Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration can vary from 3 to 12 months.
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/o oks/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Integrating ISO 20000 and ISO 27001
Answer: Both the ISO 20000 and ISO 27001 standards do not prescribe how to build the documentation, so you can elaborate your ISO 27001 documentation as you proposed (putting inside the ISO 27001 documents, where appropriate, references to the ISO 20000 ones or parts of the ISO 20000 documents).
But before you do that, you should consider whether keeping separate documents wouldn't require more effort than using an integrated document (generally integrated documents are more useful and require less effort).
Answer: ISO 27001 is a management standard, so it does not go far into the technical aspects of security controls, including VAPT (Vulnerability Assessment and Penetration Testing). It focuses on establishing control objectives (which should be achieved by implementing the controls) and general requirements for applicable controls. ISO 27002, a supporting standard for the implementation of ISO 27001 controls, provides additional details and guidance for controls implementation, but also does not go deep into technical details.
Answer: To regain top management's trust and support for an ISO 27001 implementation, you should focus on quickly solving relevant business problems currently affecting the organization by means of implementing ISO 27001-related controls. At this point the focus should be on quick risk assessments and implementation of the easier controls that can achieve the fastest and most important results (things such as internal audit and documentation control should be postponed).
Once significant results are achieved, you can argue that to maintain them in the long run the other ISO 27001 requirements should be implemented.
You can organize the implementation of your EMS by following these steps:
1) Obtain real top management support, meaning enough money and human resources for the project. For this purpose, the business benefit of the project must be communicated to top management.
2) Establish the project structure: appoint the project manager, the project sponsor and the project team (if necessary); define the milestones, deadlines, deliverables and budget.
3) Identify the legal requirements for your EMS.
4) Define the scope of your environmental management system.
5) Define the EMS procedures and processes. You can check which documents are mandatory and which are recommended in this article: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
6) Carry out training and awareness.
7) Operate your EMS, keeping the records needed for the audit.
8) Perform the internal audit.
9) Perform the management review.
10) Implement corrective actions.
11) Certification audit.
During the implementation, do not write too many documents. Of course, you must cover the necessary minimum, but avoid writing overly detailed documents, since they will be improved over time during the regular review process.
Consider your organization with a given strategic orientation and a quality policy. Your organization is an open system interacting with the environment, so it is not wise to define objectives for the management system, for example, without considering the internal and external context. For that reason, organizations assess the environment and determine relevant internal issues (like process performance, like customer complaints, like downtime, like …) and external issues (like legislation evolution, like technological evolution, like social and economic trends, like …). Then, your organization can evaluate those issues and see if they can be related to opportunities or risks. For example, a demographic evolution can be seen as an opportunity and an economic trend can be seen as a risk. An opportunity is something that can help meet an objective, and a risk is something that can hinder meeting an objective.
You can also look into a process or a product/service and think about the desired outcomes and/or desired performance. Then you can determine risks and opportunities about those expected results.
The following material will provide you with information about context and the risk-based approach:
Answer:
The following belong to the Service Managers' responsibilities:
- accountable for the delivery of a specific IT service (ensuring that ongoing service delivery and support meet agreed customer requirements)
- responsible to the customer for the initiation, transition and ongoing maintenance and support of a particular service, and accountable to the IT director or service management director for the delivery of the service
- the service owner's accountability for a specific service within an organization is independent of where the underpinning technology components, processes or professional capabilities reside
- responsible for continual improvement and the management of change affecting the service under their care
So, if your sales team is capable of fulfilling the above requirements, then yes, they can be the service owners (of the business part of the service catalogue).
GDPR concern
Answer:
It is not that the EU GDPR forbids you to send or store data outside the EEA, but rather it requires that you tell the individuals that their data may be sent outside the EEA and the safeguards you took to make sure that the data is processed in a lawful manner.
So, you should first communicate this to your customers through your Privacy Notices.
It is up to the organization to select the method that best suits its characteristics, situation, size and the context in which it operates or offers its expertise; this can be a simple qualitative process or a complete quantitative assessment.
Here are some examples of methodological tools:
- Standard UNE ISO 31000, "Risk management. Principles and guidelines". It provides the best practices that have been gathered from risk management carried out in different areas.
- Standard UNE EN 31010, "Risk management. Risk assessment techniques". Used as a companion to the previous standard, it provides the guidance needed to select and apply the most effective techniques for risk assessment.
- Standard UNE 15008, "Analysis and assessment of environmental risks". It describes the methodology for analysing and assessing environmental risks and establishing efficient management of them.
These materials can help you learn more about risks and opportunities in ISO 14001:2015: