
  • ISMS scope


    Answer: Section 3.4 of the ISMS scope document requires an organization to document a general overview of which network and IT assets (e.g., firewalls, switches, communication links, etc.) are included in the scope, but you also have to understand how these assets relate to elements external to the scope (e.g., Internet, customer's network, communication providers, etc.), so you can have a precise understanding of your security context and environment.

    Here is an example:
    "The network and IT infrastructure included in the ISMS scope comprises two local networks (user and system LANs) and a wi-fi network (for consultants), interconnected by two independent switches, and a backbone which connects all networks to the Internet."

    These articles will provide you further explanation about ISMS scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2 I also want to know if you have a gap assessment document for ISO 22301?

    Answer: For an ISO 22301 gap assessment I suggest you take a look at the free demo of our ISO 22301 Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    This document provides a list of questions to help identify compliance with ISO 22301. For each clause or control from the standard, the checklist provides one or more questions which allow you to visualize which specific elements of the business continuity management system you've already implemented, and what you still need to do.
  • Availability of the policies and procedures of the ISMS


    Answer:

    The GDPR does not require you to have specific persons signing policies and procedures, this is usually an internal requirement of the companies. The only thing you may need to prove is the fact that the policies and procedures are available to the concerned employees and that there is a method in place to check if they are effective.
  • ISO 27001 courses


    Answer:

    I suggest you take a look at these ISO 27001 courses:
    - ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

    All exams are accredited by Exemplar Global and recognized worldwide. You can enroll in each one for free (you only have to pay for the certification exam / workshop).
  • What other regions are planning to apply GDPR?


    Answer:

    Not so sure about the US, because privacy-related concepts are a little different there, but Canada and other countries, especially the ones that received adequacy decisions in the past, will definitely be amending their local privacy laws to be as close as possible to the GDPR.
  • Roles in a QMS


    Answer:
    When implementing a QMS you use the process approach. The QMS is nothing more than a set of processes. In each process you identify a flow of activities. Each activity has the participation of one or more functions (roles). What I recommend you do is to list all the activities done by each function in each process.

    This way you will develop a sound characterization of what is expected from each function (role).

    The following material will provide you information about roles in a QMS:

    - How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
    - What is the job of the Quality Manager according to ISO 9001? - https://advisera.com/9001academy/blog/2016/08/23/what-is-the-job-of-the-quality-manager-according-to-iso9001/
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Quality objectives for a construction company


    Answer:
    You shouldn’t develop quality objectives without prior definition of the quality policy, and quality policy should be aligned with the strategic orientation of the company.

    Consider a construction company that wants to be known for its ability to comply with project dates. So, a quality objective could be:

    Next fiscal year, our rate of projects delivered beyond target delivery date should be below 3%. Responsible: Production Manager

    The following material will provide you information about developing quality objectives:

    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What has changed with quality objectives in ISO 9001:2015? - https://advisera.com/9001academy/blog/2018/05/08/what-has-changed-with-quality-objectives-in-iso-90012015/
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 14001 and an environmental management strategy


    Answer:
    ISO 14001 does not tell us how to develop an environmental management strategy. ISO 14001 only tells us about the requirements to consider when developing an environmental management system aligned with a particular environmental management strategy.

    To develop an environmental management strategy, I ask organizations why they want to develop an environmental management system. For example, for industrial companies I ask them: how can an environmental management system help your organization’s business strategy? They can tell me that they win clients due to their low prices, but clients also want them to be ISO 14001 certified. In that case, I recommend developing the environmental management system with a particular focus on efficiency, on recycling and/or re-use.

    The following material will provide you information about implementing ISO 14001:

    - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/knowledgebase/6-key-benefits-of-iso-14001/
    - Download free ISO 14001 materials - https://advisera.com/14001academy/free-downloads/
    - free online training ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Risk assessment


    Answer:

    In the Risk assessment spreadsheet, a risk is described in terms of the asset, threat and vulnerability related to it, using columns A, D and E of the spreadsheet. For example, for the risk "theft of unattended laptop" the description would be:

    Column A (asset name): laptop
    Column B (threat): thief
    Column C (vulnerability): unattended asset

    By the way, included in the toolkit you bought, you have access to video tutorials that will help you fill in the risk assessment table.
  • BCMS implementation

    Good day, thank you so so much for the guidance.

    It is really appreciated :-)

    Best regards,
    Rene Pieterse
  • Change management


    Answer:

    To manage changes in an effective way, the first thing you have to do is define a change management policy, to explain to all interested parties how changes to information systems are controlled. In this policy you will define what is to be considered a change (e.g., the addition, modification or removal of any authorized, planned, or supported component that could have an effect on IT services).

    Depending on the complexity of the environment and the competence level of the team, you may also consider developing change procedures to detail specific activities to be performed (e.g., a procedure to change firewall rules, or to update a database management system).

    To see what a change management policy looks like, I suggest you take a look at the free demo of our Change Management Policy at this link: https://advisera.com/27001academy/documentation/change-management-policy/

    This article will provide you further explanation about change management:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/