Answer
Perhaps she is interested in you searching for the process used by ISO to develop or update standards, and in how an ISO management system can be implemented.
Thank you! I will review and, if I may, ask more questions. We are building a board-level decision support system based on a combination of a bespoke DBMS and Bayesian Networks to help board members/trustees sleep at night knowing that they meet global fiduciary standards. While the application is not as complicated as managing the details of conformance home like to ISO 27001, its use of AI puts us out on the new horizons territory!
ISO 27001 implementation challenge
Answer:
The challenge for each organization varies according to these variables:
- Knowledge about the standard
- Lack of know-how for implementing the standard
- Level of top management support and commitment to the implementation project
- Available resources (e.g., equipment, money, etc.) for the implementation
- Time to implement the project
- Time the project team can dedicate to the project tasks
In our experience the most challenging variables are the top management support and commitment, and the knowledge about the standard, and these are the main reasons we developed materials and that we provide expert support to organizations which want to implement ISO 27001.
These articles will provide you further explanation about ISO 27001 implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
For small organizations normally there is no need to develop plans and procedures. It should suffice to identify rules on the Mobile Device and Teleworking Policy itself.
As for large organizations, or if small organizations decide to use plans and procedures, examples would be backup procedure, software installation procedure (including anti-virus software), procedure for data exchange, etc.
Please note that these plans and procedures do not need to be documented specifically for teleworking. You can make reference to documents already used inside your organization. For example, the Security Procedures for IT Department included in your toolkit, in folder 08 Annex A Security Controls A.12 Operations Security, covers most of the activities required by the Mobile Device and Teleworking Policy.
Toolkits and PCI-DSS certification
Answer:
We're not experts in PCI DSS, but generally we recommend the ISO 27001 documentation toolkit as a way to contribute to achieving PCI compliance, because PCI-DSS has some requirements that can be fulfilled by ISO 27001 controls from Annex A, such as the access control policy.
Answer
After certification your organization will have surveillance audits.
Surveillance audits exist to check if your management system is working as designed. So, pay special attention to records. Are all the incidents being recorded? Are measurements, complaints, corrective actions, non-conformities, internal audits, management reviews, etc. being recorded? Remember, if your organization had any minor non-conformity or observations during the certification audit, be sure that auditors will look into those issues with special care.
The context changes, priorities change, objectives change. So, be aware of the need to update management system documentation. For example, a new product line, a new machine, or a new market can lead to changes in processes and procedures.
The short answer would be no, you do not have to complete it.
However, when a work procedure instruction is being developed it is a good practice to include safety, environment, and other topics. When people work, they don’t just do productivity work, or quality work, or safety work, or environmental work, they just work, period. And while working they do it with all those topics in mind. The work is a whole, not a sum of parts. About the risk assessment, ISO 9001:2015 does not require any records. I think that a good work procedure instruction can be a good answer to a previous risk assessment. In a work procedure instruction, one can list “what is there to do to reach a set of desired outcomes”. Risks are what can prevent us from achieving these expected results. Thus, in addition to including what to do, work procedure instruction can also include actions and concerns to minimize or avoid the most relevant risks.
The following material will provide you more information about risks:
Considering your stated background, in fact the ISO 27001 Lead Auditor course is the best option for starting your civilian career.
Our exam for the ISO 27001 Lead Auditor course is certified by Exemplar Global, and is globally recognized and accepted as evidence of competence to audit ISO 27001 Information Security Management Systems.
Developing key performance indicators for a division in an organization
Answer
First of all, I would like to set a common language to avoid misunderstandings from both parties. The following figure shows my interpretation of “division”:
Corporation is what you call organization.
A division is the head or the umbrella of a set of business units.
Normally, a division does not sell to customers. Sales to customers are done through each business unit.
Business units have their own strategies to drive customer derived value.
A division has a division strategy to drive value from the alignment and synergy of different business units belonging to the same division.
So, to develop relevant key performance indicators for a division, one must first identify how the division intends to generate value from the fact that different business units belong and can work together. For example, they can share customers, and, in that way, they want to promote cross-selling; they can share processes and services; they can share intangible assets; they can share a common brand; they can share capital. Key performance indicators for a division should be indicators that highlight, promote and monitor both the behaviors and the outcomes of those sharing drivers.
Risk Assessment and Risk Treatment Methodology-Cloud
Please see response from Advisera: "Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable for cloud environments defined by ISO 27017 and for Personal Identifiable Information (PII) defined by ISO 27018."
Answer:
First of all, thanks for this feedback.
Please note that ISO 27017, in its clause 4.4 (Managing information security risks in cloud services), does not define any additional requirements for the risk management process; it only advises referring to the requirements for risk management defined for ISO 27001, and considering in their application the cloud environment specifics (e.g., risk sources, threats and vulnerabilities), and these specifics are already included in the risk assessment and risk treatment tables.
Considering that, we will be adding this reference to ISO 27017 to this Risk Assessment and Risk Treatment Methodology Cloud template to avoid misunderstandings, but there is no need to make any other change in the document, and the document you have is fully compliant with ISO 27017.