There are a significant number of variables to be considered when estimating an implementation cost, but you have already figured out some important issues. Broadly speaking, I can suggest these main topics to consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employees' effort and time
- The certification process
Regarding ISMS maintenance costs, the above mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.
Interested parties, strategic orientation and ISO 9001:2015
Answer:
ISO 9001:2015 clause 4.2 has requirements about interested parties and their expectations. I like to address this topic with an overall strategic view. Your organization has customers, they are the reason for your organization’s existence. So, customers are a natural interested party. Customers are all different and can be group segmented. For example, some value above all a low price, some value the service, the customization, and some value brand or innovation. Each group has different expectations. Your organization can also work with:
* influencers, for example, bloggers that promote your organization’s products and services among potential customers;
* regulators, for example, to promote certain product or service requirements;
* customers of your organization’s customers, for example, they can be more receptive to your organization’s value proposition, and they have power over your customer;
* suppliers, for example, perhaps your organization has a particular supplier that is strategically important because they can give important support;
* employees, for example, perhaps your organization has some employee categories with well-trained people highly coveted by the competition.
* What are their expectations, why should they work with your organization? Why should they prefer to work with your organization?
It is becoming increasingly common for an organization, in order to succeed, to have to consider an ecosystem of stakeholders that extends well beyond the classic organization-client relationship.
Control A.14.2.5 Secure System Engineering Principles
Answer:
Since you have identified that control A.14.2.5 is applicable, I'd suggest you first review your risk assessment and legal requirements, because principles and policies are closely related, and maybe the Secure Development Policy would also be applicable to your ISMS.
If it is confirmed that there is no need for a Secure Development Policy, then you can use the text from section 3.3 of the Secure Development Policy template to develop a document that will fulfill your specific needs.
You only have to develop policies and implement controls in these situations:
- There are unacceptable risks that can be treated by the control/policy
- There are legal requirements (e.g., laws, contracts, or regulations) demanding the implementation of the control/policy
- Top management has decided to implement the control/policy (normally by considering it a good practice or because the organization will have a competitive advantage with its adoption)
If none of these reasons occurs, you do not need to develop the policy / implement the control.
Legal requirements are different for every country and don’t depend on standard requirements. IATF, in clause 5.1.1.1 Corporate responsibility, requires compliance with all legal requirements in all countries the company is operating in.
Also, other requirements highlight the need for compliance with legal requirements.
From country to country there are numerous ways to find legal requirements: some are the national official gazette, software that combines all laws and obligatory documents, law firms, consulting agencies, etc.
Defining compliance with legal requirements can be done, for example, in a table where in the first column you write a law, in the second the requirements that are specific to your company, and in the third column what the organization did to fulfill the requirement and comply with the law.
Section 4.1 consists of 4 (under)sections. I have a question about (under)sections 1, 3 and 4 of section 4.1. In section 1 our company defined JUST ONE general objective (reducing the number of incidents by XX %). Do sections 3 and 4 refer to section 1 or to sections 1 and 2? If I have just one general objective and sections 3 and 4 refer to section 1, then I have to write sections 3 and 4 in the singular too. If sections 3 and 4 refer to sections 1 and 2 (where the control objectives are involved too), I can leave it like it is (in the plural). What is right? To which section do sections 3 and 4 refer?
Answer:
Section 4.1 paragraph 2) speaks about objectives for controls, and paragraphs 3) and 4) refer to both top-level objective(s) mentioned in paragraph 1 and control objectives mentioned in paragraph 2.
Internal auditor certificate or qualification
Answer:
No, there is no requirement for any particular internal auditor certificate or qualification. Each organization has the authority to set the requirements for their internal auditors. Only your organization has the legitimacy to set the requirements applicable to your internal auditors. That said, it is wise to set as minimum requirements for internal auditors that they should know the standard (ISO 9001:2015) and they should know auditing practices. Your organization can ask for any evidence that they know or studied ISO 9001:2015.
The following material will provide you with information about internal audits:
Interested parties - a management decision, not a technical decision
Answer:
Look into clause 4.2 of ISO 9001:2015 and note the vocabulary “the organization shall determine”, not “the organization shall identify”. That means that determining the interested parties is not a technical problem, it is a management problem. It will depend on your organization’s strategic orientation and business model. What interested parties are relevant for your organization’s strategic orientation and business model? Consider your organization’s strategic orientation and its competitive advantages. What interested parties must be present? What is expected from each one? What does each one expect from your organization?
The following material will provide you with information about interested parties:
Can organization exclude requirement 8.3 from certification?
Answer:
The only requirement of the standard that can be excluded from certification is 8.3 Design and development of products and services (the development of the production processes must always be taken into account).
This exception needs to be well explained in documented information with proof that the organization has no process that is related to design and development.
Prior to certification, the organization must demonstrate that it can meet all requirements of IATF 16949 (readiness assessment with at least 1 day on location); this includes a full audit cycle including a QM assessment.
The whole set of ISO 27001 mandatory documents ensures that an organization plans (e.g., defining the information security policy), performs actions (e.g., performing risk assessment and the risk treatment plan, and operating security controls), controls results (e.g., through performance measurements, internal audits, and management reviews), and improves information security (e.g., by means of treating nonconformities and opportunities for improvement).