I think there are a couple of things that need to be clarified here:
1) The controls from ISO 27001 Annex A and from ISO 27002 are the same; what is different is that ISO 27002 provides detailed guidelines on how to implement controls, and ISO 27001 does not have those guidelines.
2) ISO 27002 is not a mandatory standard if you want to get certified against ISO 27001. Or, to be more precise, ISO 27001 does not mention that the control guidelines from ISO 27002 are mandatory. Therefore, the certification auditor cannot ask you to implement a particular control in the way that is described in ISO 27002.
3) However, you need to implement each control that you consider applicable, so unless you have a very good idea of how to implement that control, you can use ISO 27002 as a guideline.
Information security management policy vs information security policy
Answer:
Yes, in the context of ISO 27001 this is the same document - such a document defines top-level management intent regarding information security and general roles and responsibilities.
Detailed security rules are usually written through detailed policies, for example in our toolkit you will see IT Security Policy that describes detailed general rules for all employees.
Risk likelihood
Answer:
First of all, you should record an incident in the Incident log, not in the Risk register - the purpose of Incident log is to record all the incidents from the past, while Risk register tries to anticipate the incidents from the future.
If an incident has already happened in the past, then it has a much higher chance of happening in the future.
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Approach for the document management
1. Context – Read each template document to understand the context of each document.
2. Content – Replace the placeholder tags in the template documents with the relevant information as per the context of the document. Some of this information will be available in the current BCM document.
3. Compile – Go through each document to check that the document has no formatting issues.
What additional steps do we need to follow in addition to the approach described above?
Answer: Basically, you are on the right track, but additionally you can also define a method for the review and approval of documents. So, when you finish the documentation, some person can review each document (and probably identify some errors), and afterwards a person can approve each document (if everything is OK). If after the review a change is necessary, you can also add this change to the change history.
It is also important to follow the sequence of folders for the implementation, because these are the optimal steps to implement the standard.
A third-party audit is performed by an audit organization independent of the customer-supplier relationship and is free of any conflict of interest. An audit by a regulator is independent of the customer-supplier relationship, and the audit organization is independent of the audited organization. So, an audit by a regulatory body can be considered a third-party audit.
The following material will provide you with information about audits:
Usually controllers need to establish the identity of a data subject before answering any requests in order to ensure that they are dealing with the right person. However, asking you to provide a copy of your ID might be excessive especially because the EU GDPR does not apply exclusively to EU citizens.
Certification and implementation of the ISO 9001 and ISO 14001 standards are the same for all sectors, including non-profit associations, which have to comply with each of the requirements of the standards, just as a company does.
Clause 8.2.3 is about the need to check whether the organization has the capacity to fulfill a customer’s order. Clause 8.4.1 (last paragraph) can be interpreted, although it is not mandatory, as a need to do supplier rating.
The following material will provide you with information about relationships with customers:
Interfaces are the boundary points between what is inside the ISMS scope and what is outside it (e.g., a website page is an interface between the organization's information systems and the external public, a loading area is an interface between a supplier and the organization, etc.).
Dependencies are relations between an organization's elements (processes, assets, etc.) that are needed to achieve a defined outcome (e.g., a datacenter depends upon a communication provider to make information systems available).