
  • Internal Auditor requirements


    Answer:

    If you have persons trained as Lead Auditors 14001, you have persons that know how to perform an audit. Do they know ISO 9001? What are the organization requirements for internal auditors? Are they required to evidence knowledge of ISO 9001? Can they evidence it?

    The following material will provide you information about Internal Audits:

    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk Assessment


    While the organization has a number of security controls in place, they have a significant lack of documented policies, standards, and processes/procedures.  We are not specifically calling out in the risk assessment the lack of documentation, and maybe we should.

    When completing the risk assessment, I believe we are closely following the advice from the videos and blogs on your site.  For example, rather than listing out all of the assets during this initial risk assessment, we are grouping the assets into “asset categories” where very similar assets will have the same threat & vulnerability pairs.  We are selecting 2 or 3 threats for each asset and 2 or 3 vulnerabilities that can act on each of those threats.  Due to existing controls (while undocumented), the subject matter experts are categorizing many of the risks as acceptable (score of 0, 1, or 2) and only about 25 of the risks as unacceptable (score of 3 and 4).

    When moving from the risk assessment to the risk treatment, I am a little confused.  We intuitively know that the organization expects to have 107 of the 114 ISO 27001 controls in place when the project is complete.  They are using many of those controls today.  However, as I mentioned, the organization has a significant lack of documented policies, standards, and processes/procedures.

    How do I create the association between the risk assessment and the controls selection when there are only about 25 risks being identified?  Should the risk assessment include a vulnerability like “inadequate documentation of policy, process, and standards”?  That would significantly increase the number of identified risks that need treatment, even if the treatment is simply creating the documentation around the controls.

    Does there have to be a direct correlation between the risk assessment and all of the controls selected in the SOA?

    If my email is confusing, perhaps we can have a conversation.

    Answer: First you have to remember that to treat a risk you can use more than one control. In general, the controls are combined in this way:
    - You establish policies, to define and formalize the rules and behaviors that are expected to be followed (e.g., information security policy, access control policy, backup policy, etc.)
    - You establish procedural, physical, and technological controls to enforce the policies (e.g., incident management process, physical and logical perimeters, two-factor authentication for access control, etc.)

    So, depending on the identified risks, you may have one or several controls associated with them, which may cover the 107 controls you are expecting. For example, for a risk of loss of data stored on servers due to a ransomware attack, you can consider the application of controls A.12.2.1 Controls against malware and A.12.3.1 Information backup.

    Regarding the lack / inadequacy of documentation, you can consider it as a single systemic vulnerability (this way it will not greatly increase the number of risks to be treated) and consider, for the risks related to it, the application of controls A.5.1.1 Policies for information security and A.5.1.2 Review of the policies for information security.

    Finally, the controls defined in the Risk Treatment, as well as those identified as implemented in the Risk Assessment, must be identified as applicable in the SoA. Additionally, some controls can be marked in the SoA as applicable even though they were not identified in risk treatment - in this case the reason for selection could be, e.g., “good practice”.

    These articles will provide you further explanation about risk assessment and treatment:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment and treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Confidentiality level


    Answer: Companies generally define 4 confidentiality levels: Confidential (the most confidential information of all), Restricted (medium level), Internal (the lowest level), and Public (anyone can see it, from inside or outside the company). Therefore, if all employees (and only the employees of the organization) can see the document, you could set the level "Internal"; or if only some employees (project manager, department heads, etc.) can see it, you could set the level "Restricted"; or if only specific roles (for example, only top management) can see the document, you could set the level "Confidential". You may find this article interesting, “Information classification according to ISO 27001”: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Identification of applicable controls


    Answer: ISO 27001 does not have a set of basic controls; rather, they have to be selected through a risk assessment process, and to identify the controls required for an organization you must verify its Statement of Applicability (SoA) and the results of its risk assessment. These documents will provide you information about how the organization perceives its risks and how they are going to treat them (since each organization is unique in its context and risk appetite, they will have different approaches to the same risks, and you should take that into consideration).

    This article will provide you further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    As for the general requirements of ISO 27001, this article will provide you documents and records that are mandatory and some common adopted practices:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    These materials will also help you regarding audits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Surveillance audit

    Waiting for the response, please.
  • ISO 9001 or ISO 13485


    Answer: I would say you have to identify first for what purpose this organization needs a certificate – if your clients prefer ISO 9001 over ISO 13485, then you should go for ISO 9001, and vice versa.

    This article will provide you further explanation about ISO 9001 implementation benefits:
    - Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
  • The GDPR “right to be forgotten”


    Answer:

    The right to be forgotten is not an absolute right that the data subject has in relation to its data. A controller does not need to comply with such a request if the processing is:
    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research;
    - for legal claims.

    So, as you can see, if there is a legal obligation set forth under Member State law, then you need to keep the data even if the data subject requests for the data to be deleted.

    For more information about data subject rights you can check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Deciding on what to check


    Answer:

    As you can imagine, there is no explicit requirement in ISO 9001:2015 to support those auditor demands. I do not know the particular requirements that your customers demand about the painting job; in the past I worked with a company that had to ensure a certain thickness of the paint layer over a metal. The requirement was not on the paint characteristics but on the result, on the thickness. For that, they used an instrument to measure the thickness. If there is no customer requirement, and if in your risk assessment you saw no problems with the viscosity of the paint, there is no requirement to do what the auditor is asking.

    The following material will provide you information about product release:

    - ISO 9001 – ISO 9001: Requirements for the release of the product or service - https://advisera.com/9001academy/blog/2017/03/28/iso-9001-requirements-for-the-release-of-the-product-or-service/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Documenting the context


    Answer:

    There is no mandatory requirement from ISO 9001:2015 to keep documented information about the context of an organization. It is up to each organization to decide whether they will document it and how. For example, it can be a meeting minute where a SWOT matrix was created and analyzed. About legal requirements, your organization can keep a database of all the legal requirements that apply to your own organization. Your organization should know the legal requirements in order to be able to commit to meeting them.

    The following material will provide you information about the context of an organization:

    - ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Handling non-conformities


    Answer: According to ISO 27001, clause 10.1 b) 2), the causes of nonconformities shall be determined in order to evaluate the need for action to eliminate them and prevent the recurrence of nonconformities, or their occurrence elsewhere. Considering that, since the outsourced services are affecting your ISMS, a root cause analysis must be performed.

    This article will provide you further explanation about handling nonconformities:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These materials will also help you regarding handling nonconformities:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/