>Thanks a lot for the support. I read it, but it doesn't have an answer to points 1 to 3. Request you to help me with the first 3 points mentioned in my questions.
>
>I would like to know what I should keep in the content of these? Or share samples, if possible.
Answer: The content of policies and procedures related to information transfer, log-on and log-off, and publication of public information will depend on the relevant risks identified in your risk assessment and the legal requirements applicable to your organization, so there isn't a definitive answer to your question.
ISO 27002, a supporting standard for the implementation of ISO 27001 Annex A controls, can provide you with a comprehensive set of guidance and recommendations that you can use to tailor your documents. You should consider at least these controls:
- 9.1.1 Access control policy
- 9.4.2 Secure log-on procedures
- 13.2.1 Information transfer policies and procedures
- 13.2.2 Agreements on information transfer
- 13.2.4 Confidentiality or non-disclosure agreements
I now have a better understanding of the 'Assets' that should be recorded in the risk register; you answered a question yesterday for me about listing every server and you suggested grouping them together.
So, if I have an asset of a 'Database Server' on the risk register, what would I put in the 'Information Asset Inventory'? I was thinking of then breaking it down to the different applications that use the database server, does that sound correct?
Answer: In the 'Information Asset Inventory' you must include all assets you identified in your risk register. Since the standard doesn't define to what level of detail the assets need to be described in the Inventory of Assets, you can list servers in general, or list not only the 'Database Server' but also all the different applications that use the database server that you have identified in your risk register.
"Risk assessment is a crucial step in Information Security Management System (ISMS) implementation because it tells you the following: you should implement security controls (safeguards) only if there are risks (potential incidents) that would justify that particular control. In other words, the higher the risk, the more you need to invest in controls; but, on the other hand, if there are no risks that would justify a particular control, then implementing it would be a waste of time and money"
Answer: Controls from ISO 27001 Annex A must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs, there is no need to implement a control considering ISO 27001 requirements.
Answer:
The requirements for product safety are directly related to your product. If you have a product with hazards (such as a battery with a hazard of shocking someone while using it), then you need to identify these hazards and decide what needs to be done (such as warning labels, protective covers, etc.). If your product does not have any safety hazard, then you could simply demonstrate that this has been assessed and therefore no actions are required.
Continual improvement is the incremental, planned changes that you implement to make things better in your organization (as opposed to continuous, which means everything is improving all the time). This is to be applied to your products and services and the QMS to meet customer needs and enhance customer satisfaction (clause 10.1), as well as looking for opportunities to improve other aspects of the QMS not directly related to customer requirements or satisfaction (clause 10.3). In many ways, one of the biggest ways that a company demonstrates continual improvement is through the use of well-planned quality objectives, which give a target for improvement, and following through on plans to achieve them.
The other is a ceramic dielectric powder company (ISO 9001) which designs products for the customer. This company does provide SDS with the shipments.
Will the auditor be reviewing SDS during the audit based on "statutory and regulatory requirements"?
Answer:
This is something that has two answers, and they are the same for AS9100 Rev D and ISO 9001:2015.
First, when it comes to having SDSs for the chemicals and materials that are used within the company, this comes under “Environment for operation of processes” (Clause 7.1.4). If your country requires you to have these SDSs in order to use the chemicals, you must therefore have them to perform your processes. This was also previously the case in the last standard under clause 6.4 for “work environment”. If you needed to have these in place to perform your process, then it is a resource that you needed to have and was therefore auditable.
Secondly, if you are creating a chemical that requires an SDS to be sent with it, then this is a requirement of your product. Therefore, it falls under the standard in clause 8.2.2 “Determining the requirements for products and services”. If there is a requirement that you need to meet and are not doing so, this could be an audit nonconformance. Again, in the previous version of the standards this was also a requirement in clause 7.2.1 “Determination of requirements related to the product”, where it also stated that you shall determine statutory and regulatory requirements applicable to the product.
So, this has really not changed. The auditors could have reviewed SDS during an audit against these requirements. That being said, just because an auditor can look at one aspect of a process does not mean that they will.
Gender and date of birth
- Title (Mr/Mrs/Ms etc.)
- Date of Birth
- Gender
Are any or all of these classed as “Sensitive Personal Data”? What extra precautions do we need to take for these?
Answer:
Gender and date of birth are not sensitive personal data as per the definition provided by the EU GDPR; there are no extra precautions needed.
We are located in Eindhoven, NL. Our primary business is providing a SaaS solution; we work with a 27001-certified hosting partner.
Answer: I'm assuming you are referring to certification bodies instead of auditing agencies. Considering that, we do not know the Netherlands market in detail to recommend specific certification bodies, but you should consider these references:
- SGS https://www.sgs.nl/en
- BSI https://www.bsigroup.com/nl-NL/
The auditor's role is to verify whether the management system is implemented, operated, maintained and improved according to the requirements of the defined standard, as well as according to other requirements defined by the organization that are relevant to the management system. The auditor has little to no role during the management system implementation. The internal auditor performs audits on behalf of the organization that owns the management system, while the external auditor performs audits on behalf of an organization's client (second-party auditor) or a certification body (third-party auditor).
The role of the person in charge of information security is to ensure that the information security management system conforms to the requirements of the standard, and to report on the performance of the information security management system to top management. This person has an important role in the management system implementation, either as the leader of the implementation project team or as the person who will give the project's team the needed guidance for the project implementation.
These articles will provide you with further explanation about the roles of the person responsible for information security and of the auditor:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
These materials will also help you regarding the roles of the person responsible for information security and of the auditor:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/