  • Templates content


    Answer: First it is important to note that the number of applied controls does not have a direct correlation with the number of treated risks. You can have scenarios with many risks treated by few controls, as well as scenarios with few risks treated by a large number of controls. This all depends on the organization's context, the legal requirements to be fulfilled and the business objectives.

    Considering that, to justify that a control is not applicable you should verify first that there are no unacceptable risks that justify the implementation of the control, and that there are no legal requirements demanding the implementation of the control. If both situations occur, you can state that the control is not applicable in the SoA.

    For further information, please read:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2. Controls of A.16 and A.17: These controls can be applicable to each risk more or less, since you should document each disaster, and aside from that it's important that your business still runs after a disaster. Is it okay to write at each control of A.16 that there is a legal requirement (GDPR) that requires us to do so? As for the controls of A.17, is it okay to write that this is a management decision? (In this case we would basically not link them to any specific risk.)

    Answer: Both justifications you presented for applying the controls you mentioned are valid (demanded by a legal requirement or by a top management decision).
  • Auditing a production area


    Answer:
    When I audit a production area, I want to see evidence of:
    - Operation parameters are defined, are monitored and the process is being controlled;
    - SOPs, if defined, are available and are being followed;
    - Production and quality control records are being made;
    - Non-conforming products are removed, identified, corrected or destroyed;
    - Traceability is in place and working for machines, people and raw materials;
    - Machines and other equipment have preventive maintenance according to plan;
    - Operators are competent;
    - Cleaning processes are in place and validated.

    The following material will provide you information about auditing production:
    - Understanding Product & Service Provision in ISO 9001 - https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
    - Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
    - How to establish process validation in the QMS - https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • 5S and ISO 9001


    Answer:
    When organizations want to include 5S as part of the QMS, I include it as a way of complying with clause 7.1.4 of ISO 9001:2015, and it is included in the initial training for new employees.

    The following material will provide you information about ISO 9001:2015:
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • AS9100 Rev D additional purchasing requirements

    Disregard previous question.
  • ISO 27001 implementation


    Answer:

    Broadly speaking, to implement ISO 27001 an organization has to:
    - Obtain top management support
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security
    - Define, document and communicate an information security policy
    - Define roles and responsibilities relevant to operation and management of information security
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment
    - Operate the security controls and generate the necessary records
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    To increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard.

    Since you stated that you are already using our free materials, as additional guidance I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    With this demo you can see what the mandatory, and most commonly used, documents to implement ISO 27001 look like, and they may give you insights to help with your implementation.
  • Template content - awareness and training

    "Job title or name" - which department or employee is meant? The one who trains or the one who is being trained?
    The comment beside it doesn't really help in that case.

    Answer:

    First of all thanks for this feedback. The column "Job title or name" refers to personnel who must be trained.
  • Risks and ISO 22301


    Answer:

    First it is important to note that ISO 22301 does not focus on risk management, but on business continuity. The objective of this standard is to ensure continuity of processes and delivery of services after a disruptive event, and risk management is one approach to achieve this objective, by the identification and treatment of risks that can lead to a disruptive event, but the standard itself does not define which risks to be treated or how to identify and treat them, only that this activity must be performed.

    For detailed information about risk management you should consider the ISO 31000 standard.

    These articles will provide you further explanation about ISO 22301 and ISO 31000:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    Although the last article mentions ISO 27001, the concepts of ISO 31000 included in the article are also applicable to ISO 22301.
  • BCM policy and a DR policy


    Answer:

    First it is important to note that both the Business Continuity Management (BCM) policy and the Disaster Recovery (DR) policy are top-level documents, covering management intentions. For operational purposes, i.e., detailed step-by-step activities and responsibilities, you also have to consider Business Continuity (BC) plans and Disaster Recovery (DR) plans.

    Considering that, the Business Continuity Management (BCM) policy is a more comprehensive document, covering management intentions regarding keeping processes and services running at minimum agreed levels after a disruptive event and returning them to normal operation as quickly as possible, while the Disaster Recovery (DR) policy focuses on management intentions regarding only the recovery of infrastructure (e.g., physical and IT infrastructure).

    Regarding documentation, you can have a single document to cover both issues, with the DR policy being a section of the BCM policy.

    These articles will provide you further explanation about BCM and DR in the context of ISO 22301, the ISO standard for business continuity management:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - The purpose of Business continuity policy according to ISO 22301 https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
    - Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    This material will also help you regarding BCM and DR:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Controls to be implemented


    Answer:

    First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a Top Management decision to implement the control, by considering it as good practice.

    If none of the above conditions apply, there is no need to implement the control.

    Considering that, in our experience a certified ISMS generally implements up to 80 of the 114 controls listed in ISO 27001 Annex A.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/