  • Business objectives for BCMS


    Answer:

    Examples of business continuity objectives may be:
    - Comply with xyz law/regulation by December 31, 2020, using ISO 22301 methodology
    - Enter a new market in the next 12 months because of the ISO 22301 certificate
    - During 2020, improve our recovery time by 12 hours while not incurring new costs.

    This article will provide you further explanation about business continuity objectives:
    - Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/

    This material will also help you regarding business continuity objectives:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Non conformity severity


    Answer:

    Certification audits normally consider two degrees for non-conformity severity (and both are considered serious):
    - Minor non-conformity: a nonconformity that does not affect the capability of the management system to achieve the intended results.
    - Major non-conformity: a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.

    Regarding the certification / re-certification process, minor non-conformities identified during the process do not affect the certificate (provided that you present an action plan to the auditor). On the other hand, a major non-conformity is an impediment to certification until the situation is resolved.

    Please note that the definitions of major and minor non-conformity are based on best practice used by certification bodies and certification auditors. ISO 17021, the ISO standard for bodies providing audit and certification of management systems, states that a non-conformity shall be classified (but it does not define the classification to use). Also note that this grading is not mandatory for internal audits (most often such grading is not necessary for internal audits).

    This article will provide you further explanation about non conformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    On 02/09/2019 04:25, Vanda Ercegović wrote:
  • Privacy of customer data


    Answer:

    Even though you do not have access to data processed by the customer, you still have access to some kind of data from your customer, like email addresses for support contact, personal data of the person responsible for the contract/ service agreement, financial data for billing process, etc.

    So, you have to consider this kind of data in your Policy for Data Privacy.

    The main tip here is the question: which information does the customer have to send me so I can set up his service and bill him?

    If you have any specific doubts in mind, please contact us so we can help you with them.
  • Handling risk


    Answer:
    Organizations determine risks and then evaluate them. ISO 31000:2018 presents several options to handle relevant risks:
    * Avoid risk by deciding not to start, or not to continue, with an action that raises it;
    * Accept or increase the risk in order to pursue an opportunity;
    * Remove the source of the risk;
    * Lower the probability;
    * Change the consequences;
    * Share the risk with another party or parties;
    * Maintain risk based on informed decision;
    * Take advantage of opportunities.

    Your “preventive” interpretation is applicable when avoiding risk and when lowering the probability, for example.
    The “correct and fix” interpretation is less common, but applicable when removing the source of risk. So both, in a certain way, are correct, although the “preventive” approach is much more common.

    The following material will provide you more information about risk management:
    - How to identify risk controls in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
    - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001: Processes vs Procedures


    Answer:
    The root of both of your questions is the difference between processes and procedures, so it is best to answer them together. A process is anything that you do that takes inputs, does something to them, and creates outputs (this does not mean that the activities need to be in a specific order). A process does not need to be documented. A procedure is a set way of doing a process, i.e., when the activities need to be done in a certain order (this does not mean that the procedure needs to be written down). A documented procedure is when you choose to write a procedure down. I will give you an example using a purchasing process; I like using purchasing because it is easy to understand.

    So, as an example: if you have a process that states that your purchasers will get a purchase request, choose some vendors from the approved vendor list, find prices online, and then place an order for the best value, you have a process (in this case you may then find prices online first and then look at the vendor list to make sure the vendors are approved, because the order doesn’t matter).

    If you decide that the order matters and you want to do the steps in the order listed (purchase request, approved vendor list, find prices, place order) then this becomes a procedure. Note that if you only have a few purchasers, and don’t think you need to write this down because it is not complex, you now have a procedure that is not documented, but it is still a procedure.

    By writing down the procedure you have a documented procedure. You can do this in any way that works for you: flow chart, text document, etc. The important thing to remember is that if, by not writing down the procedure, you could have a process nonconformity, you should write down the procedure.

    For more information on the difference between processes and procedures, see the 9001Academy article: Watch Your Language! Don’t confuse processes with procedures, https://advisera.com/9001academy/blog/2014/11/04/watch-language-dont-confuse-processes-procedures/
  • Becoming an ISO 27001 consultant

    1. I am at a cross road in my 30+ year career in Accounting and I'm looking for a change. What are the requirements to become an ISO 27001 lead implementer and how can I become an independent consultant?

    To be qualified as an ISO 27001 Lead Implementer you have to attend an ISO 27001 Lead Implementer course, and for this course there are no previous requirements, so you can start your implementer career with ISO through this course.

    To become a consultant, you should first acquire experience in this field, and the most common ways are to work inside your current company implementing information security, or working for an established consultant.

    For more information about the ISO 27001 Lead Implementer course and how to become a consultant, please read:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    2. Will your course prepare me to take the ISMS with Exemplar Global?

    Answer: If I understood your question correctly, you want to know if our ISO 27001 Lead Implementer Course can prepare you for the Exemplar Global exam for ISO 27001 Lead Implementer. Considering that, it is important to note that Exemplar Global currently does not accredit Lead Implementer exams (only ISO 27001 Foundations, Internal Auditor, and Lead Auditor exams, like the ones offered by Advisera), but our course covers all topics related to ISO 27001 Lead Implementer.

    See more information about our ISO 27001 Lead Implementer course at this link: https://advisera.com/training/iso-27001-lead-implementer-course/
  • Roles and Responsibilities of the Board in Cyber Security


    Answer:

    Basically, the main roles and responsibilities of the board are:
    - ensure that cybersecurity supports the company strategy;
    - definition of objectives to be achieved;
    - definition of specific related responsibilities and authorities to cyber security;
    - provision of resources;
    - general performance review.

    For more information about the roles and responsibilities of the Board in Cyber Security, I suggest these materials:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Privacy, cyber security, and ISO 27001 – How are they related? https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001
  • Requirement from ISO 27001 for calibration

    If yes, how does a "Software development" company do calibration? We don't use any tools or machines. Just PCs.

    Answer:

    ISO 27001 does not prescribe requirements for calibration, but information security requirements from the organization itself, or from third parties, may define the need for calibration to be included in the software under development.

    For example, for a biometric-based access control software, you need to perform calibration during development to ensure the proper degree of confidence in biometric readings, as well as make this feature available for software users to adjust the system when needed (e.g., when new hardware is used).

    In this case, to ensure such requirements are identified and handled properly, you can apply the control A.14.1.1 Information security requirements analysis and specification.

    This article will provide you further explanation about Software Development Life Cycle:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
  • Independent review

    Can this requirement for 'Independent Review' be satisfied internally? That is, review of the ISMS policies and procedures by an in-house team that is not directly attached to the ISO 27001 effort?


    Answer: Your understanding is correct. The ISMS review by anyone with proper competence (i.e., knowledge, education or experience in ISO 27001 requirements) who is not related to the ISMS scope, or who does not review his/her own work, is a way to fulfill this requirement.

    Can this requirement be satisfied through the ISO 27001 Certification process, citing the 2 minor audits between major certification as our Independent Review?


    Answer: Your assumption is correct; it is possible to achieve compliance with A.18.2.1 by means of the certification / surveillance audit.

    Otherwise, what is the best course of action to meet this requirement, and could we gain and keep certification without using this control?


    Answer: The certification / surveillance audit is the best course of action because internal audits are mandatory.

    This article will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    For further information about internal audit, please see:
    - ISO 27001:2013 Internal auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Corrective Action Plan

    In fact, all three alternatives can happen:
    - a Corrective Action Plan (CAP) can be elaborated after an audit, when the auditor formally states the nonconformities
    - in some cases, depending on the auditor's approach, a CAP can be elaborated during the audit
    - a CAP can be elaborated after someone reports a nonconformity during normal operations, i.e., not associated with an audit activity

    Please note that in all cases the purpose of the CAP is the same: to eliminate the causes of identified nonconformities.