I'm assuming you are referring to Business Impact Analysis (BIA). Considering that, ISO 27001 is not required to implement the requirements of ISO 22301, so you do not need to apply ISO 27001 to carry out a business impact analysis compliant with ISO 22301.
Tool for carrying out security vulnerability assessment
Answer:
It's our policy not to make recommendations about specific tools, since the selection of a tool will depend on the specific requirements and needs of each organization. Some features you can use to help you select a tool are:
- Capability to work with multiple operating systems
- Approach used to identify vulnerabilities (e.g., signature database, heuristics, etc.)
- Report generator module
Corrective actions and corrections
Answer:
Since correction and corrective action have different focuses on what to solve, this paragraph is necessary so that personnel less instructed in ISO standards do not get confused. Since the template is fully editable, if you consider that for your organization this second paragraph is not needed, you can delete it (but we do not recommend this).
Regarding the form for corrective actions, ISO 27001 only requires the documentation of corrective actions, not corrections, so to avoid unnecessary effort this form does not cover the recording of corrections.
Although it is an ISO 9001 article, the same concept applies to ISO 27001.
Monitoring legal compliance
Are there any free services I can sign up to that let me know when any legislation is modified, or when there is new legislation, to ensure I keep this up to date at all times?
Answer:
I don't know of any free service of that kind. In certain countries and certain industries, being part of a sectoral association can provide that service for free.
We want to implement the new document structure for 2019 because we have so many things to change, so we are considering setting up the new document structure starting from Revision 00. My question is: can we do that?
Answer:
Yes, you can, as long as it is clear that it is a new edition of the document structure. Some organizations include edition and revision in the document codification. Others consider the change in edition as a change in the format of the documentation. I helped an organization attain their certification in 2018. After certification, we decided to change the process mapping and the document structure and naming, and this year they had their surveillance audit with their new document structure starting from revision 0 without problems.
ISO 27001 does not prescribe which controls for physical premises must be used.
A control is mandatory only if:
- the results of the risk assessment identify unacceptable risks that can be treated by the control
- there are laws, contracts or regulations that require the control to be implemented
- there is a top management decision requiring the control's implementation.
If none of these occurs, you do not have to implement the control.
The employer should have provided you with a Privacy Notice explaining what it is doing with your personal data, as well as details on your rights, retention periods and other details, as required under Article 13 of the GDPR.
You can of course exercise your right to be forgotten with the employer (or potential employer), and you should be provided with a reply within a maximum of one month.
The version of an existing information system refers to the codification used to identify released software, so you can track the correct documentation regarding the development of that system.
For example, version 1.0 is commonly used to denote the initial release of a program.
Considering that, for each existing information system in the ISMS scope you must contact the internal development team, or the manufacturer, responsible for that system to identify which version is currently in the production environment. For some systems this information may be found on the main screen or as a sub-option of the "About" feature.
If you think any of the comments included in the template explaining which information has to be included in each field needs further clarification, please let me know your specific doubt, so I can provide you with a proper answer.
Evidence of implementation
To comply with the standard we created a training procedure; however, we cannot present evidence of its implementation. What can you advise us to do?
Answer:
ISO 9001:2015 does not require a training procedure. Has your organization determined competence requirements for each job? Does your organization determine competency gaps? Does your organization provide training or other actions to eliminate those competency gaps? Does your organization evaluate the effectiveness of training or other actions to close those competency gaps? If your answer to some of these questions is not yes, you have to start recording evidence.