
  • 5S and ISO 9001


    Answer:
    When organizations want to include 5S as part of the QMS, I include it as a way of complying with clause 7.1.4 of ISO 9001:2015, and it is included in the initial training for new employees.

    The following material will provide you information about ISO 9001:2015:
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • AS9100 Rev D additional purchasing requirements

    Disregard previous question.
  • ISO 27001 implementation


    Answer:

    Broadly speaking, to implement ISO 27001 an organization has to:
    - Obtain top management support
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security
    - Define, document and communicate an information security policy
    - Define roles and responsibilities relevant to operation and management of information security
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment
    - Operate the security controls and generate the necessary records
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    To increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard.

    Since you stated that you are already using our free materials, as additional guidance I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    With this demo you can see what the mandatory, and most commonly used, documents to implement ISO 27001 look like, and they may give you insights to help with your implementation.
  • Template content - awareness and training

    "Job title or name" - which department or employee is meant? The one who trains or the one being trained?
    The comment beside it doesn't really help in that case.

    Answer:

    First of all thanks for this feedback. The column "Job title or name" refers to personnel who must be trained.
  • Risks and ISO 22301


    Answer:

    First it is important to note that ISO 22301 does not focus on risk management, but on business continuity. The objective of this standard is to ensure continuity of processes and delivery of services after a disruptive event. Risk management is one approach to achieve this objective, by identifying and treating risks that can lead to a disruptive event, but the standard itself does not define which risks are to be treated or how to identify and treat them, only that this activity must be performed.

    For detailed information about risk management you should consider the ISO 31000 standard.

    These articles will provide you further explanation about ISO 22301 and ISO 31000:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    Although the last article mentions ISO 27001, the concepts of ISO 31000 included in the article are also applicable to ISO 22301.
  • BCM policy and a DR policy


    Answer:

    First it is important to note that both the Business Continuity Management (BCM) policy and the Disaster Recovery (DR) policy are top-level documents, covering management intentions. For operational purposes, i.e., detailed step-by-step activities and responsibilities, you also have to consider Business Continuity (BC) plans and Disaster Recovery (DR) plans.

    Considering that, the Business Continuity Management (BCM) policy is the more comprehensive document, covering management intentions regarding keeping processes and services running at minimum agreed levels after a disruptive event, and returning them to normal operation as quickly as possible, while the Disaster Recovery (DR) policy focuses on management intentions regarding only the recovery of infrastructure (e.g., physical and IT infrastructure).

    Regarding documentation, you can have a single document to cover both issues, with the DR policy as a section of the BCM policy.

    These articles will provide you further explanation about BCM and DR in the context of ISO 22301, the ISO standard for business continuity management:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - The purpose of Business continuity policy according to ISO 22301 https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/
    - Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    This material will also help you regarding BCM and DR:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Controls to be implemented


    Answer:

    First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a Top Management decision to implement the control, by considering it as good practice.

    If none of the above conditions apply, there is no need to implement a control.

    Considering that, in our experience a certified ISMS generally implements up to 80 of the 114 controls listed in ISO 27001 Annex A.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Implementing ISO 27001 for outsourced SOC services


    I would like to know the following:

    1. What is the best practice (from ISO 27001 and Governance perspective) for ownership of processes. Should these be under the SOC team, Corporate IT or other role?

    Answer: In this case there is no definitive answer on how to implement an ISO 27001 ISMS, because depending on the organizational context, legal requirements and business objectives, one approach can be better than the other.

    The ownership of processes should be designated to the entity in the organization with the authority to make and enforce the changes and adjustments required to achieve the proper level of security. In some organizations the SOC team has this level of authority, but in others this authority remains with the head of the IT department or even with the main executive (in small organizations).

    For further information, please read:
    - Should information security focus on asset protection, compliance, or corporate governance? https://advisera.com/27001academy/blog/2017/03/13/information-security-focus-asset-protection-compliance-corporate-governance/

    2. Traditionally the SOC team has done whatever they want and purchased assets (systems, applications, etc). What is the recommendation for ownership of assets? Should this be under the SOC team, Corporate IT or other role?
    Answer: Ownership of assets should be designated to roles that can be made accountable for the protection of the asset. Since this is a more operational issue, you can consider the SOC team as responsible for the assets.
    For further information, please read:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    3. Since the scope is the services provided by the SOC, how should the ISO 27001 documents be handled? Should they be written in the context of applying controls on the systems used by the SOC or in the context of systems the SOC supports for the customers?

    Answer: The best approach would be integrating the controls into existing documentation, since this way security will be perceived as part of the process, and it will be easier to understand and use.
    For further information, please read:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Incident and Recovery Plan

    Many thanks, now everything is clear :-)