
  • Risk management in ISO 27001 Lead Auditor Course


    Answer:

    Advisera's ISO 27001 Lead Auditor Course provides you with the basics of risk management - how to identify assets, threats, vulnerabilities, calculate the level of risk, choose controls to mitigate risks, create reports, etc. It does not cover specific threats like manpower life threats, although he does provide a couple of real-life examples using different threats and vulnerabilities.

    By the way, you can watch all the video lectures completely for free, so you can check out for yourself the level of detail: https://advisera.com/training/iso-27001-lead-auditor-course/
  • Preventive actions


    Answer 1: Although in the previous version, ISO 27001:2005, preventive actions were included explicitly, in the current ISO 27001:2013 they are not referenced, so we don’t have a template for this anymore, because basically it is not necessary.

    2.- Also I've got one question about the Risk Assessment: Is it necessary to add the serial number for each computer/laptop inside the company or can I just name the asset and the owner?

    Answer 2: From my point of view, the serial number of each computer/laptop is not relevant for the risk assessment, so you don’t need to include this information in the risk assessment, but for your asset management it can be very interesting to keep a record of the serial number of each piece of equipment, because each piece of equipment (with its serial number, which is unique) will be assigned to a specific person. So, you can include this specific information in your asset inventory.

    This article can help you with the asset inventory, “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    3.- And the last question: Is it possible to get access to more tutorial videos? It's been really helpful.

    Answer 3: As a customer, you can access all our video tutorials, but if you need more, you can see our free webinars: https://advisera.com/27001academy/webinars/

    Furthermore, you have access to all documentation tutorials, and here you can also take an online course, "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
  • Finding the root cause

    I really thank you for your reply; I got the answer for root cause analysis.
  • Data processing agreement


    Answer:

    Based on your description, both you and the company that would hire the seafarers are acting as independent controllers, except for the instance where the hiring company would provide you with the data of somebody for you to contact and interview on its behalf.

    In the independent controller scenario, although it is not strictly mandated by the GDPR, you could have a Controller to Controller GDPR Addendum (we are working on developing such a template), and for the scenario where you would be a processor, the hiring company would most likely ask you to sign a Supplier Data Processing Agreement similar to the one in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).
  • Segregation duties


    Answer: I am sorry, we don’t have a template for the segregation of duties, because this is not a mandatory document according to ISO 27001. Anyway, to implement this control, basically you need:

    1. Identification of functions that are indispensable to the organization’s activities
    2. Division of the function into separate steps
    3. Definition of one or more segregation principles to be applied to the functions

    For more information, please see this article, “Segregation of duties in your ISMS according to ISO 27001 A.6.1.2”: https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
  • Internal auditors and implementation help

    1) Is it possible for someone who doesn't have a certificate to be an auditor? Is experience enough?
    2) Can a company without an ISO certificate conduct an ISO process or help another company / business to be ISO certified? Isn't it a legal issue?

    Answer:

    It is up to the client of the audit to specify the competency requirements for being an auditor. Different clients will have different requirements. Interestingly, the last version of ISO 19011 removed competency requirements from the auditor definition.
    There is no legal issue involved. A company without an ISO certificate can help a company / business to be certified. Naturally, a certified company can argue commercially that it has first-hand experience of the process.

    The following material will provide you with information about internal audits:

    - ISO 9001 – 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal audit scope


    Answer:

    There is no universal answer. In the past, I advised some companies to do precisely that: to have a particular internal audit with EMS documentation as the scope of the audit. It can be useful, particularly during the implementation phase or after several problems with documentation control.

    The following material will provide you with information about internal audits:

    - ISO 14001 - Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - free online training – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • What part takes the most time


    Answer: From my point of view, the part that takes most time is the risk assessment & treatment, because it is also the most complex and most important part. Remember that the main objective of ISO 27001 is the protection of information, identifying risks and treating them.

    By the way, this checklist can help you to know the steps you need to implement ISO 27001, “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    This course about ISO 27001 can also be interesting for you, "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
  • Cryptographic controls

    Thank you for your response. I agree with your comments; however, I am of the opinion that before deciding on the encryption key length, whether 128, 512, etc., an assessment should be performed.
  • Is ISO 27002 mandatory?


    Answer:

    I think there are a couple of things that need to be clarified here:

    1) The controls from ISO 27001 Annex A and from ISO 27002 are the same; what is different is that ISO 27002 provides detailed guidelines on how to implement controls, and ISO 27001 does not have those guidelines.

    2) ISO 27002 is not a mandatory standard if you want to get certified against ISO 27001. Or, to be more precise, ISO 27001 does not state that the control guidelines from ISO 27002 are mandatory. Therefore, the certification auditor cannot ask you to implement a particular control in the way that is described in ISO 27002.

    3) However, you need to implement each control that you consider is applicable, so unless you have a very good idea on how to implement that control you can use ISO 27002 as a guideline.

    See also: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    These materials will also help you regarding ISO 27001 implementation:
    - Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own - https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training: ISO 27001 Foundations Course - https://advisera.com/training/iso-27001-foundations-course/