
  • Incident management and Incident Response

    In your template at paragraph 3.4. Treating major incidents, is stated "In the case of major incidents that could disrupt activities for an unacceptable period of time, an [Incident Response Plan as part of the Business Continuity Plan] is invoked." In the note: "If such a document is not in place, describe here the procedure in the case of a major incident."
    Since the Incident Response Plan is not in the toolkit, in practice the content of your procedure is "you have to write the procedure"! This makes your template useless.
    Please provide more content for that document.

    Answer: Sorry for this inconvenience.

    To build an Incident Response Plan you should consider the following information:
    - Name, job title and contact information of personnel required to handle specific incidents (e.g., system / network administrator for IT related incidents, facilities manager for premises related incidents, etc.).
    - Which external parties should be contacted (e.g., customers, partners, media, public services / authorities, etc.), in which situation, through which communication channel (e.g., by phone, e-mail, press conference, etc.) and by whom.
    - Types of incidents that should be handled by the plan (e.g., fire, premises evacuation, service failure, etc.)
    - Details on how to treat each of the identified incidents (e.g., for fire, summon the fire brigade, start premises evacuation, call the fire department, etc.)

    These articles will provide you further explanation about incident management and response plan:
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    These materials will also help you regarding incident management and response plan:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

    If you think you still need more information, included in your toolkit you can schedule a meeting with one of our experts so he can help you build response plans that can fulfill your needs. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
    By the way, the Incident Response Plan template is included in the ISO 22301 Toolkit; you can see here what this document looks like: https://advisera.com/27001academy/documentation/incident-response-plan/
  • Exclusions


    Answer:

    If your organization does not use any equipment during services, it can state that clause 7.1.5 is not applicable.

    The following material will provide you information about exclusions:

    ISO 9001 – What is an acceptable exclusion in Clause 7 of ISO 9001? - https://advisera.com/9001academy/blog/2015/03/24/what-is-an-acceptable-exclusion-in-clause-7-of-iso-9001/
    ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Standards controls


    Answer: In the ISO 27001 series of standards there is no standard with 27 groups of controls. ISO 27017 (for cloud services security), ISO 27018 (for privacy protection), and ISO 27019 (for the energy utility industry) have additional controls that can be used with ISO 27001 Annex A controls, but they do not compose additional groups of controls.

    This article will provide you further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Scope definition

    There is no need to include the customers as an exception in the audit scope. The fact that your customers may require the results of your internal or certification audit to complete their own audits (e.g., if their auditor is auditing their supplier management process) is not a reason for you to include them in the scope of your audits, either as an exception. The proper document to ensure customers' access rights over your audit results is the contract or service agreement you signed with them.

    These articles will give you an idea on how customers may handle the audit of their suppliers according to ISO 27001:
    - How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • Major Incident questions


    Answer:
    There is no pre-defined or out-of-the-box question set to resolve major incidents. One question that needs to be set for all major incidents is: how do we prevent such an incident from repeating? The rest of the diagnosis depends on the incident itself.
    This article may help you dealing with major incidents - "Major Incident Management – when the going gets tough…" https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/
  • Questions on document management


    To establish a process means to define how the process is conducted, and what the inputs, outputs, responsibilities and resources necessary within the process are. It can be done in different ways depending on the complexity of the processes and the risks of nonconformities emerging in the process. If you have complex processes where a lot of things can go wrong, it is better to have a documented procedure that explains in detail how the process is carried out. If you have simple processes or your employees are very competent, you can define the process with just a flowchart or quality plan.

    2. Which documents exactly should be recorded or retained?

    The standard has significantly decreased the amount of documents that are mandatory; basically only the scope, quality policy and the objectives are considered mandatory documents. The focus of the new version of the standard is more on providing evidence on whether something was done in accordance with requirements than how it was done.

    For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    3. If an organization already has a number of documented procedures but with 2008 reference, how to dispose of them?

    You should follow your current procedure for document control and apply the rules for document disposal defined by this procedure. If you don't have such rules defined, I would suggest you mark the documents as obsolete and keep them as a part of the archive.

    4. How to determine the required types of mandatory or non-mandatory documents & records based on different types of industries?

    The mandatory documents will be the same regardless of the type of industry; this will depend on which requirements of the standard are applicable to your organization. For example, if you exclude design and development, you don't need to have the records required by clause 8.3 design and development.

    When it comes to non-mandatory documents that will be part of your QMS, you need to make a decision on what documents should be included. Usually for more complex activities or processes you will have more documents, simply to ensure they are carried out as planned.

    These materials will also help you regarding the documentation:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • External DPO


    Answer:

    As regards the duties of the Data Protection Officer (DPO), you can find a full job description in our EU GDPR consultation toolkit https://advisera.com/eugdpracademy/consultants/ . Among the responsibilities of a DPO I could mention:
    - providing and maintaining the necessary documentation to demonstrate compliance with the GDPR;
    - monitoring compliance with the GDPR and relevant local laws and regulations;
    - ensuring that training and awareness is available and delivered to all members of staff involved in the processing of personal data; etc.

    The role of the DPO in light of the General Data Protection Regulation is also described at: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/. You might find it useful to go through the Article 29 Working Party Guidelines on Data Protection Officers as well as Art. 39 of the EU GDPR "Tasks of the data protection officer".

    Regarding what is to be expected from an external DPO, he or she should be performing the same tasks mentioned above; there should be no material differences between an internal and an external DPO. A key point to have in mind is that regardless of whether the DPO is an employee or an external consultant, he/she must report directly to the organization's management, must be guaranteed a degree of independence and must not be required to take instructions regarding the exercise of his/her functions.

    What the external DPO would expect from you is a question that I cannot answer, since it is dependent on the mandate given to him/her.
  • KPI for QMS MR


    Answer:

    If I had to design KPIs for a Quality Management System Representative, I would start from the end: the purpose, the reason for its existence. What does your organization want from the QMS MR? One important outcome should be to get and maintain certification. Another can be the quality and timing of information about the QMS performance, and another can be about customer satisfaction, complaints and lost customers as a measure of customer promotion in the QMS.

    The following material will provide you information about the Management Representative:

    ISO 9001 – What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
    How to comply with new leadership requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/
    What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • IT policy development


    Answer: According to ISO 27001, the main issues you should consider in the development of policies and procedures are: legal requirements (e.g., laws and contracts), results of risk assessments and top management decisions (e.g., decisions based on strategic or operational plans and objectives).

    Considering your specific scenario, you should also consider a cross evaluation of the requirements related to each country involved, as well as the contracts related to cloud providers (e.g., cloud providers may have operations in additional countries that should also be evaluated).

    I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology at this link: https://advisera.com/27001academy/documentation/operating-procedures-for-information-and-communication-technology/

    This document will give you an idea on what to consider to ensure correct and secure functioning of information and communication technology.

    This article will provide you further explanation about policy development:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    These materials will also help you regarding policy development:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/