The lists of threats and vulnerabilities provided in the Risk Assessment Table template are to be used only as guidance during the assessment process, so you do not have to repeat all of them for each asset, only the ones which are relevant to each asset.
By the way, included in the toolkit you bought you have access to a video tutorial that can help you to fill in the Risk Assessment Table, using real data as examples.
Annex A control owners
Answer:
Controls are implemented in terms of policies, procedures and technologies, which many times involve the application of several controls, so it makes more sense to define owners for these elements than for each control of the standard.
In general, Top Management owns policies and procedures that are systematically applied to the organization (e.g., Information Security Policy and Information Classification Policy); policies and procedures which focus on people's behavior (e.g., Acceptable Use Policy and Disciplinary Process) are owned by the Head of HR; policies, procedures, and technologies which focus on IT-related technologies (e.g., Backup Policy) are owned by the Head of IT; policies, procedures, and technologies which focus on physical or non-IT-related technologies (e.g., physical access control) are owned by the Head of Operations or a similar role; and policies and procedures focused on legal compliance are owned by the Head of Legal (e.g., controls from section A.18.1). For small and mid-sized organizations which do not have so many roles, the person responsible for information security is the one who owns the controls.
Defining roles and responsibilities
Ideally we need you to guide us with the minimum team we need to implement the ISO 27001 standard 'in-house' and also what roles can be combined.
Answer:
ISO 27001 does not prescribe a "minimum team" for running an ISMS, so organizations are free to define the size of their teams according to their needs.
For very small organizations, just one person with the proper competencies and authority is able to run an ISMS. For organizations of up to 50 employees, you may consider one person at top management level and one person to run daily activities. For bigger organizations, you should consider including information security responsibilities in existing roles like IT manager and HR manager, and training them to perform related activities.
Answer:
If that matters or not is up to you, or your customers, to decide. Do you, or your customers, think that ISO certification can be an advantage, for example, to prevent quality problems? If that is so, you should work with ISO certified manufacturers or ask them to get it in a time-frame
2. Also, what would be the cost of such a simple business getting certified be?
Answer:
What costs will be included in your organization's certification? What options will you take? Will you be creating everything on your own by studying ISO 9001? Or will you buy and use documentation templates? Or will you hire a consultant? Then, you will have certification body costs. Organization size is very relevant to determining the number of audit days for the certification body costs.
Answer:
As long as there are no legal requirements, and as long as there are no customer requirements, for example on contracts, organizations are free to determine the retention time for their records.
Normally, in these cases, I advise keeping records for 3 or 4 years, to assure that records generated during a certification cycle will be available.
The folders are listed in the order the documents are to be implemented to make your implementation easier, so you must follow their sequence.
Regarding skipping folder 00, this happens because the Procedure for Document and Record Control is not mandatory for ISO 27001, and the Conformio platform already complies with all of the standard's requirements for document and record control.
Included in the toolkit you bought there is a List of Documents file which shows which documents are mandatory to be compliant with ISO 27001.
What is AS9101 Rev F?
Answer:
While AS9100 is the document which provides organizations in the aerospace industry with requirements for creating a Quality Management System (QMS), the AS9101 document is used by certification body auditors to guide them in auditing the QMS which has been created by the organization. This document gives information on how to structure the audits and also provides a checklist to score the different parts of the QMS as required by AS9100. The update to AS9101 Rev F is to bring this document in line with the updated structure of AS9100 Rev D.
For more information on this see the article, “How Does AS9101, AS9102 & AS9103 Relate to AS9100 Rev D?”, https://advisera.com/9100academy/blog/2017/10/23/how-does-as9101-as9102-as9103-relate-to-as9100-rev-d/
Auditor qualifications
Answer:
Persons are not ISO 14001 certifiable. So, your question can have two meanings:
1. If a person helped an organization to get its certification, can it be a qualified auditor?
2. If a person passed an exam about ISO 14001, can it be a qualified auditor?
A qualified auditor is a person with knowledge both about the management standard used as a reference, and about good auditing practices. Whatever the meaning mentioned above, 1 or 2, there is no guarantee that the person knows about good auditing practices.
Alternatively, should the Annex A controls and implementation be owned by the Head of IT/Information Security?
Answer:
You can assign owners to controls applicable to your organization, but for small and mid-size companies this role is normally assumed by the risk owner, the one who is accountable for managing a risk. For small and mid-size companies the number of treated risks normally allows the risk owners to also be control owners, but when the number of risks is too high, or controls are used to treat multiple risks, assigning control owners may be a better approach, since the control owner will have a comprehensive view of how controls are used against multiple risks, while the risk owners can focus on keeping the risks at acceptable levels.
Considering your alternative, since information security controls can cover much more than IT-related controls, the best approach would be for the controls to be owned by the Head of Information Security. Again, if the number of controls is too high, then you can split responsibilities considering people's competencies.
The management's understanding is correct. Having a single plan to cover multiple types of incidents or assets would be a big and impractical document, so the best approach would be to have multiple small documents covering specific assets or incidents.