
  • IATF Internal audit competency


    Answer:
    Internal audit can be done with an internal audit certificate; that certificate is proof of competence for a person to conduct an internal audit.

    2. Where could I find info on this matter?

    Answer:
    Internal audit against the requirements of IATF 16949 must be performed by a competent person as defined in chapter 7, 7.2.3 Internal auditor competency. Based on it, the organization shall retain documented information to demonstrate the trainer's competency with these requirements.
    Maintenance and improvement must be verified by:
    • Minimum number of audits per year – as defined by the organization
    • Maintaining knowledge of the relevant requirements (technology, standards, methods, customer-specific requirements)
    So, if an internal auditor has left the company and wants to do the internal audit as an external party, he can do it if he can prove that he has performed the minimum number of audits and maintained knowledge of the relevant requirements (especially customer-specific requirements).

    Please look at our article on this topic: Requirements for the competence of IATF 16949 internal auditors: https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/

    In
  • Questions to top management

    Or the types of questions to direct to CISO, CIO, or CTO to identify the types of technologies they have implemented to mitigate future cyberattacks.

    Answer:

    First, it is important to understand that, in general, the C-level will not think directly about risk (nor do they have to), so you have to ask questions about their concerns regarding the business objectives (which they are, which are the most important, and why) and how information can help achieve these objectives, or prevent them from being achieved. From these answers you will be able to identify their risk posture, the most relevant risks, and what you can do to treat them.

    Another important issue is that, in general, these questions are asked by the person responsible for information security (i.e., the CISO or a similar role).

    These articles will provide you with further explanation about requirements identification:
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
    - Management’s view of information security https://advisera.com/27001academy/blog/2011/05/16/managements-view-of-information-security/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • Information security cloud policy


    Answer:

    To elaborate an information security policy which also considers cloud security, I suggest you take a look at the free demo of these two templates:
    - Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
    - Cloud Security Policy https://advisera.com/27001academy/documentation/cloud-security-policy/

    They can guide you on how to define the purpose, direction, principles and basic rules for information security management, and how to manage the security of the cloud environment infrastructure.

    This article will provide you with further explanation about the information security policy:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
  • Internal audit and certification


    Answer:

    You need to perform an internal audit and corrective actions for identified nonconformities before applying for certification, so you can provide evidence of audit results required by the standard (e.g., audit report, nonconformity action plans, etc.). Additionally, the results of the internal audit are required for the management review, another mandatory requirement for certification.

    These articles will provide you with further explanation about what to expect from the certification audit:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Objective and consequence

    P – Profit
    Q – Quantity
    P – Productivity
    D – Development
    Q – Quality
    C – Cost
    D – Delivery
    M – Morale (including safety, training, attrition, rewards/awards/appreciation)
    The very first parameter is not easy to calculate. Please suggest.

    Answer:
    These things are not calculated sequentially but iteratively. I arrange your items according to the figure below in a sort of cause-effect relationship map.

    Be aware of which items are critical to winning your target customers. Customers are not all alike, some value innovation and development, others value service and flexibility, and others value price above all. Operational perspective topics should be a function of your target-customers and not a general list. https://www.screencast.com/t/3h389ewT6

    Personally, I look into profit as a consequence of all other things. Your organization invests in resources and infrastructures, in order to be excellent at the operational perspective, to have results at the customer perspective translated into financial results. Your organization may need a certain level of profit to be sustainable or attractive to investors, you can start with a figure and see what level of sales, costs, and prices you need and evaluate if it is reasonable and attainable. Perhaps your organization concludes that it has to change its strategy in order to meet a certain level of profit.

    The following material will provide you with information about quality objectives:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Evidences for competence


    Answer:

    According to ISO 27001, clause 7.2 (Competence), competences are based on appropriate education, training, or experience, which can be evidenced by means of certificates (e.g., ISO 27001 Lead Auditor or ISO 27001 Internal Auditor), registered hours of work on specific activities (in this case, audits on ISO 27001 or other ISO management systems), and records of attended training.

    These articles will provide you with further explanation about evidencing competencies:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

    These materials will also help you with internal audit issues:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Incident response plan


    Answer:

    I'm assuming you are referring to the Incident Response Plan mentioned in section 3.4 of the Incident Management Procedure template. Considering that, first it is important to note that an Incident Response Plan is needed only if you have an incident where activities are disrupted for a time beyond what is considered acceptable by the business. If you have no situations like that, you do not have to develop an Incident Response Plan.

    In case an Incident Response Plan is needed, it must include actions to:
    - contain or stop the incident, in case it is still occurring
    - minimize the impacts of the incident
    - recover minimal service levels
    - recover normal operational conditions

    And of course, for each activity you have to define who will perform it.
  • Filling in the risk assessment table


    Answer:

    The lists of threats and vulnerabilities provided in the Risk Assessment Table template are to be used only as guidance during the assessment process, so you do not have to repeat all of them for each asset, only the ones which are relevant to each asset.

    By the way, included in the toolkit you bought you have access to a video tutorial that can help you to fill in the Risk Assessment Table, using real data as examples.
  • Annex A control owners


    Answer:

    Controls are implemented in terms of policies, procedures and technologies, which many times involve the application of several controls, so it makes more sense to define owners for these elements than for each control of the standard.

    In general:
    - Top Management owns policies and procedures that are systematically applied to the organization (e.g., Information Security Policy and Information Classification Policy)
    - policies and procedures which focus on people's behavior (e.g., Acceptable Use Policy and Disciplinary Process) are owned by the Head of HR
    - policies, procedures, and technologies which focus on IT-related technologies (e.g., Backup Policy) are owned by the Head of IT
    - policies, procedures, and technologies which focus on physical or non-IT-related technologies (e.g., physical access control) are owned by the Head of Operations or a similar role
    - policies and procedures focused on legal compliance (e.g., controls from section A.18.1) are owned by the Head of Legal
    For small and mid-sized organizations which do not have so many roles, the person responsible for information security is the one who owns the controls.
  • Defining roles and responsibilities

    Ideally we need you to guide us with the minimum team we need to implement the ISO 27001 standard 'in-house' and also what roles can be combined.

    Answer:

    ISO 27001 does not prescribe a "minimum team" for running an ISMS, so organizations are free to define the size of their teams according to their needs.

    For very small organizations, just one person with the proper competencies and authority is able to run an ISMS. For organizations of up to 50 employees, you may consider one person at top management level and one person to run daily activities. For bigger organizations, you should consider including information security responsibilities in existing roles like IT manager and HR manager, and training them to perform the related activities.

    These articles will provide you with further explanation about roles and responsibilities:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
