
  • Career in Information Security


    Answer:

    Considering your stated background, the ISO 27001 Lead Auditor course is in fact the best option to start your civilian career.
    Our exam for the ISO 27001 Lead Auditor course is certified by Exemplar Global, and is globally recognized and accepted as evidence of competence to audit ISO 27001 Information Security Management systems.

    This article will provide you with further explanation about the Lead Auditor role:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    For more information about our ISO 27001 Lead Auditor course, please access these links:
    - https://advisera.com/training/iso-27001-lead-auditor-course/
    - https://advisera.com/training/eu-gdpr-courses/
  • Developing key performance indicators for a division in an organization


    Answer
    First of all, I would like to set a common language to avoid misunderstandings from both parties. The following figure shows my interpretation of “division”:

    https://www.screencast.com/t/6LQLNadzK6H

    Corporation is what you call organization.
    A division is the head or the umbrella of a set of business units.
    Normally, a division does not sell to customers. Sales to customers are done through each business unit.
    Business units have their own strategies to drive customer derived value.
    A division has a division strategy to drive value from the alignment and synergy of the different business units belonging to the same division.

    So, to develop relevant key performance indicators for a division, one must first identify how the division intends to generate value from the fact that different business units belong to it and can work together. For example, they can share customers, and in that way they want to promote cross-selling; they can share processes and services; they can share intangible assets; they can share a common brand; they can share capital. Key performance indicators for a division should be indicators that highlight, promote and monitor both the behaviors and the outcomes of those sharing drivers.

    The following material will provide you with more information about quality objectives:
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What has changed with quality objectives in ISO 9001:2015? - https://advisera.com/9001academy/blog/2018/05/08/what-has-changed-with-quality-objectives-in-iso-90012015/
    - Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk Assessment and Risk Treatment Methodology-Cloud


    Please see response from Advisera: "Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable for cloud environments defined by ISO 27017 and for Personally Identifiable Information (PII) defined by ISO 27018."

    Answer:

    First of all, thanks for this feedback.

    Please note that ISO 27017, in its clause 4.4 (Managing information security risks in cloud services), does not define any additional requirements for the risk management process; it only advises referring to the requirements for risk management defined for ISO 27001 and considering, in their application, cloud environment specifics (e.g., risk sources, threats and vulnerabilities), and these specifics are already included in the risk assessment and risk treatment tables.

    Considering that, we will be adding this reference to ISO 27017 to this Risk Assessment and Risk Treatment Methodology Cloud template to avoid misunderstandings, but there is no need to make any other change in the document, and the document you have is fully compliant with ISO 27017.
  • Business objectives for BCMS


    Answer:

    Examples of business continuity objectives may be:
    - Comply with xyz law/regulation by December 31, 2020, using ISO 22301 methodology
    - Enter a new market in the next 12 months because of the ISO 22301 certificate
    - During 2020, improve our recovery time by 12 hours while not incurring new costs.

    This article will provide you with further explanation about business continuity objectives:
    - Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/

    This material will also help you regarding business continuity objectives:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Non conformity severity


    Answer:

    Certification audits normally consider two degrees for non-conformity severity (and both are considered serious):
    - Minor non-conformity: a nonconformity that does not affect the capability of the management system to achieve the intended results.
    - Major non-conformity: a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.

    Regarding the certification / re-certification process, minor non-conformities identified during the process do not affect the certificate (provided that you present an action plan to the auditor). On the other hand, a major non-conformity is an impediment to certification until the situation is resolved.

    Please note that the definitions of major and minor non-conformity are based on best practice used by certification bodies and certification auditors. ISO 17021, the ISO standard for bodies providing audit and certification of management systems, states that a non-conformity shall be classified (but it does not define the classification to use). Also note that this grading is not mandatory for internal audits (most often such grading is not necessary for internal audits).

    This article will provide you with further explanation about non-conformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Privacy of customer data


    Answer:

    Even though you do not have access to data processed by the customer, you still have access to some kind of data from your customer, like email addresses for support contact, personal data of the person responsible for the contract/ service agreement, financial data for billing process, etc.

    So, you have to consider this kind of data in your Policy for Data Privacy.

    The main tip here is the question: which information does the customer have to send me so I can set up their service and bill them?

    If you have any specific doubts in mind, please contact us so we can help you with them.
  • Handling risk


    Answer
    Organizations determine risks and then evaluate them. ISO 31000:2018 presents several options to handle relevant risks:
    * Avoid risk by deciding not to start, or not to continue, with an action that raises it;
    * Accept or increase the risk in order to pursue an opportunity;
    * Remove the source of the risk;
    * Lower the probability;
    * Change the consequences;
    * Share the risk with another party or parties;
    * Maintain risk based on informed decision;
    * Take advantage of opportunities.

    Your “preventive” interpretation is applicable when avoiding risk and when lowering the probability, for example.
    The “correct and fix” interpretation is less common but applicable when removing the source of risk. So both, in a certain way, are correct, although the “preventive” approach is much more common.

    The following material will provide you with more information about risk management:
    - How to identify risk controls in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
    - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001: Processes vs Procedures


    Answer:
    The root of both of your questions is the difference between processes and procedures, so it is best to answer them together. A process is anything that you do that takes inputs, does something to them, and creates outputs (this does not mean that the activities need to be in a specific order). A process does not need to be documented. A procedure is a set way of doing a process, so when the activities need to be done in a certain order (this does not mean that the procedure needs to be written down). A documented procedure is when you choose to write a procedure down. I will give you an example using a purchasing process; I like using purchasing because it is easy to understand.

    So, as an example: If you have a process that states that your purchasers will get a purchase request, choose some vendors from the approved vendor list, find prices online, and then place an order of the best value, you have a process (in this case you may then find prices online first and then look at the vendor list to make sure the vendors are approved, because the order doesn’t matter).

    If you decide that the order matters and you want to do the steps in the order listed (purchase request, approved vendor list, find prices, place order) then this becomes a procedure. Note that if you only have a few purchasers, and don’t think you need to write this down because it is not complex, you now have a procedure that is not documented, but it is still a procedure.

    By writing down the procedure you have a documented procedure. You can do this in any way that works for you: flow chart, text document, etc. The important thing to remember is that if, by not writing down the procedure, you could have a process nonconformity, you should write down the procedure.

    For more information on the difference between processes and procedures, see the 9001Academy article: Watch Your Language! Don’t confuse processes with procedures, https://advisera.com/9001academy/blog/2014/11/04/watch-language-dont-confuse-processes-procedures/
  • Becoming an ISO 27001 consultant

    1. I am at a cross road in my 30+ year career in Accounting and I'm looking for a change. What are the requirements to become an ISO 27001 lead implementer and how can I become an independent consultant?

    To be qualified as an ISO 27001 Lead Implementer you have to attend an ISO 27001 Lead Implementer course, and for this course there are no prerequisites, so you can start your implementer career with ISO through this course.

    To become a consultant, you should first acquire experience in this field, and the most common ways are to work inside your current company implementing information security, or working for an established consultant.

    For more information about the ISO 27001 Lead Implementer course and how to become a consultant, please read:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    2. Will your course prepare me to take the ISMS with Exemplar Global?

    Answer: If I understood your question correctly, you want to know if our ISO 27001 Lead Implementer Course can prepare you for the Exemplar Global exam for ISO 27001 Lead Implementer. Considering that, it is important to note that Exemplar Global currently does not accredit Lead Implementer exams (only ISO 27001 Foundations, Internal Auditor, and Lead Auditor exams, like the ones offered by Advisera), but our course covers all topics related to the ISO 27001 Lead Implementer role.

    See more information about our ISO 27001 Lead Implementer course at this link: https://advisera.com/training/iso-27001-lead-implementer-course/
  • Roles and Responsibilities of the Board in Cyber Security


    Answer:

    Basically, the main roles and responsibilities of the board are:
    - ensure that cybersecurity supports the company strategy;
    - definition of objectives to be achieved;
    - definition of specific related responsibilities and authorities to cyber security;
    - provision of resources;
    - general performance review.

    For more information about the roles and responsibilities of the board in cyber security, I suggest these materials:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Privacy, cyber security, and ISO 27001 – How are they related? https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001