Search results


  • Template content

    The provided template consists only of requirements for deploying any sort of antivirus software with auto-updates ON, but in our case it isn't enough.
    The reason I ask for assistance is that we provide SMB SaaS with access for customers to terminal servers with this software installed on them, and this software has the functionality to modify client-side source code for customization needs. We don't know for sure how we should consider this threat: as a potential to execute any malware or just as a technical vulnerability (so we shall refer to A.12.6).

    Can you help us complete our understanding?

    Answer: There is no extended template, but as a part of the toolkit you bought you can schedule a meeting with one of our experts so he can help you develop the extensions you need. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    Considering the information you provided, the possibility to modify client-side source code should be treated as a technical vulnerability, because this feature is part of how the antivirus software works to protect the assets, but it may have a negative impact that must be assessed first before releasing the software into the operational environment, which can be handled by controls from section A.12.6.
  • ISMS scope template


    With the organisational units (sec 3.2), do we have to list every type of unit, i.e. computer monitors, keyboards, laptops, mouse, etc.? Also, I really don't get how they are separated from units that are not in scope. If we have a desk that is not in scope and a laptop that is on that desk that is in scope, how would I document that?

    3.1 Processes and Services

    Is this enough detail? Below:

    Processes and services
    Existing services - Pentesec will continue to deliver its services within a secure environment.
    Development - Pentesec will conduct annual risk assessments to ensure that risk to information in the care of is minimised or eliminated.
    Incidents - Pentesec will ensure that all systems are protected and resilient from breach by keeping firewall software and licences up to date with the latest patches to prevent entry of any malware.

    Organizational units

    Laptops, docking stations, keyboards, and how they are separated from the organizational units that are not included in the scope

    Answer: In section 3.1 you should detail the "existing services" as the services currently running (e.g., software development services, printing services, etc.).

    For section 3.2 (Organizational Units) you should list the business areas included in the scope (HR department, IT department, R&D department, etc.), not the assets. As ways they are separated from units not in the scope, you can mention walls, doors, separate buildings, etc.

    Included in the template there are comments with examples of how you can fill the templates. Additionally, you have access to a video tutorial that can help you fill the ISMS scope template.
  • Roles and responsibilities


    Answer:

    Regarding the question about how top management can value ISO 9001 and, therefore, how to obtain their commitment to the project, you can organize a meeting with top management to present the benefits and the myths of ISO 9001:2015 and how they are relevant to your company.

    In this article you can find some techniques to convince your top management - 4 crucial techniques to convince your top management about ISO 9001 implementation: https://advisera.com/9001academy/blog/2017/12/05/4-crucial-techniques-to-convince-your-top-management-about-iso-9001-implementation/#

    You can use this free project proposal for ISO 9001 implementation to help you convince top management to implement ISO 9001: https://info.advisera.com/9001academy/free-download/project-proposal-for-iso-9001-implementation-ms-powerpoint

    You can also read this document, which explains how implementing ISO 9001 can help your company grow and perform better - How can ISO 9001 help your business grow?: https://info.advisera.com/9001academy/free-download/how-can-iso-9001-help-your-business-grow

    For employee commitment, you can organize an awareness session with them, presenting the myths and benefits of ISO 9001:2015 as well as the importance of their role in the implementation. For this, you can use this free white paper: Why ISO 9001:2015 - Awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation

    You can find information about the process approach in this article - ISO 9001: the importance of the process approach: https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/#

    For the definition of indicators, you can read this article - Define key performance indicators for a QMS based on ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
  • Quality and Information Security Manager combined?

    Answer:

    At small IT organizations (up to 20/30 employees), normally the same person combines the two roles.
    At larger organizations, particularly if the core business is not software (like manufacturing), normally each role is performed by a different person.

    The following material will provide you information about combining ISO 9001 and ISO 27001:

    - Free webinar – ISO 27001 implementation: How to make it easier using ISO 9001 - https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Design and nonconformities

    Answer:

    (1) – Who established the product requirements? Why did the customer ask for modifications? If the customer established the initial specifications and:

    * now he is asking changes because those specifications were not met, that is a non-conformity;

    * now he is asking changes because although the specifications were met, they are not useful during use, that is not a non-conformity.

    If the initial specifications were developed by your company and were met, and the customer is asking for changes, that is not a non-conformity about the product. Perhaps your company could consider it a non-conformity of the service: you want to improve future collection of input information for project development (not many companies follow this way).

    (2) – I do not consider this situation as a non-conformity in the design. There is no agreed specification yet, many times this is a trial and error phase.

    The following material will provide you information about design and development:

    - ISO 9001 - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Marketing activities


    Answer:

    The EU GDPR is meant to be applicable in all instances where personal data is being processed, including marketing activities, as long as it is business to consumer. There are no specific sections in the EU GDPR dedicated to marketing or any other processing activities, for that matter.

    To learn more about marketing and the EU GDPR check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Staff training on GDPR

    2. Also, GDPR requires staff training; what should be the main focus of the training: maintenance of privacy, or any other procedures in particular?

    Answers:

    1. Registration with a Supervisory Authority is subject to local law. For example, the ICO requires controllers to register: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/
    2. The training should be targeted at the processing activities that your staff are dealing with in their day-to-day activities. Of course, all your staff need to be informed on the basic principles of GDPR, but some may need specific training, such as marketing staff or security staff.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Convincing top management


    So far, I have not been successful in convincing the top management that it would be advantageous to educate ourselves about ISO 27001 and eventually sign up to it. I intend to take the course as soon as possible.

    Dejan, perhaps you could give me some tips on how to influence the top management.

    Answer: To improve your chances of getting support for an ISO 27001 initiative in your organization, you should provide real examples of benefits related to:
    - compliance with regulations regarding data protection, privacy and IT governance applicable to the organization
    - competitive differential that can be achieved by being capable of demonstrating that your organization can protect customer information
    - decrease in costs incurred by information-related incidents
    - improving internal organization

    Another important point to be considered is the presentation. For top management you should avoid using technical jargon (concentrate on business benefits).

    These articles will provide you further explanation about ISO 27001 benefits and top management:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/

    These materials will also help you regarding ISO 27001 benefits and top management:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Internal and surveillance audits


    Answer:
    You are mentioning two types of audits: internal or first-party audits and third-party audits. Certification and surveillance audits are third-party audits. After the certification audit your organization will have two yearly surveillance audits, and three years after certification your organization will have a re-certification audit.

    About your organization’s internal audits there is one requirement, not included in ISO 9001:2015 but included in the contract with the certification body: at least once per year in one or more audits all ISO 9001:2015 clauses will be audited.

    The following material will provide you information about surveillance audits:

    - Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Correction vs corrective action

    Answer:

    When something goes wrong you have a non-conformity. For example, your company sent the wrong product to fulfill a customer order. Or your production line manufactured a product with a defect, or your after-sales service provided the wrong service.

    When you have a non-conformity, you need to eliminate it. Correction attacks non-conformities: a correction focuses on the defect, on what is wrong, and tries to solve the situation. For example, through rework, through scrapping, through downgrading, or through a discount with the customer to see if he agrees to receive the wrong product.

    Corrective action is done after the correction and has another purpose: to try to eliminate the cause behind the non-conformity. When we do an effective corrective action we eliminate or reduce the frequency of occurrence of the non-conformity. For example, changing a raw-material supplier in order to minimize production problems due to a raw material.

    The following material will provide you information about corrections and corrective actions:

    - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/