
  • A.13 security controls from ISO 27001 Annex A


    Answer:

    A.13.1 refers to a subsection of ISO 27001 Annex A, which has three controls: A.13.1.1, A.13.1.2, and A.13.1.3.
    Control A.13.1.1 is related to the general need to manage and control networks, by definition of responsibilities and procedures, as well as by implementation of practices and technologies.

    Control A.13.1.2 refers to the need to identify and document applied security controls and service levels, as well as the need to periodically monitor network security performance.

    These articles will provide you further explanation about network security:
    - How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
    - Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/
    - How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

    This material will also help you regarding network security:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • How contractors can help implement the OHSMS


    Answer:
    While it can be helpful to get some of this information from the contractors who are currently doing work, it is important to remember that this will not be the OHSMS of the contractor, but needs to be fully applicable to the company. For instance, it would be unreasonable for the contractors to be able to tell you the interested parties for your company, or to tell you what your OH&S policy should be. That being said, some of the clauses where the contractors might give valuable information would include:
    4.2 – Expectations of workers (since the contractors are currently the workers)
    6.1.2.1 – Hazard identification (for the processes that the contractors are using)
    6.1.3 – Legal requirements (the contractors should know the legal requirements of the processes they perform)
    7.2 – Competence (again, the competence requirements for the processes the contractors do)
    8.1.2 – Eliminating hazards (for the processes the contractors perform, they may have some ideas)
    8.2 – Emergency preparedness (the contractors may have plans in place for common potential emergencies that they can share)

    For help in understanding the ISO 45001 requirements, check out this free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • Service Owner


    Answer:
    The Service Owner is someone accountable for the service throughout its lifecycle. That includes defining requirements with the customer (together with the Business Relationship Manager), design and transition inside the organization, as well as maintenance and improvement.

    These articles can help you further:
    "Service Catalogue – Defining the service" https://advisera.com/20000academy/blog/2014/03/11/service-catalogue-defining-service/
    "Service Catalogue – a window to the world" https://advisera.com/20000academy/blog/2013/03/19/service-catalogue-window-world/
    Also, there is a free webinar on this topic as well: "ITIL Service Catalogue from scratch" https://advisera.com/20000academy/webinar/itil-service-catalogue-from-scratch-free-webinar/
  • Organizational culture


    Answer:

    Organizational culture refers to the set of beliefs, habits, values and attitudes of a company. This culture determines the way a company operates and is reflected in its strategies, its structure and its way of working.

    Changes in organizational culture could include:
    - Creation of multidisciplinary teams that support decision-making with several points of view
    - Introduction of social benefits for employees, such as travel, free meals, gym access, etc.
    - Introduction of the latest technologies into the company's processes

    Indeed, the arrival of younger staff could have an impact on the change of the company's organizational culture.

    To learn more about organizational culture, you can see:
    - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/es/knowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
    - Free online ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How to fill in "Requirement" column


    Answer:

    A "requirement" is what a specific document requires you to perform - e.g. GDPR article 32 requires companies to use (where appropriate) pseudonymisation and encryption of personal data.

    This article will help you more: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • How to fill Statement of Applicability


    For example this has for (6)
    A.6.1.1 Information security roles and responsibilities
    A.6.1.2 Segregation of duties
    A.6.1.3 Contact with authorities
    A.6.1.4 Contact with special interest groups
    A.6.1.5 Information security in project management

    Yet document "A.6.1_Bring_Your_Own_Device_BYOD_Policy_Cloud_EN.docxx" has the following in the table of contents. How are they linked?
    Table of contents
    1. PURPOSE, SCOPE AND USERS 3
    2. REFERENCE DOCUMENTS 3
    3. SECURITY RULES FOR USING BYOD 3
    3.1. COMPANY POLICY 3
    3.2. WHO IS ALLOWED TO USE BYOD, AND FOR WHAT 3
    3.3. WHICH DEVICES ARE ALLOWED 3
    3.4. ACCEPTABLE USE 3
    3.5. SPECIAL RIGHTS 4
    3.6. REIMBURSEMENT 4
    3.7. SECURITY BREACHES 5
    3.8. TRAINING AND AWARENESS 5
    4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT 5
    5. VALIDITY AND DOCUMENT MANAGEMENT 5

    Plus I do not see: 08_Annex_A_Security_Controls in the download yet it asks for them in 6_Statement_of_Applicability_Cloud
    A.5, A.5.1, A.5.1., A.5.1.2

    Answer:

    To fill out Statement of Applicability (SoA) you have to:
    1) Complete the List of legal, regulatory and other requirements, and the Risk treatment table - those two documents will be your main inputs for writing the SoA.
    2) Based on those two inputs you decide whether a particular control is applicable or not, i.e. whether you need that control to satisfy a requirement, or to decrease a risk.
    3) If a control is applicable, you simply have to look for a document that covers this control - in the "List of documents" (based in the root folder of the toolkit) you will find a cross reference on which controls are covered in which document. In the SoA template there are already suggested documents for most of the controls.

    By the way, together with the toolkit you have received the access to the video tutorial which explains how to fill out the Statement of Applicability - there you will see lots of examples on how this is done.
  • Is vendor agreement mandatory for ISO 13485?

    We received another question:

    > A purchase order is mailed to the supplier prior to purchase; can the purchase order be considered as an agreement? We are into manufacturing of class 1 medical devices, hence the purchase order can be considered as an agreement for ISO 13485 clause 7.4.2, as some suppliers are unwilling to sign agreements.

    Answer:

    If the purchase order contains the purchasing information of the products or services that you are sourcing from the supplier, it is valid. However, there should also be some email communication between your company and the supplier to ensure that the supplier will notify you of any changes made to the purchased product or service which could have an impact on the quality and performance of the medical device that you are dealing with.
  • Privacy Laws outside EU


    Answer:

    You can find out more about privacy legislation around the world here: https://www.dlapiperdataprotection.com/
  • List of Legal, Regulatory, Contractual and Other Requirements


    Answer:

    In the List of legal, contractual and other requirements first you need to identify an external document where a requirement is specified - therefore “Intellectual property rights” is not precise enough - instead you should find out which law in your country regulates the intellectual property rights, and then copy from this law the requirements applicable to your business.

    The rules you have specified in your message are much more appropriate for the IT Security Policy (you can find the template in our toolkit) - there you can formulate your own rules (based on the requirements you first identified in the List of legal, contractual and other requirements).
  • ISO documents for IT


    Answer: ISO 27001 does not prescribe a standardized reporting procedure or any other similar document; however, it does list mandatory and suggested documents you might use - here is an article that might help you:
    List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    2. On the other hand, could you guide us on which ISO documents best suit us as IT?

    Answer: If your question is about which standards might be the most suitable for IT, here are the 3 most popular:
    - ISO 27001 (information security) https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 22301 (business continuity) https://advisera.com/27001academy/what-is-iso-22301/
    - ISO 20000 (IT service management) https://advisera.com/20000academy/what-is-iso-20000/

    If your question is about which IT documents to use for ISO 27001, here’s an article that can help you: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/