Answer: According to the ISO 9000 philosophy, a procedure is a specific way to carry out a process, so there is not much difference with respect to procedures, and you could use the article you mention to implement processes.
Would we have a scope of the entire organisation, but exclude physical management and operation of the Helpdesk/Monitoring system and ensure some sort of ISO compliance from the Datacenter provider? I assume we would then write a policy for our staff's access to the Datacenter/Helpdesk and Monitoring systems and have defined roles?
Answer: I'm assuming that by excluding physical management and operation of the Helpdesk/Monitoring system you are referring to focusing only on using the Helpdesk/Monitoring system (like Software as a Service - SaaS).
Considering that, for the relation with the datacenter provider you should consider a service agreement, establishing clauses to ensure it will apply the security controls you require for your business (e.g., based on ISO 27001 and ISO 27017). These clauses should cover not only the policy for your staff to access the Datacenter/Helpdesk and Monitoring system and necessary roles, but also refer to other controls, like your right to audit the provider operation and receive periodic performance reports.
Answer: We provide documentation toolkits to support implementation of ISO 27001, and included in the toolkit you can schedule meetings with one of our experts so he can help you overcome potential difficulties. Additionally, you can send filled documents for review, and we will answer with orientations on how to improve them so they can become ISO compliant.
3- And, is there any common knowledge on the cost?
Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employee's effort and time
- The certification process
Answer: I'm assuming you are referring to the ISO 27001 Lead Auditor certification. Considering that, a certified lead auditor can audit a company to verify if it is ISO 27001 compliant, but only audits performed by auditors in the name of certification bodies are considered valid as a formal recognition that an organization is ISO compliant.
Answer: In a general way, the benefits of ISO 27001 are related to:
- Enhanced competitive edge
- Reduction of losses due to security incidents
- Reduction of fines due to legal or contractual non-conformity
- Improvement of internal organization
Answer: I'm assuming you are referring to ISAE 3402, an assurance standard. Considering that, you must first evaluate your needs regarding compliance with legal requirements (e.g., laws, regulations and contracts). If you need to comply with multiple legal requirements, then ISO 27001 has a more comprehensive approach (it requires you to identify, evaluate and treat all requirements that can impact your organization in terms of information security, while ISAE 3402 focuses on documenting that an organization has adequate internal controls, generally approached from a financial perspective).
Answer: It is perfectly possible to combine ISO 27001 and ISO 9001 internal audit processes, since both standards have a lot of requirements in common (the requirements for internal audit in both standards are practically the same).
2. Is it mandatory for the author of the security policies and procedures to have appropriate training? Shall he/she be a certified internal auditor?
Answer: ISO 27001 requires that people with roles in ISO 27001 must have proper competencies, which can be fulfilled by means of training, education or experience, so it is not mandatory for the author of security policies to have related training if he can demonstrate by other means (e.g., experience) that he has the necessary competence to elaborate the policies. The same applies to the need for a certified internal auditor.
3. Where shall I document the applicable legislation for the company?
Support contracts - are they required for ISO 27001?
Answer: ISO 27001 says that you have to assess how important that support is for the security of your data - if you conclude that this support really is important, then you should renew the contracts to be compliant with ISO 27001. This is done through the process of risk assessment.
These materials will also help you regarding your suppliers:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Develop a traceability system
Answer:
Start from the end. Imagine that you have a finished product in the warehouse, or that you receive a complaint about a service provided. What kind of information is requested by legislation, by your customers, or by your own organization? Go backwards step by step and determine what kind of information you want to record and easily access. Stop where you want or need to; for example, some organizations only keep traceability after a certain operation. In the first case, with the finished product in the warehouse with a particular lot number, perhaps you want to see:
- Who controlled the quality of the finished product, and when
- Who manufactured the product, when, and with what machines/team/line
- Who recorded the process control verifications, and when
- What raw materials and subassemblies were used
- Who manufactured those subassemblies
- Who controlled the raw materials used, and when
- Who supplied the raw materials, and when
This is just an example.
The following material will provide you with information about traceability:
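As an added illustration of the backward walk described in the answer above (example code written for this page, not part of the original answer or any Advisera material): each lot record keeps who/when/where it was made, the checks performed on it, and the input lots it consumed, so a query from a finished lot number returns the whole chain down to the raw-material suppliers. All lot ids, names, dates and suppliers are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Lot:
    lot_id: str
    kind: str                       # "finished", "subassembly" or "raw"
    made_by: str = ""               # who manufactured (or supplied) the lot
    made_on: str = ""               # when (constructed ISO dates)
    line: str = ""                  # machine / team / line used
    inputs: list = field(default_factory=list)  # lot ids consumed by this lot
    checks: list = field(default_factory=list)  # (who, when, what) records


def trace_back(lots: dict, lot_id: str, depth: int = 0, seen=None) -> list:
    """Walk backwards from a lot to every lot it was made from.
    Returns (depth, Lot) pairs in depth-first order; `seen` guards against
    cyclic or duplicated references in badly kept records."""
    seen = set() if seen is None else seen
    if lot_id in seen or lot_id not in lots:
        return []
    seen.add(lot_id)
    lot = lots[lot_id]
    chain = [(depth, lot)]
    for inp in lot.inputs:
        chain.extend(trace_back(lots, inp, depth + 1, seen))
    return chain


def suppliers_of(lots: dict, lot_id: str) -> list:
    """Raw-material suppliers behind a finished lot (sorted, de-duplicated)."""
    return sorted({l.made_by for _, l in trace_back(lots, lot_id) if l.kind == "raw"})


# Constructed sample records: one finished lot, one subassembly, two raw materials.
LOTS = {
    "FP-1001": Lot("FP-1001", "finished", "Ana", "2024-03-04", "Line 2",
                   inputs=["SA-77", "RM-301"],
                   checks=[("Luis", "2024-03-04", "final inspection"),
                           ("Ana", "2024-03-04", "process control")]),
    "SA-77": Lot("SA-77", "subassembly", "Pedro", "2024-03-01", "Cell A",
                 inputs=["RM-210"], checks=[("Marta", "2024-03-01", "process control")]),
    "RM-301": Lot("RM-301", "raw", "Supplier X", "2024-02-20",
                  checks=[("Marta", "2024-02-21", "incoming inspection")]),
    "RM-210": Lot("RM-210", "raw", "Supplier Y", "2024-02-18",
                  checks=[("Marta", "2024-02-19", "incoming inspection")]),
}

if __name__ == "__main__":
    for depth, lot in trace_back(LOTS, "FP-1001"):
        print("  " * depth + f"{lot.lot_id} ({lot.kind}) by {lot.made_by} on {lot.made_on}")
        for who, when, what in lot.checks:
            print("  " * depth + f"    check: {what} by {who} on {when}")
```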
The main changes come in the first paragraphs of the standard, which comprise the main transition points: defining the context of the organization and understanding your interested parties and their needs. Many other requirements are largely similar, with some new operational requirements added for product safety and prevention of counterfeit parts. It can be helpful to do a gap analysis as well (we have a simple one here: https://advisera.com/9100academy/as9100-gap-analysis-tool/)
For a lot more detail on the transition process see this whitepaper: https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d