Answer: The main arguments against ISMS implementation generally are:
- the investment to be made
- lack of clear view of the benefits
- historical data supports the thinking "this will never happen to us"
- the thinking "no one is interested in our information"
Suppliers approved by customers and procedure requirement
Answer:
By “been approved by our customers” I imply that they have been selected by your customers. I would recommend keeping a procedure for Purchasing and Evaluation of Suppliers.
Although they have been selected by your customers, your organization still needs to order them to deliver the right amount, of the right reference, with the right quality and at the agreed price on a particular date. Also, your organization must verify fulfillment of requirements upon reception of each delivery. Finally, although suppliers are selected by your customers, it is wise to keep a record of suppliers’ performance. For example, it can be useful during negotiations with customers, particularly because your organization could be “importing problems” from those suppliers that affect your organization’s internal performance and even your performance in the eyes of the customers.
The following material will provide you with information about purchasing:
Its list of questions will help you to verify the degree of implementation of the standard your client has achieved and guide you on the definition of the project scope.
Answer: ISO 22301 was designed to be implemented in organizations of any size or industry, so there is no specific recommendation for financial organizations. In general, you should consider:
- Ensure the buy-in of your top management for this project
- Make the employees aware of the importance of this implementation
- Identify and involve in the project the right people (the ones with the knowledge, experience and skills to help the implementation).
- Identify the proper implementation strategy
Answer: The control A.10.1.1 - Policy on the use of cryptographic controls defines the guidelines for the use of cryptographic technologies in an organization (e.g., which technologies to use, when, by whom, etc.). So, if you have cryptographic technologies in your organization (like an SSL certificate), you have to consider the implementation of this control to treat risks like:
- IT staff implementing SSL in different ways in different places because there is no general rule about the issue,
- Unauthorized people accessing cryptographic technologies, because there is no list defining who can use them
Answer: Included in your toolkit there is a List of Documents file which correlates each template with the clauses of ISO 27001 it covers.
Clause 6.2 is covered by the template Risk Treatment Plan, which can be found in folder 7.
Critical processes, RTO and RPO
Answer: To identify the business-critical processes you must first understand your organization's context and identify your relevant interested parties' requirements (e.g., products and services they demand, delivery conditions, laws and regulations to be fulfilled, etc.). Based on that you can identify which processes are critical to your business.
Regarding RTO and RPO, they are more defined than calculated, because they are based on the needs and expectations of your interested parties, which most of the time reflect clauses in contracts, laws or regulations, and historical data (statistical data can also be present). So, if your definition of RTO or RPO can be supported by a solid justification, it is not mandatory for you to search for a formula to calculate them.
The best way to start is with a gap analysis to determine to what level your organization is already compliant with the requirements of the standard and what needs to be done to achieve full compliance. According to the results of the gap analysis, you can start planning the implementation project and define all activities to be performed.
2. Ideally a DSAR should be in writing. Under GDPR, can a DSAR be made verbally by the data subject? Must my organization also be prepared to receive DSARs via social media?
Answer:
The Personal data protection policy is intended to be a commitment of the Company towards achieving compliance with the EU GDPR and could be made public if the Company wants. The Employee data protection policy is meant to regulate within the Company how the HR department uses employees' data and the conditions under which those data are processed. So the main difference is the target audience for the two documents.
It is advisable to set up dedicated channels to manage the data subject access requests, and one reason for this would be to make sure you properly identify the data subject, so you would need to ask for certain identification elements.
If you receive the requests via other channels you need to make sure that you can reasonably and accurately identify the data subject before responding to the request. There is no obligation for the data subject to use a certain channel and you need to reply nevertheless.
I presume that you are asking why auditees need to be involved in the development of a corrective action after an internal audit. The development of sound corrective actions depends on the determination of the cause(s) of a nonconformity. Normally, auditees are in the best position to identify possible cause(s) and to determine actions to remove or minimize them. Previous versions of ISO 9001 made it mandatory that the management of the audited areas were responsible for the development of corrective actions; ISO 9001:2015 only requires that the audit results be reported to the relevant management.
The following material will provide you with information about the risk-based approach: