Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Policy for sharing files externally


    Answer:

    ISO 27001 controls which can be related to protect file exchange, including exchanges with external parties, belongs to section A.13.2 Information transfer, and the following templates from ISO 27001 toolkit cover these controls:

    - Bring Your Own Device (BYOD) Policy, covering control A.13.2.1, located on folder 08 Annex A Security Controls ==A.6 Organization of Information Security
    - Confidentiality Statement, covering control A.13.2.4, located on folder 08 Annex A Security Controls ==A.7 Human Resource Security
    - IT Security Policy, covering control A.13.2.3, located on folder 08 Annex A Security Controls ==A.8 Asset Management
    - Information Classification Policy, covering control A.13.2.3, located on folder 08 Annex A Security Controls ==A.8 Asset Management
    - Security Procedures for IT Department, covering control A.13.2.1 and A.13.2.2, located on folder 08 Annex A Security Controls ==A.12 Operations Security
    - Information Tra nsfer Policy, covering control A.13.2.1 and A.13.2.2, located on folder 08 Annex A Security Controls ==A.13 Communications Security

  • Training records


    Answer:
    There is no specific requirement for training records, however, the clause that refers to this question is 7.2 Competence.
    We suggest that there should be a responsible person who is in charge of managing all training records and doing a competency check for an employee according to the attended training.
    For more information please read the following article:

    -How to ensure the competence of your employees according to IATF 16949: https://advisera.com/16949academy/blog/2017/10/04/how-to-ensure-competence-of-your-employees-according-to-iatf-16949/

  • Management review - how long?


    Answer: I do not know the dimension of your organization, but at least half a day seems to be the minimum time to perform an acceptable management review. If attendants study the documentation in advance, the management review timing can be focused on the discussion of topics and making conclusions and decisions.

    The following material will provide you information about management review:
    - How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
    - How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2 015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Auditing the Plant Manager


    Answer:
    I would concentrate on the interactions of the Plant with the environment:

    What are the significant environmental impacts?
    What is planned to control or improve those impacts?
    Are those action plans being followed?
    Are those action plans being effective?
    Are procedures and or practices being followed?
    Are potential emergency situations being prevented? Are there procedures for answering to those emergency situations? Were those procedures tested?
    Is environmental performance improving?

    The following material will provide you information about the assessment of environmental interactions:
    - Defining and implementing operational control in ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
    - Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - Free online training ISO 14 001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/

  • Scope of clauses

    Of courses these clauses are not requirement, but they are still clauses which need accurate information such as operation's address, provision/exclusion and scope of standard.”

    Answer:
    These clauses are not subjected to audit. If you check the templates that certification bodies use to report an overview of the audit, a number of observations and non-conformities per clause, you will see that clauses 1 to 3 are not included.

    The following material will provide you information about ISO 9001:2015:
    - Article - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Mandatory policies for ISO 27001


    Answer:

    Regarding the main clauses of ISO 27001, only the Information Security Policy is required (to fulfill clause 5.2). Regarding Annex A controls, you must consider these policies as mandatory if there are risks which would require their implementation (i.e., controls related to these policies are stated as applicable on the Statement of Applicability):
    - Access control policy (if clause A.9.1.1 is applicable on SoA)
    - Supplier security policy (if clause A.15.1.1 is applicable on SoA)

    The document "11.A. 16_Data_Breach_Response_and_Notification_Procedure_Integrated_EN" is in fact a procedure (its ISO 27001 equivalent is the Incident Management Procedure). It is im portant to note that in the context of ISO 27001 the division between policies and procedures is not very important.

  • Risk control and risk mitigation


    Answer:

    These are two terms with the same meaning, referring to the decision about how to treat a risk, and the most common options are:
    - Decrease the risk
    - Avoid the risk
    - Share the risk
    - Retain the risk

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding risk treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • Toolkit updates


    Answer:

    Current customers, within 12 months of purchase, together with any upgraded documents we send information about what was changed and what should be considered when updating your own documents.

  • ISO 27001 clause 6.1.2.c.1

    6.1.2 The organization shall define and apply an information risk assessment process that: c) identifies the information security risks
    1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for Information within the scope of the information security management system

    This is the only clause in the ISO 27001 which I absolutely do not understand. Could you be so kind and give me a hint or explanation in ‘ human English ‘ 😄. My problem is that, for internal auditing purposes, I want to draft some ‘ audit-questions ' with reference to this clause but as I do not understand that ‘ beyond human imagination english of the ISO-guys ‘ I don’t manage to formulate the right audit question(s) with reference to subclause 6.1.2.c.1.

    Answer:

    Translating this clause to plain English, what you should question is:
    1 - were information security risks identified?; and
    2 - are the identified information s ecurity risks related to the information your organization want to protect?

    For example:
    - if you do not find a Risk Assessment Table, or similar document, then you would have a non-compliance here, since there is no evidence that risks related to the ISMS scope were identified.
    - if you find a Risk Assessment Table with risks related to a software development process, and your ISMS scope is about your Customer Management process, then you would have a non-compliance here, since the identified risks are not related to the defined ISMS.

    By the way, included in your toolkit there is an Internal Audit Checklist where you can find questions which cover clause 6.1.2.

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • Conditions for ISO 27001 implementation


    Answer:

    First is important to note that depending on your business scenario and information security objectives, an Active directory may not be required for certification. If you want to go for certification you have to fulfill the mandatory requirements of the standard, which can be implemented through these general steps:
    - Obtain top management support
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security
    - Define, document and communicate an information security policy
    - Define roles and responsibilities relevant to operation and management of information security
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment an d risk treatment (at this point you may or may not identify the Active directory as needed for your ISMS)
    - Operate the security controls and generate the necessary records
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    These articles will provide you further explanation about implementing ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding implementing ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Page 593-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +