Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Questions about assets
I have couple of questions about inventory of assets.
1. Who is owner of asset “People”. Is it HR Manager or the person with whom the contract is signed?
Answer: ISO 27001 does not prescribe who should be the asset owner, but in general, if by contract you refer to an employment contract with an organization, then the asset owner is his/her superior in the organization. On the other hand, if this contract refers to a hired freelancer, consultant or similar, that will work for the organization only for a defined time, and for a specific work, then the asset owner should be the person with whom the contract is signed.
2. As “Asset Owner” can we use Position Name (like CEO, HR Manager) or it should be personalized (John Smith, CEO)
Answer: ISO 27001 does not prescribe how to name the asset owner, so both approaches are acceptable, but in case you have a significant turnover on personnel related as asset owners then you should consider using roles not personal names, because this will reduce the need to update the inventory every time t he responsible person changes.
3. We are paperless company and all our contracts are in electronic form, which are stored on reputable cloud solution. Should we include all contracts in Inventory of Assets in that case?
Answer: Regardless if your contracts are stored on a third-party cloud solution, the contracts still belong to the organization, and if they are relevant to the ISMS scope then they should be listed on the inventory of assets.
4. If we have cabinets/drawers in the office where we do not store any document, should it be included in Inventory of Assets?
Answer: If an asset is not related to the information you want to protect, then it does not need to be included in the inventory of assets.
5. We rent office in technological hub and we are using theirs printer and scanner. Should we include it in inventory?
Answer: If the printers and scanners are part of the service delivered by the technological hub, and are relevant to the ISMS scope, then they should not be included in the inventory as equipment but as a third-party service (e.g., like a printer service), since these equipment are managed by a third-party.
This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Is the course enough for certification?
Answer:
I'm not sure to which course you are referring to, but our online courses (e.g. ISO 27001 Foundations Course, Internal Auditor Course, Lead Auditor Course, Lead Implementer Course) give you an overview of all the requirements of the standard + necessary skills for e.g. auditing or implementing.
If you want to get certified as an individual, these courses will be enough for you to get ready for the exam & certification.
If you want to get certified as a company, you will also need the documentation and detailed guide for each of the implementation steps - these items are not included in the course - for that purpose see this ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
See also: ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/ -
Is Inventory of assets a document or a record?
https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/"
Answer:
The purpose of a record is to evidence a previous situation, that an action was performed, and/or a result was achieved, so to be of use it cannot be changed over time (at least it shouldn't). On the other hand a document contains information that can be changed over time, and an inventory of assets is a living document that must be continuously updated to be of value for an organization.
This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Implementing ISO 14001
Answer:
Once I have no information about your particular industry, I have to be very general in my answer. Start by determining how your organization interacts with the environment, by determining environmental aspects and impacts. Determine interested parties and compliance obligations and your conformance situation. Determine context and risks and opportunities.
With that information you can write an environmental policy, objectives and action plans. Then, monitor implementation, define and monitor performance, perform internal audits and the management review.
The following material will provide you more information about implementing an EMS:
- ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Mission, vision and strategy
Answer:
The mission is about the purpose of an organization, it is about the why an organization exists.
Vision is about the future, it is about an attractive mental image of where an organization will be at some point in the future.
The strategy is about the set of choices that an organization make in order to carve a path from where it is today, to where it wants to be in the future.
The following material will provide you information about the strategic direction:
- ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
- Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
ISO 45001: Hazard control for Silica Dust
Answer:
The controls for OH&S hazards follow a 5-level hierarchy, and the more hazardous something is, the higher up the hierarchy the control should be. The hierarchy is (most control to least control): elimination, substitution, engineering control, administrative controls and personal protective equipment (PPE).
So, for silica dust the lowest level of control would be providing masks as PPE, but if it is more of a hazard you should look at higher controls such as an engineering control like a dust collection system. It would be better if it was possible to substitute with a less hazardous material, or eliminate the need for the process, but this is often not the case, so the highest level of control is an engineering control that manages the hazard.
For more information on putting controls in place for OH&S hazards, see the article: 5 le vels of hazard controls in ISO 45001 and how they should be applied, https://advisera.com/45001academy/blog/2015/09/02/5-levels-of-hazard-controls-in-iso-45001-and-how-they-should-be-applied/ -
Anonymous data
Answer:
Anonymous data is not subject to the GDPR so there will not be any processing of Personal Data.
If you want to find out more about the applicability of the EU GDPR check out this free EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//) -
Combining multiple roles
Answer:
There are always risks while combining multiple roles in single person (although, such situation is sometimes inevitable).
In your case I see following risks:
1. Dynamics of activities and approach for Major Incident (as well as all incidents) is quite different than resolving problems or implementing changes
2. People you are working with are different (knowledge, experience...)
3. Incident is trigger for problem management. So, you can see it as “controlling” of the problem management's efficiency
4. Problem management is trigger for change management. So, mentioned in #3 is valid here.
5. Problem management efficiency influences incident management, Same relation is valid for change management – problem management. So, if you have all these processes in one person…
This is the article that can he lp: “
What ITIL roles can be combined in one person?” https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/ -
How to become a consultant in ISO 9001, ISO 22301
Answer:
If you are interested in working as a consultant implementing ISO 9001 or ISO 22301 you should consider attending Lead Implementer Course, since that course can help you to understand and implement the standards and then get the Lead Implementer certificate in order to prove your competence. Also, a Project Manager Certificate can be helpful because you will learn how to run projects.
This article will provide you further explanation about becoming a consultant:
- How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
These materials will also help you regarding becoming a consultant:
- How to become an ISO 27001 / BS 25999-2 consultant [free webinar on demand] https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
- ISO 9001:2015 LEAD IMPLEMENTER COURSE https://advisera.com/training/iso-9001-lead-implementer-course/ -
Best practice for BC Plans
Answer:
In our site you can find several resources about business continuity plans and how to integrate them on a business continuity management system. For example:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
As for how to see how a BCP looks like, at our site you can also access a free demo of our Business Continuity Plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/