
  • Staff needed to implement ISO 27001

    I received the following question: "The company I currently work for has around 150 users with company-assigned computers and smartphones; in addition, we have around 300 people with only a smartphone, used to access a web platform. My question is whether a single person can successfully carry out the whole procedure to reach ISO, and what your advice would be for the first steps to take." Answer: One person could develop/maintain the documentation needed for the project, but you need to obtain the support of the organization's top management for the implementation/certification. Also, everyone involved in the scope of the ISMS has to follow the procedures and policies defined for the ISMS. If you need more information about the steps to follow for the project, please see this article: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ I also recommend our book "Seguro y Simple" (Secure & Simple): https://advisera.com/books/seguro-simple-una-guia-para-la-pequena-empresa-para-la-implementacion-de-la-iso-27001-con-medios-propios/
  • Document numbering/coding system


    Answer:

    A document numbering/coding system is more relevant for documents like procedures, work instructions and forms. I cannot say that I use a best practice; I use a simple method: the management system is based on a map of interrelated processes, so each process is numbered (1, 2, 3, …). Any procedure (PR), work instruction (WI), or form (F) starts with a number identifying the process where it is used or most used, followed by a sequence number. WI02.02.A is the second work instruction created for use in process 2; A means it is in version A.

    The following material will provide you with information about corrective actions:

    ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/
    book - Discover ISO 9001:2015 Through Practical Examples -
    https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Documents to be produced

    Should be GDPR......
  • Number of root causes


    Answer:

    As a general rule, an auditor, external or internal, should not impose a number of root causes for each NC identified during an audit.

    The following material will provide you with information about corrective actions:

    ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
    How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Lead Auditor career


    Answer: After passing the exam you will need to gain audit experience through performing audits for a certification body (this is in fact the most complicated part of the process). At first you start by participating as an observer, and after some audit hours you will participate more actively in the audit (as an audit team member, so you can gain understanding and experience in practical audits). After sufficient auditing hours, and good evaluations from your team leader, you can achieve the status of auditor and, after that, lead auditor.

    Regarding the validity of the lead auditor certificate, you can extend the validity only by attending another course.

    These articles will provide you with further explanation about becoming an ISO 27001 lead auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Cybersecurity Framework or ISO 27001


    Answer: First of all you should consider your needs:
    - If you need quick wins to handle risks promptly and demonstrate the value of security, then you should start with the Cybersecurity Framework, since it is better when it comes to structuring the areas of security to be implemented and to defining exactly the security profiles to be achieved.
    - If you have to ensure the implementation will be well integrated with other aspects and areas of your organization, and you have time to plan and implement, then you should go first for ISO 27001, since it can provide a holistic picture for the design of the security system and how it can be managed in the long run.
    - The Cybersecurity Framework is a legal issue in the United States - if you are a government agency from that country, you will need to implement it.

    If your choice is to go first for the Cybersecurity Framework, it is possible to integrate the implemented controls into the future implementation of ISO 27001, so you will not lose time and effort.

    These articles will provide you with further explanation about the Cybersecurity Framework and ISO 27001:
    - Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
    - How to implement the NIST Cyber Security Framework using ISO 27001 https://info.advisera.com/27001academy/free-download/how-to-implement-nist-cyber-security-framework-using-iso-27001
  • Risk management in projects


    Which of the template documents would refer to that in the best way?

    Answer: I recommend you use the following templates:
    - Risk Assessment and Risk Treatment Methodology
    - Appendix 1 Risk Assessment Table
    - Appendix 2 Risk Treatment Table

    All of them are located in the folder 05 Risk Assessment and Risk Treatment Methodology in your toolkit. Managing risks in a project is similar to managing risks in an organization; the difference is that a project has a defined duration and a smaller scope (the project scope).

    This article will provide you with further explanation about risk management in projects:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
  • Question about course

    Answer: An ISMS scope can be defined in terms of processes (referring to products or services delivered to the clients) and/or the information to be protected, and the locations. In the presented question, Offices London & Edinburgh are only examples (names of other cities or places could have been used).

    This article will provide you with further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Requirements for additional certifications


    Answer: The need for compliance with ISAE 3402, or with any other standard at all, when an organization already has ISO 27001 and is compliant with the EU GDPR (currently there are no certification mechanisms available pursuant to EU GDPR Article 42 requirements - https://advisera.com/eugdpracademy/gdpr/certification/), may arise because of specific laws, contracts, agreements or other legal requirements demanding them.

    Although ISO standards are recognized worldwide, and the EU GDPR is mandatory on EU territory, there may be situations in specific countries that require compliance with other standards. The positive thing is that ISO standards are comprehensive enough to help fulfil some of these requirements, minimizing the compliance cost and effort.
  • Templates available


    Answer: We provide templates for all mandatory requirements for implementing an ISMS according to ISO 27001, and for the most commonly used policies and procedures. They can be bought individually or as part of specific toolkits. To take a look at our toolkits, please see this link: https://advisera.com/27001academy/product-tour/

    This article will provide you with further explanation about ISO 27001 mandatory documentation:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/