
  • Is advisory notice applicable to a subcontract manufacturer?


    Answer:

    Even though your company might not be the product owner, Advisory Notice is still applicable for your organization as a manufacturer of the device.
    For example, in the situation where there is some field safety corrective action, you might be required to take part in the investigation and hence it is recommended for you to have a procedure for this in order to be compliant with ISO 13485 and local regulatory requirements in your country.

    For more information, you might refer to:

    How to manage recalls and advisory notices for medical devices according to ISO 13485

    https://advisera.com/13485academy/blog/2017/08/31/how-to-manage-recalls-and-advisory-notices-for-medical-devices-according-to-iso-13485/
  • Merging of QMS with Advisera template


    Answer:

    You should sort out your internal procedures and various QMS into one final version. The next step would be to merge it with Advisera's template and then upload it to Conformio.
  • Documentation content

    • updates of patches and other system settings are performed [specify how this is technically implemented, or make reference to a document defining the process]
    • protection against malicious code is installed and updated [specify how this is technically implemented, or make reference to a document defining this process]

    Answer: These lines only need to be implemented if there are unacceptable risks that can be treated by them, or if there are legal requirements, or top management decisions demanding their implementation. If none of these occurs, you do not need to implement these lines, and they can be excluded from the policy.

    2. Risk for not having information system requirements (A.14.1.1) defined: Threat would be unauthorized access to the information system, Vulnerability: no defined information system requirements. Right?

    Answer: In this case, "no defined information system requirements" is too generic. Here you may use "lack of access control rules", or "use of weak passwords".

    3. Asset name: Model name or do we have to choose a name for each asset? p.s. It might be important to know that we're using the same models of a specific asset (e.g. laptops, servers, ...)

    Answer: ISO 27001 does not prescribe detail levels for asset description, so you can use asset names that you consider sufficient to fulfill your needs.

    4. A.14.1.2 and A.14.1.3 It says [Job title] must describe security controls, but is this obligatory or is the text that you have in your template and the implementation of these controls enough?

    Answer: I'm assuming you are referring to the Secure development policy, section 3.5. Considering that, if controls A.14.1.2 and A.14.1.3 are applicable, then you have to describe the controls, because this description will be used as guidance for the implementation (i.e., without this description there is no way to know how to implement the controls).

    5. Regarding the question that I asked the previous time. So let us say laptop A is the asset used by owner A, laptop B is the asset used by owner B, and both these laptops have the same risks. Does this mean I can only define it for owner A, or do I have to write both owner A and owner B in the Asset Owner tab?

    Answer: In the case of an asset where each single unit has a different owner, you can use an expression like "the asset user" to define its owner. This way it is clear that the person using the asset is responsible for its protection.

    6. Information Classification Policy: Do we have to add the confidentiality level on top of each document that we're using or do we have to start doing that after being certified?

    Answer: If the labeling of information is an applicable control, you have to add the confidentiality level on each document before the certification audit.

    7. Is it obligatory to test backup copies ourselves? We are a web hosting company which has a lot of customers, and it's nearly impossible for us to do this all on our own.
    However, the software which is being used by us is testing the backups. Is that okay?

    Answer: ISO 27001 does not prescribe who must test backup copies, only that they are tested, so you can define another party to perform the test. Considering that this may be a third party (e.g., a contractor or a provider), you must ensure security clauses about this test are included in the agreement you have with them.

    8. Access Control Policy: Control A.9.2.5 is applicable. Does this mean we have to put all the servers, networks, laptops, facilities, etc... in this table? The servers are like more than 100 in total.
    Also, regarding the records of A.9.2.5: What are these records supposed to look like? Which tabs do they have?

    Answer: Please note that the information required is "Name of system / network / service / physical area", so you do not have to list the servers, but you have to consider all servers that are part of the systems listed in the table. For example, you may have the system ABC which is based on three servers (e.g., application server, database server, and web server), so you have to check special rights on all these servers.

    Regarding required records, ISO 27001 does not prescribe a format, but you can consider that the information they have to contain is the defined special rights, which special rights are currently implemented, and the date when the review was performed.
  • Framework for implementing and maintaining a QMS

    Is there any framework or theory that can be recommended for implementing and maintaining a QMS related to quality certifications? What I am searching for is the organizational content of getting certified, because for my study I need to write a thesis which relates to the Quality department of an organization.

    Yes, Advisera suggests a framework for implementing and maintaining a QMS in order to get and keep certification. Below, you can find some articles about our framework based on years of experience.

    And do you consult companies on organizing or structuring their ''Quality'' department? If so, do you use theory to do that, and which theory is that?

    Based on our experience we designed a course about implementing a QMS and an Implementation Toolkit to speed up implementation. Below, you can find links to the Lead Implementer Course and Documentation Toolkit.
    Please note that Advisera's materials are fully aligned with ISO 9001 and IATF 16949. The following material will provide you with information about implementing a QMS:
    - Checklist of ISO 9001 implementation & certification steps
    https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - What are the biggest challenges while setting up an ISO 9001-based QMS, and how do you overcome them?
    https://advisera.com/9001academy/blog/2016/06/28/what-are-the-biggest-challenges-while-setting-up-an-iso-9001-based-qms-and-how-do-you-overcome-them/
    - ISO 9001 Implementation diagram
    https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - ISO 9001:2015 Documentation Toolkit
    https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - You can enroll for free in this ISO 9001:2015 Lead Implementer Course
    https://advisera.com/training/iso-9001-lead-implementer-course/
    - ISO 9001:2015 Foundations Course
    https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples
    https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Becoming a lead auditor


    Answer:

    To start your journey to become an information security auditor you should attend an ISO 27001 lead auditor course, so you can understand the concepts of the ISO 27001 management system and the processes and techniques involved in an audit. After passing the course, if you want to work as a certification auditor, you need to accumulate audit hours working for a certification body, first as an observer, and after that as an audit team member, so you can gain understanding and experience in practical audits. After sufficient auditing hours, and good evaluations from your team leader, you can achieve the status of certification auditor and after that certification as lead auditor.

    These articles will provide you further explanation about becoming a lead auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    Also, I suggest you take a look at our ISO 27001 Lead Auditor course at this link: https://advisera.com/training/iso-27001-lead-auditor-course/
  • Access control and working in secure areas


    Having in mind that the first one is mandatory and the second one is not, how does it sound to merge them together? I find it much more comfortable and logical to have these procedures together, if there is a clear distinction in the document regarding facilities and systems / equipment / networks and so on. Is this a valid approach?

    Answer:

    First it is important to note that controls from ISO 27001 Annex A are mandatory only if at least one of these situations happens:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a top management decision to implement the control, by considering it as good practice.

    If none of the above conditions happens, there is no need to implement a document related to that control.

    Considering that, you can merge these two controls in a single document if this makes it easier for your organization to understand and implement them.

    These articles will provide you further explanation about selecting controls and access control:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
  • Elaborating a security policy


    My question for you is, can I modify the security control objectives from Annex A (ISO/IEC 27001) and rewrite them so that they represent my company's security policy?

    For example, take information security objective A.7.1.2, which states: "To ensure that employees and contractors are aware of and fulfill their information security responsibilities." Can I reword this to say (something like): "It is our company's policy to ensure that employees and contractors are aware of and fulfill their information security responsibilities."?

    Answer:

    First it is important to note that a policy sets general directions, while an objective is specific about what must be achieved. Considering that, you can use elements from the security control objectives from Annex A to fulfill your needs regarding writing policy statements, but you must consider the different purposes they have when building the text.
    Your example is too specific to be used as a policy statement (e.g., what about customers or suppliers who access your information? How do you handle them?). A proper example would be: "It is our company's policy that personnel who handle information must be prepared to protect it properly." In this example you do not limit to whom this statement applies (it is valid also for customers, suppliers, and other entities), nor how you are going to accomplish that (e.g., by means not only of awareness, but also of education, training, etc.).

    This article will provide you further explanation about controls objectives:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    This article will provide you further explanation about elaborating the information security policy:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
  • Mandatory documents


    The question is: in a small digital agency (up to 20 employees, including management), which documentation and policies / procedures are required, and which ones are overkill for a small organization like my company?

    Answer:

    First it is important to note that some documents and records are mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10), and these are:
    - Scope of the ISMS (clause 4.3)
    - Information security policy and objectives (clauses 5.2 and 6.2)
    - Risk assessment and risk treatment methodology (clause 6.1.2)
    - Statement of Applicability (clause 6.1.3 d)
    - Risk treatment plan (clauses 6.1.3 e and 6.2)
    - Risk assessment report (clause 8.2)
    - Records of training, skills, experience and qualifications (clause 7.2)
    - Monitoring and measurement results (clause 9.1)
    - Internal audit program (clause 9.2)
    - Results of internal audits (clause 9.2)
    - Results of the management review (clause 9.3)
    - Results of corrective actions (clause 10.1)

    Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a top management decision to implement the control, by considering it as good practice.

    If none of the above conditions happens, there is no need to implement a document related to that control. Examples of such documents are:
    - Inventory of assets (to implement control A.8.1.1)
    - Acceptable use of assets (to implement control A.8.1.3)

    Considering that, besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

    These articles will provide you further explanation about ISO 27001 documents and selection of controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Categorization of assets


    Examples: Would you say contracts are a primary asset or a supporting asset? How about job descriptions, NDAs, SLAs, DPAs, or sales offers? Is there a good technique for how to categorize properly? In the risk assessment table template from Advisera, only suggested assets are listed.

    Answer:

    ISO 27001 does not prescribe asset categorization, so you do not need to implement further categorization than what is already provided in the suggested list of assets in the risk assessment table template (adding such categorization will only unnecessarily complicate the process).

    Contracts, job descriptions, NDAs, SLAs, and DPAs are documentation, while sales offers are information (unless this refers to the name of a document).

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/pt-br/blog/2016/10/25/onde-a-seguranca-da-informacao-se-encaixa-em-uma-organizacao/
  • ISO 9001 in Construction companies


    Answer:
    I worked with more than a dozen construction companies in implementing and certifying a quality management system according to ISO 9001.
    ISO 9001 is very helpful for organizations that work with projects and organizations that have no repetitive product or service year after year.

    The following material will provide you with information about ISO 9001 and the construction industry:
    - ISO 9001 – Would construction companies benefit from ISO 9001? - https://advisera.com/9001academy/blog/2016/06/07/would-construction-companies-benefit-from-iso-9001/
    - white paper - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/s -course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/