
  • Purchasing and supplier evaluation


    Answer:

    Indeed, in that case it would not be necessary to evaluate that supplier. However, you should also think about the other types of suppliers your company has if the scope of the management system covers the whole organization. For example, delivery service providers, office supplies providers, software and hardware providers, etc. Subcontractors used by your company would also be included, for example an HR company for staff recruitment, a company that designs or manages your website, etc. So you will most likely need this supplier evaluation document.

    For more information on supplier evaluation, you can see the following materials:
    - Article - How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • ISO 20000 certification


    Answer:
    I assume you'd like to know what the certification process looks like. Here is the article which explains the certification process:
    "Process to obtain ISO/IEC 20000 certification: Companies and individuals" https://advisera.com/20000academy/knowledgebase/iso-20000-certification-the-process-of-obtaining-a-certifica/

    This book can help you further:
    PREPARING FOR ISO CERTIFICATION AUDIT: A PLAIN ENGLISH GUIDE https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

    and this webinar (applicable also to ISO 20000 implementation):
    ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Document control


    Answer: ISO requirements for document control refer to:
    - documented information required by the Standard (e.g., results of risk assessment and treatment, internal audit program and reports, etc.)
    - documented information determined by the organization as necessary for the ISMS

    Considering that, for the organization's documents you must include only those related to the ISMS scope, i.e., the information you want to protect, and this most likely won't mean all information, either because it would be too expensive to protect all of it, or because of the different values it has to the business.
    This article will provide you further explanation about document control:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Hybrid approach for risk assessment


    Answer: ISO 27001 does not prescribe any approach for risk assessment, so you can adopt the one that best suits your organization, even a hybrid one. The same applies to the process/methodology. You can create your own, provided it fulfills the requirements of the standard.

    But please note that you have to verify if the benefits of adopting a hybrid approach will be greater than the complexity required to perform it.

    For information about alternative approaches for risk identification, please read:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • ISO 27001 implementation case studies


    Answer: For case studies I suggest you these articles:
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
    - A success story about implementation of ISO 27001 and 9001: How online platform Doccle did it https://advisera.com/27001academy/blog/2019/04/08/a-success-story-about-implementation-of-iso-27001-and-9001-how-online-platform-doccle-did-it/
  • Policy content


    "Confidential information must be additionally protected in accordance with the [Richtlinie zur Vertraulichkeit von Informationen] (Information Confidentiality Policy).

    Should this be "Richtlinie zur Klassifizierung" (Classification Policy)? Cannot find "Richtlinie zur Vertraulichkeit" - what subdirectory is this?"

    Answer: First of all, sorry for this translation problem.

    The original text in English is "classified information must be additionally protected according to the [Information Classification Policy]"

    The Information Classification Policy is located in folder 08 Annex A Security Controls A.8 Asset Management
  • Risk assessment report


    Answer:

    I understand that you performed a single risk assessment and risk treatment. Considering that, you can adjust the term "final reports" to "final report" ("final reports" is used only if you have performed more than one risk assessment and risk treatment during the implementation project). As for the period, you can use the period of time when you performed the risk assessment and risk treatment (please note that this period is important because the purpose of the report is to provide a snapshot of risks at a particular period).

    Regarding documents to be used, besides the report itself, there are only two documents that need to be attached to the report (nothing more) - the risk assessment and risk treatment, and both of them are part of the toolkit.
  • Sizing a project team


    Answer: First it is important to note that there can be two kinds of personnel involved in a project:
    - people regularly involved in all project activities (e.g., project manager, information security expert, etc.)
    - people involved in specific project activities (document review and risk identification for specific departments/processes, etc.)

    Considering that, for a project involving 600 people, the project team would vary from 4 to 6 people, and the extra people related to specific project activities will depend on the organizational structure (e.g., one or two per department/process).

    Please note that people involved in specific project activities will only occasionally be needed on the project, while project team members will probably be involved at least once a week.

    This article will provide you further explanation about responsibilities in a project:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

    This material will also help you regarding responsibilities in a project:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Can ISO 27001 and ISO 22301 be used together in a document?


    Answer: It is not clear which document you are talking about, but some documents in the ISO 27001 & ISO 22301 Premium Documentation Toolkit are common for both ISMS and BCMS (e.g., Document Control Procedure and Internal Audit Procedure), or can be used to support both systems, so it is possible to use them for both systems.

    Included in your toolkit there is a List of Documents file which shows which clauses of both standards are covered by each document. Another way to identify this common use is by the commentaries included in each template. Some comments specifically identify which text can be adjusted so the document can cover both standards.

    For further information about integrating ISO management systems, please read:
    - How to implement integrated management systems https://advisera.com/27001academy/blog/2015/10/05/how-to-implement-integrated-management-systems/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar-on-demand/
  • Questions about documents


    Answer: I'm assuming you are referring to the Website Privacy Policy.

    Considering that, this template is part of the following toolkits:
    - EU GDPR & ISO 27001 Integrated Documentation Toolkit
    - GDPR Mini Toolkit for Websites
    - EU GDPR Premium Documentation Toolkit

    The document in the EU GDPR Premium Documentation Toolkit can be customized by you to fulfill your needs related to ISMS/BCMS. The document included in the EU GDPR & ISO 27001 Integrated Documentation Toolkit already has the adjustments to be compliant with ISO 27001.

    Second question: Can I use ISO 27001/22301 documents for BOTH ISMS and BCMS, referencing both ISMS and BCMS in the same document?....or must I use the documents for one or the other, but not both?

    Answer: Some documents in the ISO 27001 & ISO 22301 Premium Documentation Toolkit are common for both ISMS and BCMS (e.g., Document control procedure and Internal audit Procedure), or can be used to support both systems, so it is possible to use these documents for both systems.

    Included in your toolkit there is a List of Documents file which shows which clauses of both standards are covered by each document. Another way to identify this common use is by the commentaries included in each template. Some comments specifically identify which text can be adjusted so the document can cover both standards.

    For further information about integrating ISO management systems, please read:
    - How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar-on-demand/