
  • Toolkit updates


    Answer:

    To current customers, within 12 months of purchase, together with any upgraded documents we send information about what was changed and what should be considered when updating your own documents.
  • ISO 27001 clause 6.1.2.c.1

    6.1.2 The organization shall define and apply an information risk assessment process that: c) identifies the information security risks
    1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for Information within the scope of the information security management system

    This is the only clause in ISO 27001 which I absolutely do not understand. Could you be so kind and give me a hint or explanation in ‘human English’ 😄. My problem is that, for internal auditing purposes, I want to draft some ‘audit questions’ with reference to this clause, but as I do not understand that ‘beyond human imagination English of the ISO guys’, I don’t manage to formulate the right audit question(s) with reference to subclause 6.1.2.c.1.

    Answer:

    Translating this clause into plain English, what you should question is:
    1 - were information security risks identified?; and
    2 - are the identified information security risks related to the information your organization wants to protect?

    For example:
    - if you do not find a Risk Assessment Table, or similar document, then you would have a non-compliance here, since there is no evidence that risks related to the ISMS scope were identified.
    - if you find a Risk Assessment Table with risks related to a software development process, and your ISMS scope is about your Customer Management process, then you would have a non-compliance here, since the identified risks are not related to the defined ISMS.

    By the way, included in your toolkit there is an Internal Audit Checklist where you can find questions which cover clause 6.1.2.

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Conditions for ISO 27001 implementation


    Answer:

    First, it is important to note that depending on your business scenario and information security objectives, an Active Directory may not be required for certification. If you want to go for certification you have to fulfill the mandatory requirements of the standard, which can be implemented through these general steps:
    - Obtain top management support
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security
    - Define, document and communicate an information security policy
    - Define roles and responsibilities relevant to operation and management of information security
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment (at this point you may or may not identify the Active Directory as needed for your ISMS)
    - Operate the security controls and generate the necessary records
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    These articles will provide you further explanation about implementing ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding implementing ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Changing AS9100 Scope for new products

    We're manufacturing another product which is not covered under this certification. We're in the pipeline of implementing the requirements of the AS standard for this product. Can the new product be brought within the already available certification, or else do we have to start afresh?

    Answer:
    You certainly do not need to start over. What you need to do is to discuss with your certification body the fact that you need to change the scope of your QMS to include this new product. They will discuss with you how to change your scope and what auditing they will need to do to update your scope on your certificate. Before they can perform any required auditing for this product you will need to apply the rules for the AS 9100 QMS to this product, but make sure that you do not claim that this product is part of your scope until you have changed your scope within your QMS and with your certification body, so that they can issue your new certification with the changed scope on it.

    These changes may also affect your quality policy with the change in scope. For more on the quality policy for AS9100 Rev D, see this article: How to write the AS9100D Quality Policy, https://advisera.com/9100academy/blog/2018/07/09/how-to-write-the-as9100d-quality-policy/
  • Methodology for addressing risks


    Answer:

    My recommendation is to carry out the analysis for identifying risks and opportunities in the simplest way possible. For example, by organizing a meeting with the most relevant positions within the company and holding a brainstorming session to complete a SWOT matrix (strengths, weaknesses, opportunities and threats). It is advisable to focus on the most significant processes of the organization, that is, those that have a clear impact on customer satisfaction.

    Once the risks have been identified, you must determine the actions that will be taken to address those risks. You can detail this in a document. Later, evaluate the effectiveness of the actions taken during the management review.

    For more information on how to address risks and opportunities, you can see the following materials:

    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Webinar - How to implement risk management in ISO 9001:2015: https://advisera.com/9001academy/es/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Event Management


    Answer:
    While implementing Event Management you have to be aware of the following:
    1. Event Management process efficiency depends on the tools you have. Some devices have monitoring tools built in, and for some, you'll need to implement additional tool(s).
    2. The Event Management process does not involve many people (unless you are a huge organization). But you need to clearly define the role(s) (most probably one person responsible for the process) and related responsibilities. Maybe in large organizations you'll have several people, but mainly you need to make an interface to the Incident Management process, and most of the activities will take place in the scope of that process.

    Here are the articles that can help:
    -ITIL Event Management – Entry point of Service Operation https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
    -Events – a flood or mountain creek https://advisera.com/20000academy/blog/2013/07/02/events-flood-mountain-creek/
  • ISO 9001 and the retail business


    Answer:
    Yes, ISO 9001 is applicable to all kinds of organizations: private, public, governmental, profitable or non-profitable.

    2. “I read How ISO 9001:2015 can improve your supply chain performance in the retail sector - https://advisera.com/9001academy/blog/2016/03/08/how-iso-90012015-can-improve-your-supply-chain-performance-in-the-retail-sector/, can it go beyond supply chain?”

    Answer:
    Yes. Consider a retail business. Consider how the process approach can help a sector with so much turnover, with a lack of internal standards, with lack of lead indicators, with a lack of trained professionals in contact with customers. For the retail business implementing an ISO 9001 QMS is more important or useful than certification.

    The following material will provide you information about improvement:
    - ISO 9001 – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Benefits of ISO 9001 implementation for small businesses - https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Where to start


    Answer:
    When you start reading about the topic quality, in general, you will most likely find the PDCA cycle, something that stands for https://www.screencast.com/t/z2D8iAvLumfq

    According to this cycle, we start by planning our objective and then work towards attaining it.

    After years of using this approach, I found a better one, less known, developed by a Japanese, something like this: https://www.screencast.com/t/JJQxfx7S6

    We start in the Control Cycle. We have a standard (written or not), we work according to the standard, we check the results and we act, we decide what to do. If performance is OK we continue within the Control Cycle. If performance is not OK, or if we want to improve current performance, our decision is to leave the Control Cycle and join the Improvement Cycle. We start with the problem, or challenge at hand, we plan a way to solve it or meet the target, we try an experiment (DO), we check the results; if the results are not OK our action, our decision, is to plan another experiment. If the results are OK, our action is to set the experimental conditions as our new standard and we are back to the Control Cycle.

    So, I would recommend to first define clearly your problem, why it is a problem, and what will be the success criteria for that problem.

    The following material will provide you information about improvement:
    - ISO 9001 – How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Normative reference


    Answer:
    According to ISO Technical Committee 207, a normative reference is a reference to another document that is indispensable for the application of the standard. If a document is normatively referenced, an organization must conform to it in order to conform with the standard. In the case of ISO 14001:2015 it is a standalone document that can be applied without reference to any other documents.

    The following material will provide you information about the assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - Free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Templates content


    Answer: ISO 27001 clause 9.1 Monitoring, measurement, analysis and evaluation requires documented information as evidence of the monitoring and measurement results, and one way to ensure that is by using the Measurement Report. Of course, if your organization already has other records you can use to fulfill this clause, this report is not needed.

    For further information, please read:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    2. Unauthorized use of printers, photocopiers, scanners and other shared equipment for copying Dell S2825CDN in the office at the headquarters is prevented by [specify how – e.g. by locking the facility, use of PIN numbers, access cards, etc.]. All the employees are authorized to use the printer/photocopier/scanner. Is it okay to write it like that?

    Answer: First it is important to note that any ISO 27001 control must be implemented only if you have unacceptable risks, legal requirements, or top management decisions demanding a control to be implemented.

    Considering that, if at least one of the previous circumstances applies to employees, you have to evaluate if this implementation will decrease risks to acceptable levels, or fulfill legal requirements. On the other hand, if you do not have any of the previous circumstances, you do not need to implement access control.

    Second, unauthorized use refers not only to employees, but to all people that can have access to the equipment (e.g., visitors, contractors, etc.). So, you also have to consider these personnel regarding risks, legal requirements, and top management decisions, to define if any control is needed regarding them.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    3. The IT Security Policy and Security Procedures for IT Department document have a section at the end which is called "Managing records kept on the basis of this document". I could not find any templates for these records, but I do have an idea what I could write at some of these documents but it wouldn't be that much, ex. I hereby state that ______________ may take organizational assets off-site. The employee is fully responsible to take the necessary care while the assets are off-site. (at the bottom of the document a place where employer and employee both could sign). However for records such as "Security features and level of expected service for network services" I wouldn't know what to write. Do you possibly have examples for the records or something else so I can get a better picture of what I exactly have to write?

    Answer: A good example for "Security features and level of expected service for network services" would be a Specification of Information System Requirements, and you can find this template in folder 08 Annex A Security Controls > A.14 System Acquisition Development and Maintenance

    For other records, in many cases organizations already have versions of them in their own operation, in paper form (corrective action record) or in information systems (e.g., the logs of your backup system); that's why we do not provide them (it would be infeasible to create a template to cover all possible possibilities). In these cases we recommend customers to evaluate if their current records already comply with the information required by policies and procedures. If yes, you can use them. If not, you can make a list of needed records and schedule a meeting with one of our experts, so he can guide you on how to develop such records.

    You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/