Search results

  • Documents to be produced.

    Even if you are a SaaS provider you will be a processor in terms of processing personal data that belongs to controllers using your software, but I am pretty sure you have processing activities for which you act as controller, for example managing your staff (HR administration). So, my advice is to consider all documents, since it is highly unlikely that you are only a processor.
  • Scope definition (virtual company)

    How should I specify location in the ISMS Scope document?

    Answer: In terms of certification you can state as location (company's headquarters) the home address of the founder / CEO of the company or the address of the office where the people accountable for the company can be found (you should ask the certification body what their preference would be in such a situation). You can present this address as the company's address, and all other locations can be considered remote locations and can be audited accordingly.
  • Certification for a specific issue

    (I would like to know if it is possible to certify a company in ISO 27001 or ISO 20000 in a specific area or on a specific subject.)

    I work with IT governance, but I am part of a DB and BI infrastructure leadership team. My immediate manager asked me to look into an ISO certification aimed at databases. I did not find one specific to databases. Would it be possible to narrow the scope to a DB knowledge area, given that these certifications generally cover the whole organization or a department?

    Answer: The scope of an ISO 27001 or ISO 20000 certification can be defined in terms of processes and locations (additionally, the scope of ISO 27001 can be defined in terms of information to be protected). So, both certifications are applicable to a database, but depending on your purposes the better option may vary:

    - If you want to ensure proper operation and management of the database you should look for ISO 20000 certification
    - If you want to ensure the protection of the data stored and processed by the database, then you should look for ISO 27001 certification

    You can also consider both certifications. ISO 27001 and ISO 20000 have a similar framework that allows you to integrate the common requirements, so you can take advantage of both certifications.

    These articles will provide you further explanation about ISO 27001 and ISO 20000:
    - What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
    - What is ISO 20000? https://advisera.com/20000academy/what-is-iso-20000/
    - How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/

    These materials will also help you regarding ISO 27001 and ISO 20000:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/20000academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
  • People needed to implement ISO 27001

    I have received the following question: "The company I currently work for has around 150 users with computers and smartphones assigned by the company; in addition, we have around 300 people with only a smartphone to access a web platform. My question is whether a single person can successfully carry out the whole procedure to reach the ISO certification, and what your advice would be for the first steps to take."

    Answer: One person could develop/maintain the documentation needed for the project, but you need to obtain the support of the organization's top management for the implementation/certification. In addition, all the people included in the scope of the ISMS have to follow the procedures and policies defined for the ISMS.

    If you need more information about the steps to follow for the project, please see this article: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    I also recommend our book "Seguro y Simple": https://advisera.com/books/seguro-simple-una-guia-para-la-pequena-empresa-para-la-implementacion-de-la-iso-27001-con-medios-propios/
  • Document numbering/coding system

    Answer: A document numbering/coding system is more relevant for documents like procedures, work instructions and forms. I cannot say that I use a best practice; I use a simple method: the management system is based on a map of interrelated processes. So, each process is numbered (1, 2, 3, …). Any procedure (PR), work instruction (WI), or form (F) starts with a number identifying the process where it is used or most used, followed by a sequence number. WI02.02.A is the second work instruction created for use in process 2. A means it is in version A.

    The following material will provide you information about corrective actions:

    ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Documents to be produced

    Should be GDPR......
  • Number of root causes

    Answer: As a general rule an auditor, external or internal, should not impose a number of root causes for each NC identified during an audit.

    The following material will provide you information about corrective actions:

    ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
    How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Lead Auditor career

    Answer: After passing the exam you will need to gain audit experience through performing audits for a certification body (this in fact is the most complicated part of the process). At first you start by participating as an observer, and after some audit hours you will participate more actively in the audit (as an audit team member, so you can gain understanding and experience in practical audits). After sufficient auditing hours, and good evaluations from your team leader, you can achieve the status of auditor and after that lead auditor.

    Regarding the validity of the lead auditor certificate, you can extend the validity only by attending another course.

    These articles will provide you further explanation about becoming an ISO 27001 lead auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Cybersecurity Framework or ISO 27001

    Answer: First of all you should consider your needs:
    - If you need quick wins to handle risks promptly and demonstrate the value of security, then you should start with the Cybersecurity Framework, since it is better when it comes to structuring the areas of security that are to be implemented and when it comes to defining exactly the security profiles that are to be achieved.
    - If you have to ensure the implementation will be well integrated with other aspects and areas of your organization, and you have time to plan and implement, then you should go first for ISO 27001, since it can provide a holistic picture for the design of the security system and how it can be managed in the long run.
    - The Cyber Security Framework is a legal issue in the United States - if you are a government agency from that country, you will need to implement it.

    If your choice is to go first for Cybersecurity Framework, it is possible to integrate the implemented controls to the future implementation of ISO 27001, so you will not lose time and effort.

    These articles will provide you further explanation about Cybersecurity Framework and ISO 27001:
    - Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
    - How to implement the NIST Cyber Security Framework using ISO 27001 https://info.advisera.com/27001academy/free-download/how-to-implement-nist-cyber-security-framework-using-iso-27001
  • Risk management in projects

    Which of the template documents would refer to that in the best way?

    Answer: I recommend you to use the following templates:
    - Risk Assessment and Risk Treatment Methodology
    - Appendix 1 Risk Assessment Table
    - Appendix 2 Risk Treatment Table

    All of them are located in the folder 05 Risk Assessment and Risk Treatment Methodology in your toolkit. Managing risks in a project is similar to managing risks in an organization; the difference is that a project has a defined duration and a smaller scope (the project scope).

    This article will provide you further explanation about risk management in projects:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/