Search results

  • Toolkits and CSA CCM


    Answer: Our ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit templates can help you cover the requirements of the CSA STAR certification related to the ISO 27001, ISO 27017, and ISO 27018 standards, as identified in the Cloud Controls Matrix (CCM).

    To see the content of this toolkit, please access this link: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/

    These articles will provide you with further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Risks and opportunities - an approach


    Answer:

    ISO 9001:2015 gives a lot of freedom in treating risks and opportunities, so you will see different possible approaches.
    First, what is a risk or an opportunity? A negative/positive deviation from what is expected, due to uncertainty, is a risk/opportunity. What is expected are the desired results, the outcomes of a QMS.

    Second, ISO 9001 mentions risks/opportunities at three levels (clause 5.1.2 b: risks about products and services; clause 4.4.1 f: risks about process outcomes; clause 6.1.1: risks about the overall results of the QMS).

    Third, with FMEA, with a conversation/discussion about internal and external issues, or with performance analysis, an organization can determine relevant risks and opportunities, then evaluate them and decide what to do with them.

    The following material will provide you with information about risks and opportunities:

    - ISO 9001 – Methodology for ISO 9001 Risk Analysis - https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implementing ISO 27001 in the cloud


    Answer: Basically, ISO 27001 is about risks related to information, and in your case some risks are on the provider's side (for example DoS attacks, hardware failures, power supply failures, etc.), so you would have to transfer these risks. But there are also other risks on your side that you also have to treat, for example risks related to the remote connection to the cloud, to the PCs used to operate the cloud services, to the applications you are using, to employees' awareness of information security, etc.

    This article may be of interest to you, "Lista de apoyo para implementación de ISO 27001" (ISO 27001 implementation checklist): https://advisera.com/27001academy/es/knowledgebase/lista-de-apoyo-para-implementacion-de-iso-27001/

    Also this one about risks, "Evaluación y Tratamiento del riesgo en ISO 27001 - 6 pasos básicos" (Risk assessment and treatment in ISO 27001 - 6 basic steps): https://advisera.com/27001academy/es/knowledgebase/evaluacion-y-tratamiento-del-riesgo-en-iso-27001-6-pasos-basicos/

    And this one, "Defining the ISMS scope if the servers are in the cloud": https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    By the way, ISO 27017 is another standard related to cloud services and to ISO 27001, which may also be of interest to you. Here you can find more information about it: "ISO 27001 vs. ISO 27017 - Information security controls for cloud services": https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
  • Required documentation


    Answer:

    ISO 9001:2015 considers two types of documented information: documentation to maintain, which gives instructions about how to act in the future; and documentation to retain, which consists of records about what happened.

    Organizations should consider mandatory documented information required by ISO 9001:2015 and non-mandatory documented information that can be decided as necessary or useful for the effectiveness of the quality management system. The first link below gives a complete answer.

    The following material will provide you with information about documented information:

    - ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-90012015-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Becoming an ISO auditor/consultant


    Answer:

    Regarding auditors - there are two types of auditors:

    Internal auditors, who carry out internal audits, and lead auditors, who work for certification bodies and perform the certification audits.

    Regarding internal auditors - there are no mandatory qualifications to become an internal auditor, but certain skills, competencies, and qualifications can help a person become an internal auditor. A combination of knowledge of ISO 9001:2015, knowledge of the internal processes, and attention to detail remain the primary attributes.

    You can attend this course to help you acquire the necessary knowledge - ISO 14001:2015 Internal Auditor Course: https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/

    Regarding the lead auditor - to become a Lead Auditor, first you need to have experience in applying ISO principles, procedures, and techniques in auditing. The next thing a candidate needs to become a lead auditor is to pass the Certified ISO 9001 Lead Auditor exam. This ISO 9001 Lead Auditor course is offered by many accredited bodies, such as certification bodies or approved training organizations. The scheme most widely offered by the main auditor registration organizations is a qualification scheme that requires you to pass a 5-day lead auditor class, demonstrate with a resume that you have about 4 years of work experience, of which about 2 years are more specific work experience (e.g. in the environmental sectors that you want to audit in), and then participate in audits to demonstrate audit experience.

    To learn more about the benefits and problems of becoming a Lead Auditor, see this article - Benefits and potential problems of becoming an ISO 9001 Lead Auditor: https://advisera.com/9001academy/blog/2020/04/10/how-to-become-an-iso-9001-lead-auditor/

    Also, this book can help you to understand ISO internal audits - ISO Internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

    If you are interested in working as a consultant implementing ISO 9001:2015 you can attend a Lead Implementer Course, since that course can help you to understand and implement the standards and then get the Lead Implementer certificate in order to prove your competence. Also, a Project Manager Certificate can be helpful because you will learn how to run projects.

    We have available this free online course – ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/ After attending the course you can obtain a certificate that proves that you passed the exam.

    To learn more about how to become a consultant, see these articles:
    – How to become an ISO 9001 consultant: https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
    - How to sell your ISO 9001 consulting services: https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
  • Documented information of external origin

    Thank you very much for the clarifications!
  • 7.5.1 b) Documented information determined by the organization as being necessary

    Thank you very much for the clarifications!
  • Procedure for Document and Record Control

    This is what the Paragraph states:
    Each external document, which is necessary for the planning and operation of the ISMS, must be recorded in the incoming mail register. The incoming mail register must contain the following information: (1) document number, (2) sender, (3) document name, (4) date of receipt, (5) name of the person to whom the document has been forwarded.

    Answer:

    An incoming mail register is a record used to identify any information received by the organization from external parties, either on physical or electronic media. Examples of incoming mail are hard copies of equipment manuals you use or standards you must comply with, or a customer e-mail requiring changes in a project's specification.

    Your understanding is right that not all mail coming into the organization needs to be in the incoming mail register. Examples of external documents necessary for the planning and operation of the ISMS are the ISO 27001 standard, customer requirements for service delivery, and audit reports from your certification body.
  • BYOD policy


    Answer:

    In section 3.4, I understand that you are referring to the Information Classification Policy in the text "classified information must be additionally protected according to the [Information Classification Policy]". Considering that, this template can be found in folder 08 Annex A A.8 Asset management.
  • Incident Management Procedure


    Answer:

    The Incident Management Procedure only covers the requirements of ISO 27001, and for the EU GDPR & ISO 27001 Integrated Documentation Toolkit the incident management process must also cover the GDPR requirements (Articles 4(12), 33, 34), so for this toolkit you can use the template A.16 Data Breach Response and Notification Procedure, located in folder 11 Security Controls of your toolkit.