A department that is not tracking and measuring objectives is not necessarily failing to comply with clause 9.1 of ISO 9001:2015. The standard does not mention departments; the standard promotes the process approach. If you consider the scope of your quality management system (QMS), any process belonging to the scope of your QMS, according to clause 4.4.1 c), must have performance indicators and targets and must be monitored. So, if a process is not tracking and measuring objectives, it is not complying with clause 9.1.
The following material will provide you information about the process approach:
Answer: You can save up to 75% in terms of time and effort to implement ISO 22301 when compared to your previous ISO 27001 implementation, because these standards have a lot of requirements in common (e.g., control of documents, internal audit, management review, etc.).
2 - Also I’ve seen that ISO 22301:2012 will be replaced (https://www.iso.org/standard/50038.html) with ‘ISO/NP 22301’ and we were wondering how much will change.
Answer: ISO/NP 22301 is in its early stage of development, so there is not much information about what will be changed until its final version, but for now we can expect the inclusion of the concept of resilience, which is far more embracing than business continuity to ensure business survival. The following article will provide you more information:
- Organizational Resilience – Positioning Against ISO 22301-Based Business Continuity https://advisera.com/27001academy/blog/2017/11/08/organizational-resilience-positioning-against-iso-22301-based-business-continuity/
GDPR compliance for possible new start up business
how much will a short consultation be with you?
GDPR Article 27
Answer:
There is no such document in the Toolkit because setting up a company to act as your representative in the EU is subject to national Member State law.
The same applies if you want to have a representation/mandate contract with an existing company established in the EU; the contract will be subject to the rigours of the Member State law.
Lead implementer exam
The foundation course is very, very short and I will take the exam next week.
After that I would like to attend a classroom course for the Lead Implementer certification.
1 - The question is: if I read your book, am I able to pass the Lead Implementer exam without attending the course? I am a Security Architect, CISSP, CASP and Security+ certified with more than 5 years of security experience.
Answer: Our book provides you a good basis for the implementation process, but it is not possible to take a Lead Implementer exam without attending the Lead Implementer course (a rule followed by accredited providers, the ones that can issue world-wide recognized certifications).
2 - If not, do you advise any other book?
Answer: The material provided by accredited Lead Implementer courses is designed to be sufficient to take the exam, so there is no need for additional material.
3 - Do you also advise me to attend the Internal Auditor course first? I am not happy at all that the book exists only in electronic format. I am trying to print it somewhere.
Answer: Regarding our book, unfortunately we do not have a printed version at this time, but you can read the eBook on your computer, smartphone or tablet.
About the course, the internal auditor course is not needed for the Lead implementer course, but it might be useful if you intend to perform internal audits for your clients.
I am not sure if I should be defining in terms of HOW LIKELY each supplier may be to let us down in some way, or THE IMPACT of a supplier letting us down.
For example, FIRE: the likelihood of our fire alarm supplier letting us down is very low, as they are a reputable supplier who do regular maintenance visits, but the IMPACT should a fire destroy our office would be very HIGH.
Similarly, with the firewall provider, the likelihood of an issue is low but the impact would be very high. Which way do I need to look at each supplier in order to define risk?
Answer: The definition of risk is a combination of likelihood and probability, so you must consider both aspects in your risk assessment.
Since you stated you are using the scale low-medium-high, the possible combinations for likelihood vs. impact are low-low, high-high, low-high and high-low.
Considering these combinations, you may define that for a low-low result the risk is acceptable and do nothing. For the high-high combination the risk is unacceptable and security controls must be defined and implemented. As for the low-high and high-low combinations, you should check them on a case-by-case basis, considering the identified impact, to make a decision whether or not to treat the risk.
Answer: You can have both plans in a single document. In fact, because both systems, when based on ISO 27001 and ISO 22301, have a lot of common requirements, it is best to use a single document to coordinate the implementation.
Answer: You should consider for your ISMS all employees that have access to the information you want your ISMS to protect, so if all of your employees that work remotely in different states have access to this information, then all of them must be considered within the boundaries of your ISMS.
Answer: The point here is to explain feelings and perceptions. If the persons involved in the analysis do not reach a consensus about the impact value for a specific situation, but they agree that the situation is significant enough to be taken into account together with situations for which they can determine the value, then you may have a situation where a non-financial impact is greater than any financial impact they found related to the other situations considered.
For example, in a plane crash situation, the value of the airplane can be determined, but what about the value of human lives? Someone may argue that he has a formula to calculate the value of a life, but the value may be questioned by relatives (whose feelings may not be measurable) or employers (who may argue about the potential deliveries the professional would have made for the company), making it impossible to reach a consensus; but all of them would agree at a certain point that the value of a life is high.