Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Controls in SoA
Answer:
First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
- There is a management decision to implement the control, by considering it as good practice.
If none of the above conditions happen, there is no need to implement a control, and based on this situation the auditor will consider the SoA acceptable for certification.
By the way, by our experience a certified ISMS generally implements up to 100 from the 114 controls listed on ISO 27001 Annex A.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
List of legal requirements
Answer:
Contracts with employees are in general a response to external legal requirements (e.g., labor legislation, contract with customers, etc.), as a way to implement control A.7.1.2 (Terms and conditions of employment), so there is no need to include them in the list of legal requirements.
It is important to note that it is not needed to list those requirements in our template if they are already listed with other source document.
This article will provide you further explanation about employment conditions:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.c om/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/ -
Auditing BCP and DRP
Answer:
First of all you must select competent and independent auditors to perform the audit (by independent you must understand people that are not involved with these plans). After that you must identify which requirements are applicable to your Business Continuity and Disaster Recovery Plan, by means of identifying legal requirements, and business objectives. Once these issues are identified you should elaborate a checklist to help you cover these issues with proper questions and evidences to be verified.
These articles will provide you further explanation about preparing for an audit (they focuses on ISO 27001, but the concepts are applicable to ISO 22301 as well):
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Additionally, this toolkit can help you plan and perform an audit compliant with ISO 22301: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
At this page you can download a free preview of the documents to see how they look like and if they can fulfill your needs. -
Management system integration
Answer:
Normally organizations start with ISO 9001 and then add the other standards. Some organizations start with the integrated system right from the beginning with all standards at the same time. Personally, when possible, I prefer to start with ISO 14001 before ISO 9001 because I believe it is easier to implement and start seeing real changes in the daily work. So, positive feedback from implementation is much more easier for all involved.
The following material will provide you information about implementing integrated systems:
- How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
- Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
- ISO 9001, ISO 14001 and ISO 45001 Integrated Documentation Toolkit - https://advisera.com/9001academy/iso-9001-iso-14001-iso-45001-integrated-documentation-toolkit/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Working from Home Monitoring
We potentially are looking to set up a number of employees for home working. From what I can tell from researching, the above monitoring from home options would not be legitimate and would be classified as intrusive on the employees privacy. Is this correct? Are there any forms of monitoring that would be legitimate under GDPR laws?
Answer:
This is a hot topic indeed. My advice to you is to perform a Data Protection Impact Assessment to she how much this activity will affect the rights and freedoms of the data subjects.
In order to be lawful such a processing activity would need to proportionate and transparent.
If you want to find out more about DPIAs check out this webinar “Seven steps o f Data Protection Impact Assessment (DPIA) according to EU GDPR” - https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/ -
ISO 20000 Tool
Answer:
In some of my recent implementation I used GLPI. But, there are also some other tools like described in the article "Free tools for ITSM – supporting IT Service Management for zero tool cost" https://advisera.com/20000academy/knowledgebase/free-tools-for-itsm/
Also, this article can help you choose appropriate tool "
5 things to beware of when selecting an ITSM tool" https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/ -
High Risk Apetite
Answer: Risk appetite does not depend ONLY on the nature of the business, because other aspects can affect it (e.g., cultural and technological issues).
The risk appetite can always be challenged, specially by the risk management officer, but you have to keep in mind that final decision is always up to top management (they set where the line must be drawn, depending on their perception of the risks). If you do not agree with their decision, then you have to review the data you present to them, or try to understand how they perceive risk, so you can adjust your approach or change your mind. In any case you have to be careful not to try to push your opinion too much (remember that the final decision is up to them). -
What standards or procedures to follow for medical mobile app?
Answer:
Design and development of medical mobile apps should follow the local regulatory requirements in the country where you will be producing these mobile apps, and should also follow some guidance from the ISO 13485 standard. You can look at clause 7.1 Product Realization and 7.3 Design and Development for some basic guidance on the documentation. As for design specification of the UI/UX of these mobile apps, there are no standards nor other requirements, so you have to tailor them towards the intended use of the mobile apps.
For more information, please read article:
How to manage design and development of medical devices according to ISO 13485:2016
https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/ -
Developing a checklist
Answer:
Below you can find an article about developing an ISO 9001 audit checklist, a link to our internal audit toolkit (with a preview to our Internal Audit Checklist), a link to a free course on ISO 9001:2015 Internal auditor course and a link to a book on internal audits.
- Article - ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
- Article - ISO 9001:2015 Internal Audit Toolkit - https://advisera.com/9001academy/iso-9001-2015-internal-audit-toolkit/
- [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Managing regulations of different countries
Answer:
First it is important to define how the regulations will be identified and by whom, and after that how you will control them. For that I suggest these templates:
- Procedure for Identification of Requirements https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
- List of Legal, Regulatory, Contractual and Other Requirements https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
In case you have the regulations documents in electronic form, you also have to consider a documentation repository with control and searching capabilities, so I'd suggest you to take a look at our Conformio platform at this link: https://advisera.com/conformio/
With Conformio’s bu ilt-in document management system, all your company documents and files are maintained in one place, allowing multi-user access in a safe and secure environment to store all your valuable information.
For further information see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- Does ISO 27001 help CCPA compliance? https://advisera.com/27001academy/blog/2018/10/16/does-iso-27001-help-ccpa-compliance/