
  • Supplier evaluation


    Answer:

    For supplier evaluation I suggest you take a look at these free demos to verify if they can fulfill your needs:
    - Procedure for Purchasing and Evaluation of Suppliers https://advisera.com/9001academy/documentation/procedure-purchasing-evaluation-suppliers/
    - Checklist for Evaluation of Suppliers https://advisera.com/9001academy/documentation/appendix-1-checklist-evaluation-suppliers/

    Although these templates were created for a Quality Management System, they can also be used for an ISO 27001 ISMS, but please note that ISO 9001 supplier evaluation does not cover information security aspects. For that I suggest you use these templates together with the Supplier Security Policy and Security Clauses for Suppliers and Partners, included in your toolkit in folder 08 Annex A Security Controls A.15 Supplier Relationships.

    These articles will provide you further explanation about supplier evaluation:
    - How to evaluate supplier performance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • PCI QSA certification and ISO 27001 LA course

    We received this question:

    >The response does not answer my question. The PCI QSA requirements stipulate that, in order to qualify for QSA, a candidate must hold certifications from each of two lists: a list of security certifications and a list of auditor certifications. The list of auditor certifications includes ISO 27001 Lead Auditor.

    >Would taking this course and passing the exam satisfy the requirement for an auditor certification as stipulated by the PCI QSA prerequisites?

    Answer:

    First of all, sorry for this misunderstanding.

    Our ISO 27001 Lead Auditor course is accredited by Exemplar Global (formerly known as RABQSA), so once you pass the final exam, the issued ISO 27001 Lead Auditor certificate can be used to fulfill the related prerequisite on your path to becoming a PCI QSA.
  • ISO 27001 - Policy for permitted use / Policy for information transfer


    The policy for permitted use contains the record of permitted communication channels. The same record I already added to the policy for information transfer. The policy for permitted use refers to the other policy, which contains the record. In my opinion I would be able to delete the record in the policy for permitted use (if it’s already in the policy for information transfer). Is that correct?

    Answer: Please note that section 3.6 of the Policy for permitted use (which refers to information transfer) must be kept only if you do not use the Policy for information transfer. In case the Policy for information transfer is a separate document, you can delete section 3.6 and the related record from the Policy for permitted use. This way information about information transfer will be in only one document, minimizing the risk of conflicting information.
  • Test requirements and ISO 9001


    Answer:
    ISO 9001:2015 considers test requirements for:
    - Approval of new products and services performance (clause 8.3.4)
    - Approval of materials and services acquired from external providers (clause 8.4.2)
    - Approval of final product or service (clause 8.6)

    The following material will provide you information about test requirements:
    - ISO 9001: Requirements for the release of the product or service - https://advisera.com/9001academy/blog/2017/03/28/iso-9001-requirements-for-the-release-of-the-product-or-service/
    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Enroll for free in this course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Policy users


    Answer: Please note that "organizational units for information and communication technology" is only an example to consider for users of this document. You can change it for whatever users you see are relevant for your organization.

    2 - Should the policy not be relevant to all employees of the company? Especially when the type of information (for which the communication channel will be defined) represents all assets of the organization? (Meaning the assets we chose for the risk assessment.) So far I have made a matrix of the allowed communication channels depending on the information type.

    Answer: Please also note that for ISO 27001 this policy covers external parties and electronic communication, so for employees that do not use electronic communication nor have contact with external parties this policy would make no sense. Of course, if these scenarios do not occur in your organization you can state that this policy is applicable to all your employees.
  • ISMS processes for personnel security


    Answer:

    ISO 27001 ISMS processes are the same regardless of where they are applied once the ISMS scope is defined:
    - Risk assessment and risk treatment, for identification of risks relevant to personnel security and definition of proper controls
    - Controls implementation and operation, to effectively reduce risks to acceptable levels
    - Performance evaluation, to check and verify if expected results are being achieved
    - Improvement, by means of nonconformities, corrective actions and continual improvement

    Specifically for personnel security, the main controls applied are terms and conditions of employment, and awareness and training.

    These articles will provide you further explanation about awareness and training, and terms and conditions:
    - What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
    - What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

    This material will also help you regarding awareness and training:
    - Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Risk assessment and treatment

    How does Annex A relate to the risks? I understand there are 114 security controls (?) that the standard defines in Annex A. Do we need to refer to all of them and for each one indicate if it is relevant? And if relevant, then I fill in the relevant doc? What table do I use to do that?

    Actually, to put it in other words, I would appreciate a clarification of the process between folders 5, 6, and 8 (Annex A). For me there is too much info and too many videos on the site. It is overloaded and I can't find what is relevant, and I do not want to spend too much time viewing all of that. Can you list the process in a few sentences in regards to the risks and security controls? What do I need to do and what tables do I use?

    Answer:

    Basically you are referring to the risk assessment and risk treatment processes, where relevant risks are identified and proper treatment actions and controls from ISO 27001 Annex A are chosen.

    For a view of these processes, with the use of real data as examples, you can see these video tutorials included in your toolkit:
    - #105 How to implement risk assessment
    - #106 How to implement risk treatment
  • Records in Service Desk tools


    Answer:

    Some records may be needed to be retained for longer if the processing is necessary for the establishment, exercise or defense of legal claims.

    If you want to find out more about retention periods check out this free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Company policies and HR


    Answer:

    Under ISO 9001:2015 those topics are not mandatory.

    The following material will provide you information about human resources:
    How to create an ISO 9001:2015 human resources audit Checklist - https://advisera.com/9001academy/blog/2019/02/28/how-to-create-an-iso-90012015-human-resources-audit-checklist/
    Understanding Resource Management in ISO 9001 - https://advisera.com/9001academy/blog/2014/02/11/understanding-resource-management-iso-9001/
    Free online training – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Supportive documents for Total Productive Maintenance


    Answer:

    There are no specific supportive documents required under the Total Productive Maintenance clause.

    It is common practice to have supportive documents with data about OEE (Overall equipment effectiveness), MTBF (Mean time between failures) and MTTR (Mean time to repair) as inputs for management review.
    Also, for preventive and predictive maintenance, as well as for periodical overhaul, you should have some records about it.

    For parts and service management you should have some kind of documents such as instructions for use and similar.
