First of all, we want to apologize for this confusion.
Acceptable Use Policy is an old name for the IT Security Policy; they are exactly the same document. This difference is a mistake on our website and we will correct it immediately.
If your organization is more comfortable using one name over the other, there is no problem changing the document name; you only have to take care to propagate this change to all documents that currently refer to this document.
Auditing subcontractors?
Answer:
ISO 9001:2015 does not mandate audits on subcontractors. It is up to each organization to decide what kind of control is needed. Be sure to evaluate your subcontractors periodically based on the results of your checks and other information considered relevant by your organization.
The following material will provide you with information about evaluating suppliers:
> Just to mention, the team is not part of the scope (as a reply to the answer).
Answer: In this case the auditor has no previous authorization to audit this provider. He must justify his intention, and the organization can decide whether or not to authorize the audit at its own discretion, but his most probable action is to check how you are managing the relationship with this service provider, i.e., how you can assure that this service provider is fulfilling your security requirements.
Answer:
As with any management system standard, the requirement to implement AS9100 Rev D comes down to your customer requirements. If your customer does not require that you implement AS9100, even if you are an aerospace company, then the choice of whether to implement this standard is up to you. I do not know of a percentage of businesses that this would apply to, as you have suggested, but in reality everything comes down to the requirements of the customer and, barring that, the desire of the company to use this standard to their benefit.
For more information on the benefits of AS9100 Rev D, see this article: 7 Key benefits of AS9100 implementation, https://advisera.com/9100academy/knowledgebase/7-key-benefits-of-as9100-implementation/
Regarding specific roles and responsibilities for information security, they are defined through all documents used in the ISMS implementation.
Regarding the Risk Treatment Plan, the responsibilities are defined in the column "Responsible person". From the information you provided, it seems you are referring to the Risk Treatment Table, which is a different document.
First of all, you have to perform a risk assessment to identify which risks related to BYOD practice you have to treat, and which legal requirements (e.g. clauses of contracts, laws or regulations) you have to fulfill. After that you have to identify proper controls to be implemented. In general, to secure BYOD practices you have to consider the following controls:
- A.6.2.1 Mobile device policy
- A.6.2.2 Teleworking
- A.13.2.1 Information transfer policies and procedures
- A.13.2.3 Electronic messaging
The definition of general roles and responsibilities for information security is made on the Information Security Policy template, which you can find at folder 04 Information Security Policy of your ISO 27001 Documentation Toolkit.
Regarding specific roles and responsibilities for information security, they are defined through all documents in the toolkit. If you look closely, every time an activity is defined, the definition of a “Job Title” or person to perform that activity is also required.
You can, but you may find yourself in a potential conflict of interest: as a CISO you are in charge of keeping data assets safe, and while doing that you will need to take some measures that may be intrusive. On the other hand, as a DPO you will need to ensure that those measures are not infringing the rights and freedoms of the data subjects.
Actions arising from risk identification
Answer:
There is no specific name for those actions; they are usually called actions to address risks and opportunities.
Among the actions taken, the organization can choose between several options:
- Avoid risks
- Accept risks
- Eliminate the source of the risk, for example by changing processes, raw materials, etc.
- Change the likelihood that the risk occurs or its consequences
- Share the risk, for example with suppliers
- Retain the risk by accepting it, since eliminating or mitigating it would not be worthwhile for the organization.
An organization must decide how to develop processes to make sure that operational control of its environmental aspects is achieved. Among these controls could be included:
- building processes to get consistent outcomes
- analysing the life cycle of a product when putting controls in place
- using technology to ensure results
- ensuring employees are properly trained
- performing processes in a certain way
- monitoring and measuring of results
It is crucial that the organization also considers which parts of your operational control process are required to be recorded as documented information. Controls can include engineering procedures and procedures.