The first step is for you to decide which path you want to follow among these general fields: security management, security assurance (i.e., security audit), or technical security, and this last one has many sub-fields (e.g., software development, security operations, etc.). Once you have decided on this path, there are many certifications available for each field (e.g., CISM for security management, CISA for security assurance, and CISSP for overall technical security).
Considering specifically an ISO 27001 career, you can follow:
- ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
- ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provide more confidence to an organization for being certified).
May I ask which countries accept ISO 13485 and ISO 9001?
Answer:
ISO 13485 is accepted worldwide as a benchmark for Quality Management System evaluation for medical equipment. Specifically, countries in Asia and the US are also adopting the ISO 13485 standard as part of their regulatory requirements.
Controlling documents after implementation
Answer:
My interpretation of your question is: How can someone ensure that after implementation documents are not changed by users without authority to change them?
I see several approaches being used by organizations:
* Only digital versions are considered as valid. People access documentation through smartphones, tablets, terminals or computers, and documentation is protected from changes. And when someone prints a document a watermark appears saying that the organization does not control printed copies;
* Any printed version is only valid if signed by the authorized issuer;
* Frequent internal audits ensure that document control is learned and practiced.
Answer:
As you have indicated, different types of documented information require different retention times, and these will come from different places. Unfortunately, these places are not the same for every industry in every country in the world. For instance, in Canada we need to keep financial records for 7 years, but this will be different in other countries, and different laws will apply to this.
However, in general the record retention times for production records will come from customer requirements, even if there is a legal requirement associated with them. For instance, for aircraft records in North America there is a legal requirement to keep records for the life of the aircraft, but this should be flowed down to suppliers through contracts stating how long records are to be kept, and what to do at the end of this time (such as forwarding the records to the customer). For non-aircraft aerospace suppliers, the customer requirements are also the place where customers indicate how long they need you to keep production records. If there is nothing there, then you need to determine a reasonable time-frame yourself.
For more on the requirements around document and record control, see this article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/
ISO 9001:2015 and employee performance appraisals
love it
Is ISO 13485 required if we manufacture non-medical parts?
Answer:
ISO 13485 applies to all companies dealing with medical devices. Since in your case you have clarified that the plastic part is not part of the medical device, ISO 13485 will not be applicable to you. However, you will still need to maintain the specifications and technical details about the part that you are manufacturing for the medical device manufacturer. Since you are currently certified to ISO 9001, it will be quite easy for you to adapt to ISO 13485, which will give you more of an advantage with your medical device clients in the future.
1. Regarding Inventory of assets: Which assets must be documented? In the tab "Type of Asset" I see a very long list and I think it's not achievable to document all the risks for all these assets, hence the question.
Answer: First it is important to note that you do not need to use all assets listed on the "Type of Asset" tab, they are only suggestions to help you identify which risks are relevant to your organization (the risks that quickly come to your mind). Considering the asset-threat-vulnerability approach for risk assessment this is quite straightforward (from that list you pick the most common and important assets you have, and from them you identify related threats and vulnerabilities).
2. Let us say a control is neither relevant for our company nor mandatory for ISO 27001; would I be allowed to write as justification for non-selection that it isn't mandatory for us / ISO 27001?
Answer: A more robust justification for excluding a control would be "There are no unacceptable risks, or legal requirements that demand the implementation of this control", because this one makes explicit the main reasons not to implement a control.
3. Regarding the video tutorial 'How to Write Statement of Applicability' at minute +- 13:45: You're speaking about two mandatory documents, are these by default in the Statement of Applicability template? If that's not the case, in which document can I find these?
Answer: I'm understanding that you are referring to the approval of residual risks and the approval for the ISMS implementation. As explained in the tutorial, the approval of residual risks is included in the SoA. The record of the approval for the ISMS implementation is done through the Risk Assessment and Treatment Report, located in folder 05 Risk Assessment and Risk Treatment Methodology in your toolkit.
4. In case you're a Web hosting company, the Secure Development Policy isn't mandatory, right? If that is the case, is there anything specific that must be written, or is something similar to this alright: "This Policy is mandatory for ISO 27001, however this is not applicable in our business due to not developing software" ?
Answer: First it is important to note that in the Statement of Applicability the justification refers to controls, not documents. Documents are listed under the implementation method, if a control is applicable.
Controls from ISO 27001 Annex A are mandatory only if:
- There are risks identified as unacceptable in the risk assessment that require the implementation of such controls
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of such controls
- There is a top management decision requiring the implementation of such controls
If none of these options occur, there is no need to implement such controls, or documents which cover them. In your case you can use the same justification from answer 1 ("There are no unacceptable risks, or legal requirements that demand the implementation of this control").
5. Where could I document all the non-employees of the company in the ISMS Scope Document (apparently they have to sign the 'Statement of Acceptance of ISMS Documents'), do I just document them at 5.2 Organizational units?
Answer: The need for them to sign the 'Statement of Acceptance of ISMS Documents' does not mean they have to be part of the ISMS scope, only that they have to be aware of this document.
Non-employees which are related to processes, services, organizational units, locations, or IT infrastructure inside the scope are normally handled through clauses on contracts and service agreements.
Approaching a case - legal, policy and environmental assessment
QUESTIONS
“1. Give the specific legal and policy provisions as per ISO 14000 environmental management framework for this project?”
Answer:
If the proposed location of the construction of the plant is a forest reserve area, then the specific legal provisions have to be directly negotiated with government and/or local authorities because that kind of organization is not easily compatible with a forest reserve area. Due to the planned location, policy should set guidelines around: “scenic areas, water sources, and ecologically sensitive areas within the radius of the project area”
“2. Give a detailed account on how you will carry out an environmental impact assessment?”
Answer:
I cannot give a detailed account in this space. However, I invite you to check these links: