In fact you do not need 10 questions for top management regarding information security, because they do not need to have deep knowledge of information security to properly support it. These are the main questions you should consider asking them:
- Which benefits do you understand information security management brings to your company?
- How do information security objectives support business objectives?
- By which means do you support information security practices in your company?
Of course you can expand these questions to fulfill your needs (e.g., specific questions about communicating the information security policy and the realization of management review).
Included in your toolkit there is an "IT Security Policy" template, located in folder 08 Annex A ==A.8 Asset management, that defines clear rules for the use of the information system and other information assets.
SWOT, context, interested parties and risks
Answer:
So, you want to link:
* internal context;
* external context;
* interested parties and their needs and expectations;
* SWOT analysis;
* risk analysis.
I would start with your SWOT analysis and do a “retro-engineering” exercise:
Your Strengths and Weaknesses are internal issues with positive and negative connotations.
Your Opportunities and Threats are external issues with positive and negative connotations.
Not all those issues have the same weight or the same impact for your organization. Use the needs and expectations of interested parties to evaluate which issues are more relevant.
Then, pick those relevant positive issues (internal or external) and see if you can find relevant opportunities to evaluate and act upon.
Then, pick those relevant negative issues (internal or external) and see if you can find relevant risks to evaluate and act upon.
Answer:
Strictly speaking, clause 6.1.3, determination of legal requirements and other requirements, talks about having a process to determine what laws and other requirements apply to your OHSMS, how they apply, and what you need to do about them. This section does not necessarily link to the previous clauses about risks and opportunities. They are only together in clause 6.1, actions to address risks and opportunities, because the final sub-clause 6.1.4, planning action, applies to everything in the clause (hazards, risks, opportunities and legal requirements). Plans need to be made for all four of these things which have been determined.
That being said, it is possible that legal requirements could result in risks and opportunities. For instance, if you found out that a legal requirement was changing that would make a chemical that was critical to your operations impossible to use, this could be a risk or opportunity for your company. If the easy replacement chemical is more hazardous to use, this is a risk for your organization. Likewise, finding a less hazardous chemical to use would be an opportunity to improve your OH&S performance, and this opportunity may only have come around due to the change in legal requirements.
For a better understanding of all the ISO 45001:2018 requirements, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018 - https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
Scope of ISO 27001 and ISO 9001
Answer:
This article, How to define the ISMS scope - https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/, starts with this: “The main purpose of setting the ISMS (information security management system) scope is to define which information you intend to protect. Therefore, it doesn’t matter whether this information is stored within your company offices, or somewhere in the cloud; it doesn’t matter whether this information is accessed from your local network, or through remote access. The point is that you will be responsible for protecting this information no matter where, how, and by whom this information is accessed.”
So, if you only intend to protect the information around the scope of your QMS (quality management system) you could use the same scope.
Answer:
ISO 20000, unlike ISO 27001, does not have defined (explicit) security controls like Annex A in ISO 27001. However, there is an Information Security Management process in ISO 20000, and that process requires that a risk assessment be performed and that controls be determined, implemented and operated. But it doesn't define any particular controls; instead, it refers to ISO 27001 for further details.
This means that, if you have ISO 27001 in place, you can use the controls applied within the scope of that implementation.
The date of the audit report can be after the final date of the audit process, but you should not take too long to deliver the report, because there is the risk that the scenario changes and the results of the audit can no longer be used to correct or improve the audited process (in your example the time difference is one month, and normally it should not take more than 5 days).
Answer:
In ISO 9001:2015 you can find mentions of complaints in clauses 8.2.1 c); 9.1.2 (in a note) and 10.2.1. There is no reference to a mandatory procedure, but an organization with a quality management system:
* must plan how to communicate with customers when handling complaints;
* can include complaints as an input to the customer satisfaction assessment methodology; and
* should evaluate the need for corrective action after receiving a complaint.
Answer:
If you work at an organization certified several years ago, you already have experience as an internal auditor at your own organization. What I can recommend is following two parallel ways:
* Contact your professional network and offer your services to perform internal audits at other organizations. That will give you valuable experience with other management systems and with different interpretations and uses of the management system standards, and it will train your communication skills with strangers.
* Enroll in a certified and recognized Lead Auditor Course, like this one from Advisera - ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/ - and offer your services to certification bodies (your experience as an internal auditor at several organizations will be highly valued).
2. I would like to become a trainer on QMS and EMS; what will be the steps?
Answer:
I assume that you don’t want to be a full-time trainer. So, in that case, you should list and contact training or consulting organizations in your country that could be in need of an experienced practitioner. Many times trainers have no hands-on experience; you can and should use your work experience as a competitive advantage. If you feel you need to certify your knowledge about management systems standards, you can enroll in this course: ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
Answer:
Retention time will depend on several issues, since there is no prescribed time in ISO standards:
* Are there legal or regulatory issues? For example, do you need to keep evidence that you tested your product before delivery to the customer for as long as a warranty is valid?
* Are there after-sales issues? For example, do you need to keep evidence to help you service customers a long time after delivery? Customers can order parts from you or ask you about parts or specifications long after the warranty period. Does your organization intend to serve them?
* Are there contract issues? For example, does a contract with a customer require keeping certain records/evidence for a certain number of years?
* Are there internal issues? For example, does your organization have learning or improvement challenges that require a certain organizational memory? That may imply keeping certain records for a certain time.