In general, the Chief Risk Officer (CRO) role is to identify, analyze and treat significant risks to business considering its various segments (e.g., quality, legal, financial, environmental, information, etc.). This is an independent role in organizations where there are multiple processes that require risk management and it is necessary to ensure a systemic approach.
So the CRO role in implementation of ISO 27001 is to help identify and analyze (by means of risk assessment), and treat significant risks to business regarding information security.
Since this role is separate in your organization, I understand that it has the prerogative to perform the risk assessment and treatment (the project team implementing ISO 27001 would be a customer of this "service"), to ensure the use of the general approach to risk management adopted by the organization, and to apply a few adjustments where and when necessary.
Regarding the purchase of the ISO 27001 and 22301 Premium Documentation Toolkit, you should consider it only if you intend to also implement ISO 22301 (for the management system for business continuity). The content of ISO 27001 Documentation Toolkit is sufficient to cover the requirements of ISO 27001, including those related to business continuity.
Answer:
First, remember that ISO 9001:2015 does not make it mandatory to keep records about risk determination and classification. Keeping records is an option that organizations can follow, and normally do.
Your organization can identify a set of situations where risks are determined (for example: during process performance review meetings, after complaints, when starting product or service development projects) and define how risks and opportunities are recorded, evaluated, and by whom.
Is ISO 13485 applicable to a non-profit organization?
Answer:
In this case, you have to contact the donors (the companies that donated the medical equipment) to get the ISO 13485 certification from them.
Risk assessment for ISMS and BCMS
Answer:
Since BIA relates Impact over Time, and RA relates Impact and Likelihood, I'm assuming by your statement that the RA process used for BIA is using a 1-4 scale, and on the RA for the ISMS you are using the 1-5 scale. Considering that, you have two options to consider to have comparable results:
1 - Adopt a single scale for RA process used both for BIA and the ISMS
2 - Use a constant to convert the risk value used on the BIA to the ISMS and vice versa
Considering the second alternative, for each risk value found using the 1-5 scale you must multiply it by 0.8 to find its equivalent risk value on the 1-4 scale. For the reverse path (i.e., converting a value from the 1-4 scale to the 1-5 scale), the constant to be used is 1.25.
Is it possible NOT to provide employees with laptops and antivirus solutions? Our employees use their own laptops.
Our employees use Windows Defender. But we cannot control if the antivirus is on. We cannot control if the antivirus is updated and scheduled to perform periodic scans. So, we do not have any control or evidence. What are the options for us?
Answer:
ISO 27001 does not specify who should be the owner of the laptops or which kind of anti-virus software you should use - the key point in ISO 27001 is how you deal with risks.
So if your risk assessment says that the risks to those laptops are acceptable even if you do not control the AV software, then you can leave the system as it is; if the risk is not acceptable, then you can require the users to install some kind of AV software where you can control how it operates.
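If the risk assessment concludes that the Defender state on those personal laptops must be controlled and evidenced, the gap the question describes (no way to tell whether the antivirus is on, updated, or scheduled to scan) can be closed with a small collection script. The following is an added example, not part of the original answer or of any Advisera toolkit: it assumes a Windows 10/11 laptop where the built-in Defender PowerShell cmdlets (Get-MpComputerStatus, Get-MpPreference) are available, and the signature-age and scan-age thresholds are illustrative assumptions, not values taken from ISO 27001. Each user runs it (or it is pushed through a logon script or MDM), and the resulting JSON file is the evidence kept for the control.

```powershell
# Added example: collect Windows Defender state on a BYOD laptop as evidence.
# Assumes Windows 10/11 with the Defender module present; thresholds below
# are illustrative assumptions, not requirements of ISO 27001.
param(
    [int]$MaxSignatureAgeDays = 3,   # assumed threshold: signatures older than this fail
    [int]$MaxQuickScanAgeDays = 7,   # assumed threshold: no quick scan within a week fails
    [string]$OutFile = "$env:TEMP\defender-evidence.json"
)

# Both cmdlets ship with Defender; if a third-party AV has taken over,
# AntivirusEnabled will normally be $false and that is recorded as a failure.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# ScanScheduleDay: 0 = every day, 1..7 = a weekday, 8 = never scheduled.
$checks = [ordered]@{
    'AV engine enabled'         = [bool]$status.AntivirusEnabled
    'Real-time protection on'   = [bool]$status.RealTimeProtectionEnabled -and -not [bool]$pref.DisableRealtimeMonitoring
    'Signatures fresh'          = [int]$status.AntivirusSignatureAge -le $MaxSignatureAgeDays
    'Quick scan recent'         = [int]$status.QuickScanAge -le $MaxQuickScanAgeDays
    'Scheduled scan configured' = [int]$pref.ScanScheduleDay -ne 8
    'Tamper protection on'      = [bool]$status.IsTamperProtected
}

# Evidence record: who, which machine, when, and the raw values behind each check,
# so an auditor can re-derive the verdict rather than trust a single boolean.
$evidence = [ordered]@{
    Host             = $env:COMPUTERNAME
    User             = $env:USERNAME
    CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
    LastQuickScan    = $status.QuickScanEndTime
    ScanScheduleDay  = $pref.ScanScheduleDay
    Checks           = $checks
    Compliant        = -not ($checks.Values -contains $false)
}

$json = $evidence | ConvertTo-Json -Depth 3
$json | Set-Content -Path $OutFile -Encoding UTF8
Write-Output $json

# Non-zero exit lets a logon script or MDM compliance policy flag the laptop.
if (-not $evidence.Compliant) { exit 1 }
```

Because the script only reads Defender state, it does not need administrator rights for the checks shown; what it cannot do is stop a user from turning protection off between runs, which is why the tamper-protection value is recorded alongside the others.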
Answer:
If you check ISO 9001:2015, clause 7.5, you will see the phrase "the organization shall" several times. However, the organization does not act as such; someone, a person or a function, has the authority or responsibility to control the documented information. So, complying with ISO 9001:2015 clause 5.3, top management shall ensure that the responsibilities and authorities for relevant roles, including documented information control, are assigned.
Answer:
Since the beginning, in 1987, ISO 9000 and ISO 9001 have always existed as separate standards. ISO 9001 includes the requirements associated with a quality management system and is auditable. ISO 9000 includes the quality management principles and vocabulary and is not auditable. So, ISO 9000:2015 still exists and is very useful for implementers.
The controller should always have a Data Processing Agreement in place with its processors pursuant to art. 28 of the GDPR. Based on the provisions of art. 28.3 (a) the processor needs to act only on the instructions of the controller.
So if the processor refuses to act based on the instructions of the controller it would be a breach of both the GDPR and the Data Processing Agreement.
1 - List of permitted devices: How detailed must the device be described? Is it enough to specify PC, laptop or mobile phone? Or should the exact type designation be given?
Answer: ISO 27001 does not prescribe detail levels for device descriptions, so you can use the level of detail that you consider sufficient to fulfill your needs; either a general description or the exact type designation is acceptable for ISO 27001.
2 - Can you give me examples of mandatory device settings?
Answer: As examples of mandatory device settings we have:
- Use of screen lock with password
- Device encryption enabled