I couldn't think of a vulnerability, so I assume I should not document this?
Answer: In your example you have to document the risk because probably it is nearly impossible because of all controls you already have implemented (e.g., badge, security procedures, and authentication methods). These implemented controls should be included in the last column of the Risk Assessment Table.
Included in your toolkit you have access to a video tutorial that can provide you guidance on how to fill in the Risk Assessment Table, using real data as examples.
2. Regarding the tab 'Asset owner' and 'Risk owner' which is important in several documents: Let us take laptops as an example, each employee has received a laptop from the company but the legal owner of this laptop is the organization. Who shall I put as Asset Owner and Risk Owner? Asset Owner: CTO/Employer, Risk Owner: CTO/Employer?
Answer: For ISO 27001, the asset owner is the person who is responsible for the asset, to ensure it is properly protected, not its legal owner. The risk owner is the person accountable for managing the risk, i.e., to reduce it to acceptable levels. In your example the asset owner can be the employee responsible for the laptop, while the risk owner can be the CTO.
3. Control A.12.1.3 Capacity Management, I'm trying to think of a possible risk but I wouldn't know what kind of information security risks there could be. I know that the budget for (potential) IT assets is a part of this control, but as for the rest it's not very clear to me. Could you possibly give me some more information about Capacity Management or at least about possible risks which are related to IT Security?
Answer: Capacity management is related to planning resources to fulfill demand when required, ensuring agreed service levels, so risks related to capacity management are mostly related to information not being available when needed, e.g., due to faulty equipment which has no redundancy, demands above implemented resources (e.g., during Denial of Service - DoS - attacks), technology obsolescence, etc.
In fact, customers can ask for your Statement of Applicability to have an overview of your information security posture and approach, but since it contains sensitive information about how you protect information, I'd recommend you use some cost-benefit method or criteria to identify whether providing this document would be worthwhile, considering the risks to the business regarding the confidentiality of the information provided, and the value of this customer to your business. In case you decide to provide the Statement of Applicability, you should ask the customer to sign a non-disclosure agreement (NDA) before you send such confidential information.
ISO 27001 and ITIL
Answer:
If you are looking for Information Security implementation only, then ISO 27001 would be a better fit. But, if you plan to implement/improve other aspects (organization, functions, processes, management of the services), then ITIL is better. ITIL will give you the opportunity to manage various standards and best practices, like ISO 27001, Agile, DevOps, etc.
Answer:
ISO 9001:2015 no longer requires mandatory procedures. That does not mean that procedures are forbidden. So, if your organization wants to use procedures, they are allowed. These activities will not be part of the QMS Scope document. These activities can be related to relevant stakeholders through:
- Procedures;
- Flowcharts;
- Job descriptions;
- Templates;
- Training records.
Answer:
While I am not an expert on HSG65, both ISO 45001:2018 and HSG65 seem to be Occupational Health & Safety Management System (OHSMS) requirements that can be implemented in a company. Both requirements follow the Plan-Do-Check-Act methodology, and include auditing to maintain the standard. One difference seems to be that ISO 45001 focuses on worker consultation and participation in the OHSMS, where I do not see this in HSG65. There may be some differences within the standards, but the biggest difference I can see is that ISO 45001 is an internationally recognized standard, whereas HSG65 is only recognized in the UK. If you are looking at an international market for your customers, this could be a determining factor.
One thing to remember is that ISO 45001:2018 also does not require certification if the cost of certification is the driving factor to not implement this standard. The standard does give you the option to implement all aspects of the standard and then be able to claim compliance to ISO 45001:2018 (as opposed to “certification to ISO 45001:2018”). So, if the only drawback to ISO 45001 is the certification, you could compare the 2 standards to see which would be a better fit for your organization. Both will have implementation costs, and both will give you a working OHSMS, but which one will benefit you in the long term? With ISO 45001, even if you do not certify right away, you also have the choice of certifying in the future if this becomes something that will be useful to you. You will not have this choice with HSG65.
For more information on the benefits of ISO 45001:2018, see the article: 4 key benefits of ISO 45001 for your business, https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/
Business continuity plan
Answer:
Once you have identified the disruptive scenarios you have to handle, broadly speaking, the development of a continuity plan based on ISO 22301:2012 requires the development of:
- incident response plans, with emergency actions to be performed right after the disruption being identified;
- continuity actions to bring activities back to minimum agreed levels;
- recovery actions to bring activities back to normal operations.
Answer:
Yes, your organization can implement a quality management system and certify it. Certification grew precisely with the development of international trade after the ’80s to facilitate it.
ISO 27001 does not prescribe a frequency to perform internal audits, but requires that audits must be planned considering the importance of the processes involved and the results of previous audits. For a certified ISO 27001 ISMS you have to ensure all elements in the scope are internally audited at least once during the certification period (three years).
Answer:
OH&S opportunities and other opportunities as per clause 6.1.2.3 are asking you to have a process to assess both of these types of opportunities. OH&S opportunities (clause 6.1.2.3 a) are any opportunities that may exist to improve your OH&S performance within your organization. This could include adapting work to make it safer, organizing work in a way that reduces workplace injury, or eliminating hazards that may exist in the workplace. An example would be replacing a cleaning chemical that is a known carcinogen with a safer chemical to clean parts in your facility.
Other opportunities (clause 6.1.2.3 b) come from outside of your organization such as changing legal compliance obligations or changes in external issues. An example of one of these other opportunities could be: if you find out that a supplier will not be able to provide you with a chemical that is critical for your product, and you can’t find the chemical anywhere else. This could be an opportunity to find a safer chemical to replace the chemical that is being made obsolete.
In both cases, you assess these opportunities to decide which need to be addressed with planning actions (clause 6.1.4).
For a more thorough discussion of opportunities in ISO 45001:2018, see the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
The next step would be to gather all your internal documents and information and start to create a quality manual followed by the relevant standard operating procedure (SOP) required by the Standard.