
  • Major and minor nonconformities


    Answer:
    Minor nonconformity - a nonconformity that does not affect the capability of the management system to achieve the intended results.

    Major nonconformity - a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.

    The following material will provide you information about audits:
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Free online training ISO 9001:2015 Internal Auditor Course - https://training.advisera.com/course/iso-9001-internal-auditor-course/
    - Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Toolkit content


    Answer:

    First of all, sorry for this confusion. In fact you do not have to perform internal audits for ISO 22301/BS 25999-2 if you want to be compliant with ISO 27001 only.

    The "Annual Internal Audit Program" template was designed to be compliant with both ISO 27001 and ISO 22301/BS 25999-2 (these standards have the same requirements regarding internal audit), so the text on the template covers all these standards, but in the comments included in the template we show which text you can exclude in case you are using the template for only one of these standards.
    This article will provide you further explanation about ISO 27001 internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding ISO 27001 internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 lead implementer and audit responsibility


    Answer: ISO does not issue certificates, only standards. Those who issue certificates to persons are accredited training providers. At the end of an ISO 27001 Lead Implementer course you can take an exam, and if approved, you will receive a certificate of Lead Implementer.

    This article will provide you further explanation about the lead implementer course:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

    This material will also help you regarding becoming a Lead Implementer:
    - ISO 27001:2013 LEAD IMPLEMENTER COURSE https://advisera.com/training/iso-27001-lead-implementer-course/

    2. Is internal audit the responsibility of the security team or of other departments?

    Answer: ISO 27001 does not prescribe who has to be responsible for the internal audit, so you can define this responsibility according to your needs, provided that you can evidence that the auditors have the proper competence and that they have no conflict of interest (i.e., an auditor must not audit their own work).

    This article will provide further information about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    This material will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Lead auditor certification


    Answer:

    Here is the Lead Auditor course from Advisera: https://advisera.com/training/iso-27001-lead-auditor-course/

    These articles will provide you further explanation about becoming lead auditor:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Controls in ISO 9001


    Response:

    Depending on the context of the organization, the company will need to define and document specific controls. Also, you need to look at the risks related to your products, processes and resources to determine the required controls. Those controls include engineering controls, procedures (e.g. a procedure for control of non-conforming product), work instructions, plans, etc. You can decide to implement them following a particular hierarchy (e.g. elimination) and you can also consider using some controls in combination.

    You can also see these materials to help you with controls in ISO 9001:2015:
    - Article - How to control outsourced processes using ISO 9001: https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - Article - How to identify risk controls in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
    - Article - What does external documents control mean in ISO 9001: https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Formulating a quality policy


    Answer:
    I like to link quality policy and strategic orientations. So, I start a conversation with top management about how to answer questions such as:

    How does your organization win its most desirable clients? What do they value the most? Are there relevant interested parties that help you win business? What do they value the most? The answers help you realize whether the business is mostly about cost, service, or innovation/creativity.

    Then, when I work with the top management to write the quality policy I follow this recipe:

    First write: Who we are and what is our business (for example, our business is not what we manufacture but the results that our customers get);

    Then write: For whom we work.
    In what kind of challenges we need to be the best.

    And include the two commitments of the standard (continual improvement and meeting customer and regulatory requirements)

    For example:
    "Company name" is an industrial company specialized in comfort footwear.
    We serve customers who need a supply of comfort footwear for professional uses.
    In order to better serve our customers, we believe that we must seek to continuously improve:
    Our ability to develop, to be able to respond quickly to requests for samples;
    A language of product that differentiates us and supports the promise of comfort;
    The ace card of being a manufacturer and being able to be faster and more flexible in production;
    The fulfillment of our commitments…"

    This way the quality policy clearly identifies for whom we work and sets the stage for the definition of quality objectives aligned with a strategic orientation.

    The following material will provide you information about the quality policy:
    - ISO 9001 – How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - Free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Audit program versus audit plan


    Answer:
    Consider the following image: https://www.screencast.com/t/6xjHjgE7P4L

    The audit program lists all the audits that an organization intends to execute within a certain time frame.
    Normally, an audit program includes the scope of each audit, the month or week when the audit should be done, the audit team composition and who is the lead auditor. The audit program is made by the audit manager or management system manager; it is better for the audit program to be approved by top management, to give authority to the internal auditors.

    For each audit included in the audit program, the lead auditor is responsible for preparing and approving an audit plan that is sent to auditees, sometime before an audit, to communicate audit date, audit objective, auditors, and audit schedule. An audit plan allows auditees and auditors to agree on date and schedule.

    The following material will provide you with more information about the audit program and audit plan:
    - ISO 14001 – Creating an ISO 14001 internal audit plan - https://advisera.com/14001academy/blog/2017/01/16/creating-an-iso-14001-internal-audit-plan/
    - ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • BYOD policy content


    Answer:

    First of all, you have to perform a risk assessment to identify which risks related to BYOD practice you have to treat, and which legal requirements (e.g. clauses of contracts, laws or regulations) you have to fulfill. After that you have to identify proper controls to be implemented. In general, to secure BYOD practices you have to consider the following controls:
    - A.6.2.1 Mobile device policy
    - A.6.2.2 Teleworking
    - A.13.2.1 Information transfer policies and procedures
    - A.13.2.3 Electronic messaging

    Normally these are implemented through a BYOD policy; you can see what one looks like at this link: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/

    This article will provide you further explanation about BYOD policy:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
  • ISO 22301 and DRI practices

    I am participating in implementing BCP for an Insurance Organisation. My Colleague who leads the team is a trained DRI and holds the DRI certification of ABCP. I am certified DRI - ABCP and ISO 22301 Lead Implementer. My preference is to use the ISO standard for the implementation. My colleague, being the Lead Consultant, had his way and the implementation is ongoing according to the DRI professional practice standard. In the course of our implementation, the Management of the Insurance Company informed us that they will go for certification on completion of the project.
    In our implementation process, there was no reference to the ISO standard, and there was no training conducted using ISO 22301. None of the staff of the organisation is ISO 22301 certified, though they have ABCP of DRI.

    I was in a serious argument with my colleague, insisting that though the organisation may request certification, they may not get certified because it is not automatic and implementation must be conducted strictly to the standard. My colleague continues to maintain that the DRI standard is superior to the ISO 22301 standard and that I should rest assured that the company will be certified. I don't want to lead the company through a blind alley and am concerned about my professional integrity. Please, given the scenario painted above, is it wise for the company to proceed for certification? The project is ongoing but nearing completion. Given the status of the project, what can we do to bring the project to the ISO standard? For a future occurrence, will it be sufficient for me to insist that the company purchase the ISO STANDARD and insist that we comply with the standard even though the project is being implemented using the DRI professional practice standard?

    Answer:

    In terms of project management, once the requirement for certification was defined by the company, the proper course of action would have been to evaluate ISO 22301 requirements against what was already implemented, and what will be implemented, and report which adjustments should be performed. This practice is still valid even if your project is nearing completion (only any potential rework will be greater). So my advice before the organization goes for the certification audit is to perform this diagnostic, and based on its results, implement the adjustments that will ensure compliance with ISO 22301.

    For future reference, you should include in your project management approach that critical modifications on project requirements (i.e., modifications that can lead to not finish the project on expected time and/or cost) must be evaluated and approved by the project sponsor or customer.
  • ISO 27001 implementation challenges


    Answer: Regardless of the industry, the first step is to obtain management support for information security initiatives, because without this you won't have the minimal resources and engagement to implement the required controls. Second, you have to establish a systematic approach for the implementation, because you have to coordinate several people to perform dozens of activities, and without a methodology you will end up in a huge mess with no security at all. Finally, at the start of your journey you have to define what you will protect and what you will not, i.e. the information security scope, so you can focus on what really matters.

    This article will provide you additional information:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    2. Once the initial Risk Assessment is done, what approach would you recommend to continue?

    Answer: Once the Risk Assessment is done, and you have your relevant risks prioritized, you have to define how the risks are to be treated. The most common alternatives are to mitigate the risk, transfer the risk, avoid the risk, or accept the risk. After the risk treatment definition you have to define which security controls you have to implement (e.g., backup to mitigate a data loss risk, outsourcing processes for which you do not have the proper expertise to run them, stopping a process or activity to avoid a risk, or simply doing nothing and accepting the impacts of the risk in case it occurs). The treatment selection will depend on your available resources, time to implement and tolerance to risk.

    These materials will provide you additional information:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    3. Which key documents do you suggest a company should publish in the initial stages of the InfoSec process? One of the challenges that I have is writing procedures/policies. It might sound ridiculous, but coming from a Technical background, I always had issues with the legalese writing and putting processes and things in writing. I often requested purchasing the template kit from Advisera, but never got around to having approval for funding. Instead I have to scrape around various models and try to make use of the many university templates around the web. But the fact that the processes are vastly different from my situation remains a challenge.

    Answer: Not considering ISO 27001, the minimal documents and records you should consider to start an information security process would be:
    - Scope of the information security
    - Information security policy and objectives
    - Risk assessment and risk treatment methodology
    - Risk treatment plan
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Acceptable use of assets
    - Access control policy
    - Incident management procedure
    - Monitoring and measurement results
    - Results of corrective actions

    With these you can ensure a PDCA cycle is established and that the minimal (really minimal) information security process is in place and will be kept relevant to the business. I didn't mention other policies and controls because this will depend on the results of the risk assessment.
    Regarding document elaboration, trying to put together a document from pieces of other documents is in fact not a good approach, for at least two reasons:
    - If you do not have the proper information security expertise, some gaps will probably be left in your documentation, compromising your security efforts.
    - Creating such documents takes time, and even if you are not paying for them directly, the working hours involved in this activity will probably cost more than buying templates with the general parts already ready for use, leaving only the details of your organization to be included. In our experience, document elaboration takes from 4 to 16h (depending upon the complexity of the document).

    These articles will provide you further explanation about developing documents:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
