifications, operation manuals, and more.
To control documents of external origin, the organization should define what are the relevant external documents for the Information Security Management System (ISMS) and who will be responsible for identifying and reviewing them. The frequency of verification should also be established.
One approach to controlling external documents is to have each head of a department responsible for the applicable external document. For example, the Head of the IT department can identify encryption standards for the website as a relevant external document and ensure it is controlled by the company.
It is important to note that external documents can be both physical and electronic. Physical documents can be received at the organization's office or a remote location if necessary. Electronic documents can include emails, digital files, and online resources.
Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/d7a4c02b-ac63-4bd9-97aa-2578b8cca18f
Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/a88a0e04-ae4e-4afd-9fd8-192951da69f3
Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/9694e497-ecc8-4a61-8046-eb3ab248f12a
Well explained! Thank you :)
There is no mandatory requirement to list risks in an SOP. On the technical side, the overall risk assessment per test or calibration method should be performed according to your risk management procedure. You should, however, document specific controls in the SOPs that are put in place to keep the risk at an acceptable level, i.e., the controls decided on during the risk assessment. Ensure you state clearly if some action is mandatory. For example: Shake for 10 min. Do not leave samples standing after 10 minutes, filter immediately.
For more information on risk assessment, have a look at the Advisera ISO 17025 toolkit and webinars available. Start here: https://advisera.com/iso-17025/