
  • Confidentiality level of a document


    Answer:

    This policy normally defines the rules for use of cryptographic technologies, so due to its technical nature, and the risks associated with non-IT personnel having access to its content, it is normally given a classification which restricts its access to IT personnel (normally it is not necessary for regular users to have access to this policy).

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Difference between Risk Treatment Plan and Corrective Actions


    Answer:

    Risk Treatment Plan and Corrective Actions fulfill different purposes and requirements, which is why we provide different documents.

    You use the Risk Treatment Plan to define actions to treat risks, i.e., actions to prevent them from happening, or to minimize their impact in case they occur.

    On the other hand, you use Corrective Actions to treat controls or processes that failed to fulfill their objectives, or are not performing as planned.

    For example, to treat a risk of data loss you can define the implementation of a backup process in the Risk Treatment Plan.

    Now consider that this backup process is implemented, and it was identified that for some reason the backup was not performed as scheduled, or that the process has failed (in both situations the original data wasn't lost). To treat this situation you have to open a Corrective Action.

    These articles will provide you further explanation about risk treatment plan and corrective actions:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
  • Performing risk assessment


    Answer:

    The reason why we do not have articles on defining the asset value is that it is not prescribed by the standard, and it only complicates the risk assessment if you already assess the level of impact. The point is, if you use the asset-based approach you need to identify risks by listing assets (without evaluating them), threats and vulnerabilities, evaluate impact (taking into account C-I-A) and likelihood, calculate the level of risk, and define the risk owner - nothing more.

    This article can provide you further information about asset-based risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    This material will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Mandatory written procedures


    Answer:

    There are no mandatory written procedures in ISO 9001:2015. Each organization should evaluate which practices will benefit from the existence of written procedures. Please check ISO 9001:2015 clause 4.4.2. It is up to each organization to evaluate, “to the extent necessary”, any need for SOPs or other written procedures. Normally, that depends on people’s turnaround and task complexity.

    The following materials will provide you more information about documenting a quality management system:
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Questions about risk assessment and treatment

    The excerpt you presented correctly fills in the fields of the risk assessment table, so if the rest of the matrix is filled in similarly you can consider this table compliant with ISO 27001 requirements for the risk assessment process.
  • Assets for risk assessment


    I thought the starting point of implementing ISO 27001 is to make the risk assessment table. Even though I received the template, it is not easy to fill out. First, when I want to list all information assets, I don’t know how to categorize assets. At the macro level there will be People, IT, Physical, Administrative. In the template there are People, Applications and databases, Documentation (in paper or electronic form), etc., but take paper documents for example: there are too many documents, so do I have to list all documents one by one? It is very difficult for me to categorize those. Moreover, in the IT area, how can I divide it up by each piece of software, hardware, application program, etc.?

    Answer:

    ISO 27001 does not prescribe how to categorize assets, so you can adopt the categories you believe will best fulfill your needs. You can use the asset catalogue sheet included in your Risk Assessment Table template as a starting point (this catalogue will help you categorize individual assets).

    Some general rules you can consider are:
    - split assets in different categories when they require different levels of protection and different number of applicable controls
    - use a category to refer to assets that can have the same level of protection and applied controls

    For example, regarding documents, you do not need to list them one by one. You can have a single asset called "paper documents", or if it is necessary you can create specific assets like "contracts in paper form", or "blueprints in paper form", if you need to apply different controls on them.

    The same idea applies to other assets. For example, for workstations, you can use categories related to their purpose, such as general workstations and development workstations, including details of the quantity of each type.

    This article will provide you further explanation about asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • EU GDPR course certificate


    Answer:

    The certificate you receive is proof that you have a working knowledge of all the GDPR requirements. It can be accepted in the USA or all over the world.
  • Quality manual in ISO 9001:2015 / quality policy


    Answer:

    Indeed, a quality manual is not required, although that does not mean the organization may not want to keep it because it considers it useful, since on many occasions it is used as a kind of guide to the different documents of the management system. As for the aspects of the organization, it depends on which "aspects" you are referring to. For example, for determining the context of the organization, you can have a procedure (which is not mandatory) that establishes how internal and external issues are determined.

    For more information about the mandatory documents in ISO 9001:2015, see the following article - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    Regarding the quality policy - you can have a document called Quality Policy that meets the following requirements:
    - it is appropriate to the purpose and context of the organization, and aligned with the organization's strategic direction
    - it provides a framework for the quality objectives
    - it includes a commitment to satisfy the various applicable requirements
    - it includes a commitment to continual improvement of the QMS

    For more information about the quality policy, see the following article - How does the ISO 9001:2015 revision affect the quality policy:
    https://advisera.com/9001academy/blog/2018/04/10/how-does-the-iso-90012015-revision-affect-the-quality-policy/

    In addition, these materials can help you with ISO 9001:2015 documentation:
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    https://advisera.com/training/iso-9001-foundations-course/
  • Project Plan in ISO 14001 toolkit


    Response:

    We do include a Project Plan in our ISO 14001 toolkit. You can check it here and download a free preview: https://advisera.com/14001academy/iso-14001-documentation-toolkit/

    You can also download a Project Plan for ISO 14001 for free here: https://info.advisera.com/14001academy/free-download/project-plan-for-iso-14001-implementation-ms-word This template helps companies manage all aspects of the ISO 14001 implementation project; although this is a non-mandatory document, we recommend writing it.

    For more information about the Project Plan in ISO 14001:2015, see the following materials:
    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free on-line training – ISO 14001:2015 Foundations: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Actions capable of producing impacts


    Answer:

    There is no such definition of "actions capable of producing impacts" within ISO 14001. It is a concept mostly used in environmental impact assessments and refers to the activities, operations, procedures, aspects, elements, etc. of a project that relate in some way to the environment, and that will therefore produce, directly or indirectly, changes (impacts) in the surroundings.

    Within the requirements of ISO 14001:2015, the organization must determine the significant environmental aspects, that is, those that generate a greater IMPACT on the environment according to criteria established by the organization itself (for example, frequency of occurrence of an environmental aspect, etc.). This impact is the change that occurs in the environment, whether adverse or beneficial, and results from the environmental aspect associated with an activity or process.

    For more information about environmental aspects and impacts in ISO 14001:2015, see the following materials:
    - Article - Environmental aspect identification and classification: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    - Article - Catalogue of environmental aspects: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online course - ISO 14001:2015 Foundations Course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/