Search results


  • Mandatory and non-mandatory documents


    Answer:

    In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Considering section 7.2 Competence, all requirements are mandatory (from a to d), and the single one requiring documentation is the retention of evidence of competence (item 7.2 d). Examples of evidence are certificates, university degrees, work declarations and attendance lists, which have their own formats, making it unfeasible to define a single template for them. This means you have to conduct all the activities mentioned in a to c, but you do not have to document them (this is why there is no policy in our toolkit for that purpose) - what you need to have are the records related to 7.2 d) mentioned above.

    These articles can be helpful for you:
    - Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • ISO 45001 Training



    Answer:

    The ISO 45001 standard is intended to be used by any organization that wants to improve their OHS performance. The standard is about implementing an OHS management system and goes beyond training to implementing all the processes that are necessary to identify and control hazards within the workplace, including meeting OHS legal requirements and improving the health & safety of the workers. The training element of this is to make everyone aware of the OHSMS processes and how they are involved, the hazards and consequences of not following the rules, and what has happened regarding the incident investigation. The role of this training is to make employees knowledgeable about the system and its risks and to make them more competent.

    For more about the ISO 45001 standard see this article: “What is ISO 45001?”, https://advisera.com/45001academy/what-is-iso-45001/
  • Toolkit content


    Answer:

    ISO 27001 does not require each control to be implemented, nor does it require each implemented control to be documented. Therefore, you have the following options:
    a) Exclude a control in the Statement of Applicability if there are no risks or requirements for this particular control
    b) Implement a control and write a separate policy or procedure for it
    c) Implement a control and document it through a policy or a procedure which also covers other controls
    d) Implement a control without documenting it - in this case you only describe briefly how you implemented it in the SoA

    These articles will provide you further explanation about selecting controls and SoA:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2 - For my own reference: I assumed that the ISO standard and controls (Annex A or SoA) are copyright protected? But I saw you used the numbering and especially “titles” from the ISO standard, is this allowed? I’m just wondering if I can use my own Excel file “including the official control description” as well and store it in Conformio or on our file server.

    Answer: Using numbering and titles as references to the standard is allowed, because in many requirements (like the one which defines the SoA content) you have to make reference to the standard to be compliant. What is not allowed is copying section content, as well as copying the descriptions of controls, but you can write them in other words to use in your Excel file with no problem.
  • A quality plan can help


    Answer:
    I don’t know the purpose of that sampling that you made, but if I collected samples from a supplier and gave them for testing, I would want to keep a sample with me, a kind of “sample testimony”. Later, if you are suspicious of anything, you can take that testimony and request further testing by your team or a third party.

    To prevent any future problem, I advise you to create or update your quality plan. The following material will provide you information about quality plans:
    - ISO 9001 – Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implemented controls


    Answer:

    Our experience shows us that companies typically have ca. 80 controls implemented before the start of an ISO 27001 project, and then they have ca. 20 to 30 controls to implement during the project.

    The quantity of implemented controls does not have a direct impact on the certification, because information security management is about balancing needs and expectations with the level of acceptable risk (similar organizations may have different numbers of implemented controls and both can be certified).

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding selecting controls:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Filling templates


    Answer:

    Since you already have identified the interested parties, now you have to identify the documents in which their requirements can be located (e.g. service level agreements, outsourcing contracts, laws, industry regulations, etc.), and the precise requirements that must be fulfilled (e.g., the clauses).

    For example, a customer has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case the person responsible for system ABC is responsible for ensuring the compliance of the system with this requirement. Then your document would look like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (Information provided to system ABC is restricted to the customer's personnel)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: when system ABC is made available for customer use

    This article will provide you further explanation about identifying requirements:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • ISMS manual


    Answer:

    In fact, ISO 27001 requirements do not prescribe the development of an ISMS Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make the reading of such a document very difficult. Additionally, the standard already has a requirement for a document that describes how a company will implement its information security – it is called the Statement of Applicability.

    This article will provide you further explanation about ISMS Manual:
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

    This material will also help you regarding ISMS Manual:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Access profiles

    1. User Profile A (which Profiles are expected to be captured here?)
    2. User Profile B (which Profiles are expected to be captured here?)

    Answer:

    As examples of profiles you can have an Administrator profile (Profile A) and a Common user profile (Profile B).

    For an operating system you can have the following access rights:
    - Administrator: read and write on files and alter system configurations
    - Common user: read and write on files only

    For corporate networks you can have the following access rights:
    - Administrator: remote access to internal networks and full access to the Internet
    - Common user: internal network access only

    This article will provide you further explanation about access control:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This material will also help you regarding access control:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Scope of information security


    Answer:

    An ISMS compliant with ISO 27001 means protecting the information in all the formats in which it exists, so if you have the same information in digital and hardcopy format, you have to evaluate the risks for both formats and apply security controls properly to each format.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Who can be internal auditor?


    Answer:
    An internal auditor specialized in finance and the general operation of the organization can conduct QMS internal audits and be the internal auditor as long as he or she has knowledge of ISO 9001 and ISO 19011.

    Today I spoke with a Quality Manager at a manufacturing plant who once worked at a bank; he told me that it was standard practice that auditors at the bank, after finding a nonconformity, proposed the action to close it, a practice not followed in the quality world.

    The following material will provide you information about internal audits:
    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/