
  • Audit and certification


    Answer: For certification purposes, only auditors related to certification bodies can perform such audits, and the choice regarding which certification body will lead the process is up to the organization itself.

    These articles will provide you further explanation about ISO 27001 certification process:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding ISO 27001 certification process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    This page can help you find a certification body: https://advisera.com/
  • Internal audit results


    Answer: Recurrent nonconformities may indicate a rupture in the management system (a failure in the maintenance of the system), and for certified systems, if such a situation is not corrected before the next external audit, this may lead to a major nonconformity, which can compromise the management system certification.

    2 - Management has not taken corrective actions. Where in the standard can I find a reference to this?

    Answer: If you have evidence that recurrent nonconformities can be related to inaction of management, you can report this situation as a failure to comply with one of the following clauses:
    - 10.1 c): implement any action needed (either to control and correct the nonconformity or, if necessary, to prevent it from recurring or occurring elsewhere); or
    - 10.1 d): review the effectiveness of any corrective action taken

    This article will provide you further explanation about nonconformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

    These materials will also help you regarding nonconformities:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Information security resources

    Even for my master's work, I read and learned a lot from your texts that I found online.
    Recently, I started to learn a bit more seriously about cybersecurity, because it has always been a very interesting topic and I want to change my career and deal with the security of information.
    So I'm trying to get in touch with people who are experienced and from whom I can learn something.
    If you can give me any advice about learning, certification or the most important things that I should focus on, I would be very grateful to you.

    Answer: Besides our site, I suggest you look for contacts and training opportunities on the websites of organizations such as ISACA (www.isaca.org), ISC2 (https://www.isc2.org/), SANS (https://www.sans.org/) and NIST (https://www.nist.gov/). LinkedIn (https://www.linkedin.com/) is also a good source of contacts.

    Regarding what you should focus on, this will depend on what type of career you want to pursue (e.g., technical controls, risk management, audit, etc.).

    These articles will also help you with your queries:
    - How to learn about ISO 27001 and BS 25999-2 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • Qualifications to perform ISMS internal audits


    We generally employ two people, one Audit Lead and one Auditor. What training opportunities and certifications are available for these professionals?

    Answer: To perform audits a person should consider mastering competencies regarding risk management, information security and audit techniques. These competencies can be acquired by means of education, training or practice, so certifications are only one of the alternatives you should consider.

    Regarding ISO 27001, you should consider the ISO 27001 Internal Auditor training or the ISO 27001 Lead Auditor training.

    These articles will provide you further explanation about certifications and training:
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding certifications and training:
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Patch management

    I would like to know where patch management fits into ISO 27001. If, for example, a new critical security update was released by a vendor or a vulnerability management system discovered a missing critical update on an asset, would I carry out:
    1. A risk assessment against the asset to determine the risk, then do the treatment options and treatment plan,
    or
    2. Would missing patches come under defect management and go through some type of SDLC testing and change management before being applied, and only do a risk assessment if the patch couldn't be applied because of either a system stability issue or because the patch won't be applied within the time-frame required in a patch management policy?

    Answer: The handling of a new critical security update that was released/discovered should go through change management (control A.12.1.2), and according to this control, planning and testing of changes should come before the assessment of the potential impacts of such changes (first you have to understand the change and verify if it is feasible, in a non-operational environment, so you can assess the involved risks). The scenarios you mentioned are only part of the possible alternatives (you can identify that the change is possible, but involves risks that can be managed by means of a rollback procedure, for example).

    If a risk assessment should be carried out, does this also mean that after the treatment options are decided for every patch that requires a treatment option the Statement of Applicability must be updated with whatever potential control?

    Answer: If during the risk assessment you identify the need for a new control, then the Statement of Applicability should be updated accordingly.

    If I had to carry out a risk assessment for every patch that came out, it would create so much overhead that it just wouldn't get done. What have you found to be best practice for this?

    Answer: When defining your change management process, you can define which kinds of patches and situations would require risk assessments to be performed, so you can balance the effort of performing risk assessments against the level of risk involved in the change. For example, you can define that patches that do not require a high level of skill, or are applied to non-critical systems, do not require a risk assessment.

    These articles will provide you further explanation about change management:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

    These materials will also help you regarding change management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • Supporting services


    Answer:
    If supporting services are provided by the same (part of the) organization as customer-facing services, then there is no point in looking for the customer of the supporting services.
    But, if supporting services are provided by an external organization or some other department inside the same organization, then there is a customer of the supporting services.
    Read the article "ITIL Customer-facing vs. supporting services" https://advisera.com/20000academy/blog/2014/05/27/itil-customer-facing-vs-supporting-services/ to learn more.
  • Process approach


    Answer:

    The process approach is a management strategy. When managers use a process approach, it means that they manage and control the processes that make up their organizations, the interactions between these processes, and the inputs and outputs that tie these processes together. It also means that they manage these process interactions as a system. The process approach considers the interaction between these processes, and the inputs and outputs that tie these processes together. The output of one process becomes the input of another.

    For example, production or manufacturing can be considered as a process. You can define what the inputs for the process are, e.g. raw materials, energy, people, work instructions, etc., and then you define the set of activities within the process. At the end you define the outputs, such as the product, scrap, waste, etc. This should be defined for every process in the organization, as well as the interaction and sequence of the processes; for example, the output of design is the input for the purchasing and production processes, and the output of the production process is the input for the warehousing or distribution process.

    For more information, see: The importance of the process approach https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
  • AS9100 Control of suppliers


    Can the same approach be taken in AS 9100? If we get good parts from Jimbo's CAD-Plating Service does it matter if I went to his shop and filled out a form that says he successfully executed our instructions that were flowed down through our purchase order?

    Answer:
    As with ISO 9001:2015, the requirements in AS9100 Rev D for control of providers of products, processes and services require that you identify the controls required for the providers. This will be dependent on what is supplied, history, experience, etc. On-site auditing of a supplier is only one method of control that can be put in place for a supplier, as are such things as incoming inspection, testing of incoming parts to verify the data, etc.
    So, as you have identified, you can use the same thinking for suppliers for which you have determined that no on-site auditing is required as a method of control. It is all about how you have identified the controls to be in place (i.e. if your process says you will do on-site audits, then you need to do them). The one additional thought from AS9100 Rev D is the need to assess any additional controls that need to be in place to prevent counterfeit parts, as applicable to your products and services. An audit may be something that you identify for a supplier to ensure that their systems are adequate to make sure you get what you want, but this is up to you.
    For a bit more information see this explanation of AS9100 Rev D: https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
  • The training and awareness program

    Art 29: "anyone acting under his authority or under that of the data controller, who has access to personal data cannot process such data if it is not instructed to do so by the data controller"
    Art 39: "personal training involved in the treatment and related control activities" In other words, is there a document that we can distribute to the staff in order to satisfy the previous points?
    Does the Toolkit include templates that we can use for information treatment to be included on institutional and e-commerce sites?

    Answer:

    1. The training and awareness program is something each company should be creating by itself, taking into account the business of the company as well as the processing activities and the relevant personnel who should be trained. So, this is why we did not include any training materials in the toolkit: we can't know how detailed the materials should be to satisfy your needs.
    2. The information that you need to put on your e-commerce site is consistent with the information from the “General Data Protection Notice” in the Toolkit. Be aware that e-commerce is regulated by a different act, Directive No. 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), so you should check your local transposition act in your local law.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • QMS and improving performance


    Answer:
    Implementing a QMS is the first step in establishing standardized procedures for running several processes in an organization. For each process, establish relevant performance indicators and monitor and evaluate performance regularly. I recommend using quality tools like control charts, Pareto diagrams and histograms to get the most information out of the data. When your organization decides to invest in improving performance, it can use quality improvement tools and methods during the PDCA cycle.

    The following material will provide you information about QMS improvement:

    - ISO 9001 – How to maintain your ISO 9001-based QMS after certification - https://advisera.com/9001academy/31/how-to-maintain-your-iso-9001-based-qms-after-certification/
    - How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/ 24/define-key-performance-indicators-qms-based-iso-9001/
    - How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/