ISO 27001 clauses to be considered in an HR department audit are mainly related to sections 7.2 (competence), 7.3 (awareness), and 7.4 (communication).
Broadly speaking, you should verify how the organization has identified and ensured that the necessary information security competence is available, how employees are aware of the importance of protecting information and how they can contribute, and how their needs for communication are identified and ensured.
ISO 27001 Certified ISMS Foundation (CISF) qualification
For information about the use of the CISF credential you need to contact IBITGQ (International Board for IT Governance Qualifications).
ISO 14001 on a construction site
Answer:
An environmental management system is used, among other things, to manage environmental aspects. Environmental aspects are mostly related to construction sites and all construction sites are different. Considering that, some typical issues can be:
Landscape change;
Dust generation;
Waste generation;
Water pollution;
Vegetation removal;
Environmental noise;
Waterborne suspended substances;
Destruction of the habitat of endangered species;
Resource deterioration;
Energy consumption on site;
Raw materials consumption;
Generation of inert waste;
Site hygiene.
The following material will provide you with information about the assessment of environmental interactions:
Perhaps you can point me to some cyber resilience book. BCM, information security and cyber resilience go hand in hand.
I'm not a technical professional, so any plain English guide will suit me just fine.
Answer: Cyber resilience depends on ensuring the management and delivery of IT services, so books about ITIL and ISO 20000, the ISO standard for the management of IT services, can be useful for your purposes.
ISO 22301 & ISO 27001 are also framed as per the Annex SL framework. ISO 45001, ISO 27001 and ISO 22301 are "risk-based" standards.
In view of this, would it be possible to additionally include ISO 22301 & ISO 27001 under the "IMS"?
Answer: Certainly. Since all these standards are structured according to Annex SL, all their common requirements can be integrated in a single framework. As for the "risk-based" aspect of the standards, you can consider developing them according to ISO 31000, the ISO standard for risk management.
Answer: There is no standard or default Recovery Time Objective (RTO) that can be attributed to an application, because the RTO value is based on the results of a Business Impact Analysis (BIA), which is unique to each organization's context. The RTO can be defined by the person responsible for the application, considering the inputs of interested parties impacted by a disruption of the application's operation (e.g., customers, regulators, etc.), and it is approved by top management.
The key to integrating the business processes and QMS processes, as mentioned in the article, is to first identify what the business needs are (a SWOT analysis is recommended), from which you can then create your quality objectives to support your business needs.
Once these quality objectives are created they can be integrated into your business processes, so that the processes you use to run your business link to your overall business objectives. For instance, if you have a quality objective for improving on-time delivery, you can then have objectives and measurables for the relevant business process to meet, to ensure this on-time delivery is improved.
For more information, see this article on writing quality objectives: https://advisera.com/9100academy/knowledgebase/how-to-define-quality-objectives-in-as9100/
Risk Assessment, Risk Treatment, and Data Protection Impact Assessment templates
Our priority at the moment is complying with GDPR (for obvious reasons) and ensuring data protection, in particular in our cloud-based solution. We will of course ensure data protection in other business areas also, but our main focus at the moment is within our solution. In relation to this, I have been looking into the ISO 27018 standard for controls, and I see that the controls in this standard are very similar to the requirements from our customers and also to GDPR.
As a risk manager I am trying to figure out an effective way to perform risk assessments in accordance with information security (ISO 27001) and personal data protection (ISO 27018). Do you have any advice on how I should structure this? At which end should I start? I have started several times, but I feel as though the structure in my Excel sheet is not good when I try to combine this. Should I have a separate file for personal data protection (privacy risks) and information security risks, or could these be combined in some way?
Could you provide a simple example of how you would structure the different risk assessments? Particularly risk assessing a cloud solution for personal data protection. Is this something I can find advice on in the ISO 27018 standard? Or in ISO 27017? We have not purchased any of these standards yet, but we are considering it.
Hope you can assist me with my doubts around this.
Answer: You should go for separate files for information security risks and privacy risks. In fact, in the EU GDPR & ISO 27001 Integrated Documentation Toolkit you bought you have the following templates that can help you:
- Risk Assessment and Risk Treatment Methodology, located at folder 7 - Risk Assessment and Risk Treatment
- Data Protection Impact Assessment Methodology, located at folder 8 - Data Protection Impact Assessment
Also included in the toolkit, you have access to a video tutorial that will guide you on how to fill in the risk assessment and risk treatment methodology.
Regarding ISO 27017 and ISO 27018, they do not provide guidance on the risk assessment process, only on the implementation of security controls related to cloud environments and privacy, respectively.
If you want to develop a checklist to audit top management, you should start with the purpose of the audit: Is it to check conformity? Is it to check effectiveness? Let us suppose that it is to check conformity. Then, you should collect the audit criteria (quality policy, quality objectives, procedures, ISO 9001 and any other external documentation that sets rules for the organization, for example legislation).
Now is the time to develop the checklist:
Read the audit criteria, and ask yourself: Is this true? Are we doing this? Be suspicious, be cynical and underline all topics that mess with you and your curiosity. Then, for each topic start to list questions that you want to ask (where and to whom), things that you want to observe being done (where and when), things that you want to verify (where).
Now it is just a matter of organizing all those questions, observations and verifications to be done along an itinerary for your audit (when in one place you do everything there, to avoid coming to a place, walking away and then coming back again).
The following material will provide you with information about checklists: