Answer: Management principles are concepts that can be used as a foundation to guide an organization’s performance improvement. ISO 27001 shares some management principles with other ISO management standards, such as:
- Leadership
- Process approach
- Improvement
- Evidence-based decision making
Specifically for the ISMS, we can consider as principles:
- Risk-based approach
- Protection of confidentiality, integrity and availability
Auditing ISO 27001 and ISO 27018
Last December our 27001 documentation was audited and approved, and now we have planned an audit type two (implementation phase) for November, but we want to go a bit further and also get an audit against ISO 27018 and scope the requirements of the GDPR Regulation.
My questions are:
1 - Is it possible to audit both ISO 27001 and 27018?
Answer: ISO 27018 is a supporting standard to ISO 27001, providing detailed guidance and recommendations on the implementation of ISO 27001 Annex A controls, considering privacy in cloud environments, so it is perfectly possible to perform an audit considering these two standards as references.
2 - Is it possible to audit only the 11 extra controls of ISO 27018, as the controls of ISO 27001/27002 already apply? How would you recommend doing it?
Answer: You can reduce your audit scope to cover only the ISO 27018 extra controls and the other controls from ISO 27001 that have some specific recommendations provided in the ISO 27018 with no problem.
It provides a list of questions to help perform an internal audit against ISO 27001, considering also ISO 27018. For each clause or control from the standard, the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.
Passing those exams will document in a formal way that you acquired knowledge about ISO 9001:2015 and about the preparation, realization and reporting of internal audits. Your previous experience and education will certainly be very useful for you and for your future audit customers; that kind of experience and education cannot be learned in a fast course, and it is very important for dealing with situations and having a mature and business-friendly point of view. As soon as you get those two diplomas you can start acting as an internal auditor for organizations, and as you gather some actual experience you can start asking certification bodies whether they have more particular requirements that you must meet in order to be able to apply.
The following materials will provide you details about internal audits:
2. In cross-border data transfer, if adequacy is not fulfilled, what are the penalties?
Answers:
1. They are actually the same. In the context of the EU GDPR, both are entities that are receiving personal data. Depending on the purpose of processing and the business context, the Recipient or Third Party can be a data processor, a joint controller or a controller in its own right. You can find out more about controllers and processors from our article “EU GDPR controller vs. processor – What are the differences?” – https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
Answer: ISO 27001 only requires the definition of necessary competencies for persons that affect its information security performance. Considering that, only the persons that handle the information you want to protect must be included in the competency matrix. For example, if you want to protect only the research and development information, most probably the HR and financial personnel won't be included in your competency matrix.
2 - And what type of competencies need to be included – do they have to be related to information security only?
Answer: The competencies to be included will depend on which roles you have in your matrix, but broadly speaking they are related to information technology, physical security, HR management and legal.
As you can notice, they are not limited to information security. In fact, information security competencies will drive which specific competencies in these areas must be developed.
For example, for protecting confidentiality, competencies related to physical and logical access control must be developed, as well as security practices in systems development, which will need to protect the confidentiality of information stored and processed by information systems.
These articles will provide you further explanation about managing competencies:
You should not build a management system in limbo. Your organization’s management system will be a function of its context, external and internal. For example, imagine that your organization is American and exports very successfully to China. Will trade barriers be erected? How will that change the market? Imagine that your organization sells mainly to stores in shopping malls. I read today, honestly, someone defending that around 25% of shopping malls will close in the next years. Imagine that a competitor with a different business model is disrupting the market. Your management system must take this into consideration when thinking about the future. About the internal context, imagine that your commercial department is saying that customers want or need shorter delivery times, but your internal data reveal an opposite trend: your organization’s delivery times are becoming longer. Clause 4.1 of ISO 9001:2015 is about this kind of stuff. Normally, it is top management who determines which issues are relevant. Most of these issues can be seen as the basis for uncertainty about the future of the business, and with that uncertainty come risks and opportunities (clause 6.1.1). Because of the most relevant risks and opportunities, your organization can change some practices (clause 6.1.2), that is: change the way some processes are executed.
The following materials will provide you details about the context determination:
I assume that by “objectives” you mean quality objectives and that by KPI you mean Key Performance Indicator.
Since I do not have more information, I will speculate upon the reasons that can support the auditor’s behavior. Normally, organizations develop quality objectives, stated challenges that imply a direction of improvement. Then they use indicators to monitor and measure performance and define a precise target to meet. Has your organization written any statements about each objective?
Please see below the first article, where you can read: “These product or process objectives are often referred to as Key Performance Indicators (or KPIs). By utilizing the KPIs that the company has identified as the important indicators that the processes are functioning well the overall QMS objectives for improvement become much easier to measure.” I believe your auditor feels those statements are missing. Quality objectives can be measured by KPIs but are more than KPIs.
The following materials will provide you details about quality objectives:
Answer:
If you have ISO 20000 certification for your company, that's the maximum you can get. There is no ITIL certification for companies; only individuals can be ITIL certified.
2.- Strategies for expanding the scope of certified services from one group of services to all services aimed at external customers.
3.- How to migrate from an ISO 9001-based system with ITIL practices implemented to an ISO 20000-1 system
Answers:
1.- My recommendation is that you should select the core business services, or the services for which you most want to advertise to your customers that you have implemented the ISO 20000 standard. For more information on how to define the scope of ISO 20000, this article may be of interest to you, “How to define the scope of the SMS in ISO 20000”: https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/
2.- Sorry, but I am not sure I have understood your question correctly; however, if you want to provide IT services to customers who are requesting a certification from their suppliers, implementing and certifying ISO 20000 may be worthwhile. And this can be the strategy, that is, depending on your customers' requirements and needs, you can include in the scope of the ISO 20000 certification the services related to the customers who require/need it.
3.- If you have ISO 9001 with ITIL, implementing ISO 20000 can be very straightforward, so basically you will need to know the specific requirements of ISO 20000 and which of these requirements are covered by ISO 9001 + ITIL. This free matrix may be useful for you, “ISO/IEC 20000-1: 2011 vs. ISO 9001:2015 matrix”: https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix