Search results

  • Toolkit content


    Answer:

    ISO 27001 does not require each control to be implemented, nor does it require each implemented control to be documented. Therefore, you have the following options:
    a) Exclude a control in the Statement of Applicability if there are no risks or requirements for this particular control
    b) Implement a control and write a separate policy or procedure for it
    c) Implement a control and document it through a policy or a procedure which also covers other controls
    d) Implement a control without documenting it - in this case you only describe briefly how you implemented it in the SoA

    These articles will provide you further explanation about selecting controls and SoA:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2 - For my own reference: I assumed that the ISO standard and controls (Annex A or SOA) are copyright protected? But I saw you used the numbering and especially “titles” from the ISO standard, is this allowed? I’m just wondering if I can use my own Excel “including the official control description” as well and store it in Conformio or on our file server.

    Answer: Using numbering and titles as references to the standard is allowed, because in many requirements (like the one which defines the SoA content) you have to make reference to the standard to be compliant. What is not allowed is copying the content of sections or the descriptions of controls, but you can write them in your own words to use in your Excel file with no problem.
  • A quality plan can help


    Answer:
    I don’t know the purpose of that sampling that you made, but if I collected samples from a supplier and gave them for testing, I would want to keep a sample with me, a kind of “sample testimony”. Later, if you are suspicious of anything, you can take that testimony and request further testing by your team or a third party.

    To prevent any future problem, I advise you to create or update your quality plan. The following material will provide you information about quality plans:
    - ISO 9001 – Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implemented controls


    Answer:

    Our experience shows us that companies typically have ca. 80 controls implemented before the start of an ISO 27001 project, and then they have ca. 20 to 30 controls to implement during the project.

    The quantity of implemented controls does not have a direct impact on the certification, because information security management is about balancing needs and expectations with the level of acceptable risk (similar organizations may have different numbers of implemented controls and both can be certified).

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding selecting controls:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Filling templates


    Answer:

    Since you already have identified the interested parties, now you have to identify the documents in which their requirements can be located (e.g. service level agreements, outsourcing contracts, laws, industry regulations, etc.), and the precise requirements that must be fulfilled (e.g., the clauses).

    For example, a customer has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case the person responsible for system ABC is responsible for ensuring compliance of the system with this requirement. Then your document would be like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (Information provided to system ABC is restricted to customer's personnel)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: when system ABC is made available for customer use

    This article will provide you further explanation about identifying requirements:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • ISMS manual


    Answer:

    In fact, ISO 27001 requirements do not prescribe the development of an ISMS Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make reading such a document very difficult. Additionally, the standard already has a requirement for a document that describes how a company will implement its information security – it is called the Statement of Applicability.

    This article will provide you further explanation about ISMS Manual:
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

    This material will also help you regarding ISMS Manual:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Access profiles

    1. User Profile A (which Profiles are expected to be captured here?)
    2. User Profile B (which Profiles are expected to be captured here?)

    Answer:

    As an example of profiles, you can have an Administrator profile (Profile A) and a Common user profile (Profile B).

    For an operational system you can have the following access rights:
    - Administrator: read and write on files and alter system configurations
    - Common user: read and write on files only

    For corporate networks you can have the following access rights:
    - Administrator: remote access to internal networks and full access to Intern
    - Common user: internal network access only

    This article will provide you further explanation about access control:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This material will also help you regarding access control:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Scope of information security


    Answer:

    An ISMS compliant with ISO 27001 means protecting the information in all formats in which it exists, so if you have the same information in digital and hardcopy formats, you have to evaluate risks for both formats and apply security controls properly to each format.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Who can be internal auditor?


    Answer:
    An internal auditor specialized in finance and general operation of the organization can conduct QMS internal audits and be the internal auditor as long as he or she has knowledge of ISO 9001 and ISO 19011.

    Today I spoke with a Quality Manager at a manufacturing plant who once worked at a bank; he told me that it was standard practice that auditors at the bank, after finding a nonconformity, proposed the action to close it, a practice not followed in the quality world.

    The following material will provide you information about internal audits:
    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Extending the scope


    Answer:
    Yes, you can change your QMS scope in your next surveillance audit. That change is called a "scope extension". You must inform your certification body in advance, because that extension may require them to find a different auditor with different experience, or may increase audit time.

    Naturally, I assume that the QMS will be fully implemented in the extended scope.

    The following material will provide you information about scope:
    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Personnel certifications


    Answer:

    IATF 16949 is a management system standard for organizations. An organization can be certified based on its requirements.
    Individual certification can be done for auditors, so you can become an internal or external auditor for IATF 16949. As an internal auditor you can perform internal audits in your company, and as an external auditor you can work for a certification body.
    Certification for auditors is done based on some recognized certification scheme for personnel, and there are many organizations that offer these services.
    Also, there are some organizations where you can gain a certificate for Lead Implementer, Core Tools for IATF 16949 and similar.

    If you are interested in personnel certifications we would recommend this webinar: https://advisera.com/9001academy/webinar/personnel-certification-vs-course-certifications-what-are-the-differences-free-webinar-on-demand/

    On our Advisera eTraining website you can gain personal certification for ISO 9001 that is basic for IATF 16949:
    https://advisera.com/training/