Search results


  • Improvement targets and budget targets


    Answer
    I agree with your organization’s approach. One target is for the budget and has to be communicated to Finance. The other target is for internal use to guide an improvement project. There is no guarantee that the improvement target will be attained. When the budget is prepared, the organization sometimes has no idea about what should be done to meet the improvement target.

    The following material will provide you with more information about quality objectives:
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 and fertility centers


    Answer
    Yes, ISO 9001 is applicable to fertility centers. ISO 9001 is applicable to any activity, both public and private.

    The following material will provide you with more information about ISO 9001 applicability:
    - ISO 9001 Requirements and Structure - https://advisera.com/9001academy/knowledgebase/iso-9001-requirements-and-structure/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Scope definition


    (1 - I hope you are very well. I am writing because the company where I am currently working wants to be certified in 27001, but only wants to certify a "product", which is electronic invoicing. I wanted to know if this is possible, since I am confused about how to delimit the scope of the ISMS and the information security policy. Would the policy exclude the other processes and areas of the company?

    Answer:

    First, it is important to note that ISO 27001 does not certify "products", only processes. So in your case the certification would be related to the electronic invoicing process.

    Regarding scope definition, you can limit the scope to any size you want, and you can exclude processes, locations or business units you think should be left outside the scope.

    2 - And, due to cost issues, would it also be less beneficial, since the cost would increase when you want to certify the other processes of the company?)

    Answer:

    The smaller the scope, the smaller the certification costs will be. In fact, including processes you do not want to certify now will increase the costs of certification (many certification bodies use the total number of personnel involved in the scope to define the required days for the certification, which directly impacts certification costs).

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  • Complaining to the certification body

    My reason for asking is that I have an example of where a company has flouted almost every rule in terms of maybe a dismissal or redundancy. Should this be brought to the attention of the body that appointed them for this standard, as clearly they are not being met?

    Answer
    Although there is no explicit HR policy, a certified organization must comply with the requirements of HR-related clauses. For example, clause 7.1.4 on the environment for the operation of processes addresses both physical and human factors. Among the human factors, the standard mentions in a note social and psychological factors, which may frame the concerns you expressed.
    Anyone who feels that an organization, while certified, is not meeting the requirements of the standard can always formally complain to the certification body that issued the certificate.
  • Filling SoA justification


    Answer:

    In fact, entering all the risks from the risk treatment table in the SoA is not the best way to justify applicable controls. What you can do is include only the risk IDs of the risks related to control A.12.6.1, according to your Risk treatment table. For example, you could write "Risk 001, 003, and 023".
  • Record of Processing


    Answer:

    Article 30(5) of the GDPR provides an exemption that allows companies to avoid Article 30 record-keeping obligations provided that the processing is (i) only occasional; (ii) the processing is not considered a risk to the rights and freedoms of the data subjects; and (iii) the processing is not of ‘Special Categories of Data’ (Article 9.1) or personal data relating to criminal convictions and offences.

    So unless you fall under the exemptions above you need to create an Inventory of processing activities or ROP as you called them.
  • Filling asset inventory


    Answer:

    First, it is important to note that both approaches are acceptable, but to keep your inventory less complex we recommend that you list only the highest impact associated with an asset.
  • ISO 27001-2019


    Answer: First of all, sorry for this situation. In the future if you want to contact us please use this e-mail: support@advisera.com

    With this email you can either post a question or schedule a meeting with one of our consultants.

    Second, the reason for my inquiry is due to the fact that I just found out about the ISO/IEC 27001:2019 version and was wondering how this will affect our current initiative. To be honest, we are still very much at the beginning and I think that it would definitely be best to move forward with the latest version of the standard rather than continue with the 2013 version. I just started reading and am trying to find what differences there may be between the 2 versions, but if you can provide that comparison and tell us your thoughts about how you think we should progress, that would be very much appreciated.

    Answer: Please note that ISO 27001:2013 was indeed reviewed in 2019, but it was confirmed as the current standard, so no changes will be required for those organizations already certified, or in the process of certification against this version of the standard (the version of the current standard will still be 2013, not 2019). For more information, please access this link: https://www.iso.org/standard/54534.html
  • Use of encryption

    First, it is important to note that this impediment is not absolute. If your organization's Information Classification Policy defines the use of encryption with central key management as a general solution for all information classification levels, then the IT department can implement it as you described.
    The use of encryption solutions must be considered wisely because it can have some potential restrictions or negative consequences, e.g., in some countries the usage of encryption is regulated by law; also, if an employee leaves the company and all his data is locked on an encrypted disk, then the company cannot access this data.

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Transferred risks


    1 - Should the asset owner also apply controls to mitigate this risk, or, at the moment the risk is transferred, does the application of the controls disappear?

    2 - Can I transfer the risk to a third party and, at the same time, decide to apply my own controls for these critical servers?

    (In the risk analysis, suppose it is decided to transfer the risk of some assets to a third party with whom there is a maintenance contract. For example, it is decided to transfer the risk of a very critical set of servers to the maintenance company.

    1 - Should the owner of the asset also apply controls to mitigate this risk, or, at the time of transferring the risk, does the application of the controls disappear?

    Answer: First, it is important to note that if you adopt the option to transfer the risks, the application of controls does not disappear; only the implementation method changes, from your own implementation to "implemented by third party".

    Considering that, once risks are transferred to the third party, the asset owner should also consider the application of controls from section A.15.1 Information security in supplier relationships, to ensure the existence of contracts or agreements that enforce the proper treatment of the transferred risks.

    For additional information, please read:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    2 - Can I transfer the risk to a third party and, at the same time, decide to apply my own controls for these critical servers?)

    Answer: In theory you can do that, but it does not make much sense, since you are contracting someone precisely to protect your servers. Additionally, these controls applied in parallel may interfere with each other and reduce overall server security or performance.