
  • ISO 27001 benefits


    Answer:

    The most common topics you can consider regarding lowering expenses are related to the impact of information security incidents: decreasing their quantity, their effective impact, or the resources involved in their handling.

    Additionally, you can consider the decrease in fines related to non-compliance with legal requirements.
  • Measurable quality objectives


    Answer
    If you write a quality objective that is countable, you ensure that it is measurable. For example:

    * Our organization wants to increase the number of corporate clients by 5% by the end of the year;
    * Our organization wants to reduce the number of clients lost to the competition by 7% by the end of the year;
    * Our organization wants to reduce by 10% the customer wait time in line by the end of next quarter;
    * Our organization wants to reduce employee turnover by 10% by the end of the year.

    For each example you can count the number of corporate clients, the number of clients lost, …

    The following material will provide you more information about quality objectives:
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Enroll for free course - ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Surveillance audit and auditors


    Answer
    Surveillance audits are performed by certification bodies. Certification bodies use the same criteria that they have for certification audits. Normally, certification bodies try to keep one or more auditors from the certification audit in the following surveillance audits.

    The following material will provide you more information about surveillance audits:
    - What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Course and certification bodies


    Answer:
    Your question is not complete because we do not know your purpose, what aim you want to meet by enrolling in the course.
    If you want to become an internal auditor, it is enough (and very expensive).
    If you want to become an external lead auditor doing internal audits, it is enough (and very expensive).
    If you want to become a lead auditor for a certification body, after the course, when you get the certificate, you have to contact the certification body to learn what their particular requirements are. They may want evidence of your experience as an auditor and of your professional experience, because of the economic sectors that you can audit. Each certification body will have different requirements and different contract requirements.

    The following material will provide you more information about audit courses where you can enroll for free, at your own pace and time, recognized by Exemplar Global:
    - ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Risk Assessment and Risk Treatment template


    Answer: The main difference between these three documents is:
    - Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable to cloud environments defined by ISO 27017 and to Personally Identifiable Information (PII) defined by ISO 27018.
    - Risk Assessment and Risk Treatment Methodology Premium covers not only requirements for ISO 27001, but also specific requirements applicable to business continuity defined by ISO 22301.
    - Risk Assessment and Risk Treatment Methodology Integrated covers not only requirements for ISO 27001, but also specific requirements applicable to protection of personal data defined by EU GDPR.

    You can see the specific requirements covered in each document in its own section 2 - Reference Documents.

    2 - Also, based on security practices, risk is calculated by multiplying likelihood with impact. However, in this methodology you are adding them.

    Answer: ISO 27001 does not prescribe how risk is calculated, and the most used practices are multiplying or adding likelihood with impact; we chose the latter approach for our template. However, you can adjust the template approach to multiplying likelihood with impact if you wish. This is perfectly acceptable under ISO 27001 requirements (both methods are suggested in ISO 27005).

    For further information, see:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    3 - Please let me know if Advisera has any documentation on how to perform risk assessments on third parties and cloud providers.

    Answer: You can use the same risk assessment approach adopted by your organization to perform risk assessments on third parties and cloud providers. Please note that to assess risks on cloud providers you should consider the Risk Assessment and Risk Treatment Methodology Cloud.
  • Training on business continuity


    I need advice as to which certification course I can first start to enroll in with the academy.

    I have looked at your prices compared to BCI, and I have found them cheaper, as I have to pay it myself.

    Answer: Since you mentioned BCI (Business Continuity Institute), I'm assuming you are looking for business continuity training. Considering that, unfortunately at this time we do not have available courses related to this topic. If you want to consider ISO 22301, the ISO standard for business continuity, I'd suggest you first take a foundations course to understand the standard and its requirements.

    This article will provide you further explanation about ISO 22301:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/

    These materials will also help you regarding ISO 22301 BCMS:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - ISO 22301: An overview of the BCM implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
    - Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
  • Design and development applicability


    Answer
    Changing parameters of an established product is not necessarily the outcome of design and development. If the company does not launch new products, design and development is not applicable. But nowadays it is difficult to stay in the market without periodically launching new products.

    The following material will provide you more information about applicable clauses:
    - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://community.advisera.com/topic/design-and-development-applicability/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Certification options for persons


    Answer:

    The best pathway will depend on your professional objectives. If you plan to work on an Information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification. Considering your current work, the Lead Implementer certification seems more appropriate.

    These articles will provide you further explanation about ISO 27001 certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO 27001 certifications:
    - ISO 27001:2013 Lead auditor course https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO 27001:2013 Lead implementer course https://advisera.com/training/iso-27001-lead-implementer-course/
  • Filling SoA

    Answer:

    Your understanding about referencing risks in the SoA is correct, but I'd like to comment that incorporating the Risk Assessment and Risk Treatment in a single spreadsheet is not a recommended approach. Although it may simplify documentation, it also creates a bigger document that is more difficult to read and work with, besides the fact that it exposes information about risk treatment to personnel who are only required for risk assessment. For example, most people can participate in the risk assessment process, but the definition of risk treatments and controls may be restricted to personnel who will work on the implementation of such treatment. You should evaluate this situation to verify that using a single spreadsheet will not raise significant risk.
  • Information security in organizational chart


    Answer:

    Since your organization has a CRO (Chief Risk Officer), and I'm assuming that by that there is an organizational-wide risk management process, you have two options:
    - Leave the CRO in charge of the information security risk management, and the CISO will provide the criteria by which information security risks will be evaluated, considering the CRO's risk management process approach.
    - Leave the CISO in charge of the information security risk management, and the CRO will provide the requirements the information security risk management process will have to follow to stay compliant with the organization-wide risk management process approach.