Search results

  • Certification process


    Answer:

    The certification coverage will depend on the ISMS scope definition. If it is issued to corporate X, then we need to verify which locations (i.e., addresses) were included. If the address of any subsidiary or affiliated entity is included, then it is covered by the certificate (of course, this entity will have to go through the whole certification process together with the main Corporate X).

    Adopting a single certificate for all units or separate ones for each unit is a business decision, depending on their objectives and strategies, but in general organizations like these adopt the model of one certification for each unit, because a change in one unit does not impact the certification of other units.

    These articles will provide you further explanation about scope definition:

    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • ISO 9001 and the use of mandatory terms

    1. "competence" in place of "training"
    2. "Leadership" in place of "management"

    Answer:
    No, ISO 9001:2015 does not mandate the use of specific terminology.

    For example, this Advisera procedure uses both terms, training and competence: ISO 9001 document template: Procedure for Competence, Training and Awareness - https://advisera.com/9001academy/documentation/procedure-human-resources/

    By the way, leadership and management are two different things.

    The following material will provide you with information about ISO 9001:
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Emergency change


    Answer:
    Emergency changes are specific to the organization and need to be defined on a case-by-case basis. That is, they depend on the organization, services, processes in place, roles and responsibilities, etc. Therefore, it's not realistic to have a common procedure for all possible cases.
    However, what we have in our toolkit is a definition of the Emergency Change authority and the respective roles (e.g. ECAB and its members).
    Also, the following article can provide you with more information: "How to manage Emergency Changes as part of ITIL Change Management" https://advisera.com/20000academy/blog/2016/01/19/how-to-manage-emergency-changes-as-part-of-itil-change-management/
  • Rework or repair and ISO 9001


    Answer:
    Rework or repair are possible ways of treating product or service nonconformities. Product or service nonconformities are the subject of ISO 9001:2015 clause 8.7.

    Repair may also be used in the context of after-sales service, for example, because the customer made bad use of the product and broke it. After-sales service is the subject of ISO 9001:2015 clause 8.5.5 as post-delivery activities.

    The following material will provide you with information about treating nonconformities:
    - ISO 9001 – Five Steps for ISO 9001 Nonconforming Products - https://advisera.com/9001academy/blog/2014/01/13/five-steps-iso-9001-nonconforming-products/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Several questions about documents


    Answer: If the alternative controls chosen to be implemented have reduced the risks to acceptable levels, then controls A.10.1.1 and A.10.1.2 are not applicable and for justification you can state that there are no risks demanding control implementation.

    On the other hand, if the alternative controls chosen to be implemented have not reduced the risks to acceptable levels, and you still decided not to implement controls A.10.1.1 and A.10.1.2 (e.g., because the costs related to the implementation are greater than the expected impact of risk occurrence), then you can state that related risks (IDs xxx, yyy, zzz, etc.) are accepted by top management decision.

    2. If two controls have the same risk, what do we write at the justification for selection/non-selection at the second control if we implemented the first one and there are no other unacceptable risks?

    Answer: If the first control applied has reduced the risk to acceptable levels, for the second one you can state that there are no risks demanding control implementation.

    3. Do we really have to restrict access in case we'd like to access the information systems in the datacenter? We do have a Mobile Device and Teleworking Policy and Clear Screen and Clear Desk Policy which is being implemented.

    Answer: If there are no unacceptable risks related to unrestricted access to information (not only by employees, but by customers, suppliers, contractors, external parties, etc.), nor legal requirements demanding access control, you do not have to restrict access to information, but this is almost an impossible situation, because any organization has, to some degree, some information it wants to restrict access to. Additionally, the Mobile Device and Teleworking Policy and the Clear Screen and Clear Desk Policy implement some degree of access control (e.g., by defining who is eligible for teleworking and by requiring a screen lock when the user is away from his workstation).

    4. Besides the GDPR, is there anything else that may be relevant to document in the 'List of Legal, Regulatory, Contractual and Other Requirements'? Perhaps eventual NDAs with stakeholders (e.g. customers) that are very sensitive to security, data, etc.?

    Answer: GDPR is an example of a legal requirement related to laws, and your business probably will have some other laws or regulations related to its business that it must comply with. Other examples may be contracts with big customers and SLAs with suppliers. Since we are not legal experts, in these cases we recommend that organizations hire local legal advisers to guide them in identifying these requirements.

    5. If we implement control A.9.2.5 (Review of user access rights), what should we as a webhosting company review for sure (systems, networks, services and physical access)?
    We definitely have to review the physical access to the datacenter. I think we have to review access to Jelastic (server management) as well. Aside from that I wouldn't know anything else. I don't think we'd have to review access to more than 90 servers, right?

    Answer: What you should review will depend on the results of the risk assessment and the identified legal requirements (without this information we cannot provide a more precise answer). For example, why are you sure you have to review physical access (e.g., because of risks, or because of legal requirements)?

    Regarding the review of your servers, the same concept applies. If you have risks or legal requirements that demand the review of 45 servers (because of information stored or processed by them), then you only have to review these 45.

    6. If we implement control A.12.3.1 (Information backup), we must test backup copies. If we are going to test these manually, it will take a very long time (since there are only 4 employees which are doing the webhosting services), is there a more 'achievable' way to test these backup copies?

    Answer: Besides automatic tests (which require investment in equipment and software), an alternative you could use is to define a sample size with an acceptable degree of confidence and perform the tests only on the samples, changing the samples every time you perform the test (statistical knowledge is required for sample size definition). This is a way to ensure the backup process is working without a 100% test.

    For example, you may find that for 98% confidence that your backup process is working, you need to test 8 of 100 backup units, and only 1 can fail (if more than 1 fails you will have to test all units). This way, if your process is working properly you have to work on only 8 backups each time you have to test your process (of course, each time you perform the test you have to use a different set of backup units).

    7. Records of testing backup copies: Which fields are mandatory?

    Answer: ISO 27001 does not prescribe mandatory fields for backup records, but as good practice you can consider at least these fields: which information was requested to be backed up, the requester, the date of request, the date when the backup was performed, the result of the backup procedure (success / failure) and where the backup was stored.

    8. Records of log reviews: Which fields are mandatory?

    Answer: Also for this one, ISO 27001 does not prescribe mandatory fields for log reviews, but as good practice you can consider at least these fields: source of log information (e.g., access control server), purpose of the log (e.g., identify unauthorized access, attempts at unauthorized access), expected results (e.g., no login attempts during non-working hours), recorded results (success/fail logins), decisions taken (e.g., situation OK, open an incident, etc.).
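The sampling plan sketched in question 6 (restore-test n of N backup units, tolerate at most c failures) can be sized with hypergeometric arithmetic instead of guesswork. The block below is an added example, not part of the original answer or of Advisera's material; the pool size, defect counts and confidence level are constructed values.

```python
"""Acceptance-sampling arithmetic for backup restore tests (added example).

Constructed illustration, not from the original answer: a pool of N backup
units, of which D are secretly unrestorable, is tested by restoring n units
and tolerating at most c failures. The test "passes" with the hypergeometric
probability below; the same arithmetic yields the smallest n that keeps the
chance of passing a bad pool under 1 - confidence.
"""
from math import comb


def p_accept(pool: int, sample: int, max_fail: int, defective: int) -> float:
    """Probability that a sample of `sample` units drawn without replacement
    from `pool` units (of which `defective` cannot be restored) shows at most
    `max_fail` failures, i.e. that the restore test passes."""
    if not 0 <= sample <= pool or not 0 <= defective <= pool:
        raise ValueError("sample and defective must lie within the pool")
    total = comb(pool, sample)
    return sum(
        comb(defective, k) * comb(pool - defective, sample - k)
        for k in range(0, min(max_fail, defective, sample) + 1)
    ) / total


def min_sample_size(pool: int, max_fail: int, defective: int, confidence: float):
    """Smallest sample size whose test passes a pool containing `defective`
    bad units with probability at most 1 - confidence. Returns None when no
    sample size can reach that confidence (e.g. max_fail >= defective)."""
    for n in range(max_fail + 1, pool + 1):
        if p_accept(pool, n, max_fail, defective) <= 1.0 - confidence:
            return n
    return None


def operating_characteristic(pool, sample, max_fail, defect_counts):
    """Map each assumed number of bad units to the plan's pass probability."""
    return {d: p_accept(pool, sample, max_fail, d) for d in defect_counts}


if __name__ == "__main__":
    # Constructed scenario: a small hosting team with 100 backup units.
    N, n, c = 100, 8, 1
    for d, p in operating_characteristic(N, n, c, (0, 5, 10, 25, 50)).items():
        print(f"{d:3d} unrestorable of {N}: plan n={n}, c={c} passes with p={p:.3f}")
    need = min_sample_size(N, max_fail=0, defective=10, confidence=0.95)
    print(f"c=0 plan that rejects a pool with 10 bad units 95% of the time: n={need}")
```

Reading the operating characteristic for a candidate plan shows how often a pool with a given number of unrestorable units would still pass, which is the figure to compare against the confidence the organization has decided is acceptable.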
  • Results description


    Business Continuity Management Policy – sets a basic framework for the BCMS, determines the scope and responsibilities
    Business Impact Analysis (BIA) questionnaires – analysis of qualitative and quantitative impacts on business, of necessary resources, etc.
    Business Continuity Strategy – defines critical activities, interdependencies, recovery time objectives, strategy for managing and ensuring business continuity, strategy for recovering resources, strategy for individual critical activities
    Business Continuity Plan – a detailed description of how to respond to disasters or other business disruptions, and how to recover all critical activities
    Training and Awareness Plan – a detailed overview of how employees will be trained to execute planned tasks, and how they will be made aware of the importance of business continuity
    Business Continuity Exercising and Testing Plan – describes how plans will be exercised and tested with the objective of identifying necessary corrective actions and improving the plan
    BCMS Maintenance and Review Plan – a detailed overview of how plans and other BCMS documents should be maintained to ensure their functioning in the case of business disruption
    Post-incident Review Form – a form used for reviewing effectiveness of plans after an incident

    I need to add the following for BCMS but there are no descriptions included. Do you have them?
    Document and record control, Procedure for Identification of Requirements, Internal audit management, Management of Procedure for corrective and preventive actions, Form for Management Review Minutes

    Answer:

    You may consider these descriptions:
    - Document and record control: a procedure to ensure control over creation, approval, distribution, usage and updates of documents and records used in the Business Continuity Management System (BCMS).
    - Procedure for Identification of Requirements: a procedure to define the process of identification of interested parties, as well as statutory, regulatory, contractual and other requirements related to business continuity, and responsibilities for their fulfillment.
    - Internal audit management: a procedure to describe all audit related activities – writing the audit program, selecting an auditor, conducting individual audits and reporting.
    - Management of Procedure for corrective and preventive actions: a procedure to describe all activities related to the initiation, implementation and keeping of records of corrections, as well as corrective and preventive actions.
    - Form for Management Review Minutes: a form used to document the results of management review.
  • Corrective action and root cause


    Answer:
    I would consider a correction and a corrective action.
    What is the NC? Lack of understanding of the standard. How can we eliminate the NC? Correction: Identify all functions and roles with lack of understanding of the standard and provide a training action, or a workshop, or any other way of removing that lack of understanding.
    What is the cause of the NC?
    For example (clause 1): That requirement was not included in the job description. Corrective action: Update the job descriptions where that requirement is missing.
    For example (clause 2): People had training, but it was not effective.
    Corrective action: Update training requirements to be able to remove bad trainers from future training opportunities.

    The following material will provide you with information about root cause analysis:
    - ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • About the life cycle perspective


    Answer:
    By life cycle, consider the consecutive and interconnected stages of a product (or service) system, from obtaining raw materials, or its production from natural resources, to the final disposal, like in the picture below.

    https://www.screencast.com/t/R5xkVmmHx2

    An organization should think about the life cycle stages that can be controlled or influenced by the organization. For example, an organization in the furniture business can develop actions to minimize the possibility of using illegal timber cut down from protected forests, or an organization can take measures to inform customers about the correct ways of disposing of the product at the end of its life, as with toy batteries.

    The life cycle perspective implies consideration of the material life cycle associated with the products and services and does not require a detailed evaluation.
    The organization should evaluate and determine which stages of the life cycle it can control or influence, which can vary greatly depending on the context.

    The following material will provide you with information about the life cycle:
    - ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
    - How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Certification of multiple sites


    Answer:

    If you decide to integrate several sites into a single management system, this must be reflected in the scope of the QMS, that is, how many companies it includes and what the activities of each company are.

    As for the document coding, it should be shared, since it would be part of the same management system and the objective is the integration of the whole system. You can decide to keep the parent company's system or choose any other that better suits the needs of the organization.

    If not all sites provided the same services, there would be no problem, since there could be procedures that apply only to some of the sites and not to others. As for the process map, each site could develop its own map, as with the staff organization chart, which could be independent for each site or for the group as a whole.

    Internal audits could be carried out by establishing an audit program for each of the sites or, alternatively, one audit program for the company as a whole.

    For more information, you can see these materials:
    - Article - Certifying different legal entities under one certification scope: https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/