Search results


  • Performing DPIA


    Answer:

    DPIAs do not depend on the size of the company but are related only to the processing activities. If you are acting as a sole trader that performs processing activities that fall into the high-risk category, a DPIA would be needed.
  • BCMS performance indicators


    Answer: At this moment we do not have specific examples of performance metrics for a BCMS, but I suggest you take a look at this article so you can get ideas from an ISMS perspective that can be adapted to a BCMS:
    - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

    For example:
    - Percent of business initiatives supported by the ISMS may be changed to Percent of business initiatives supported by the BCMS
    - Percent of information security initiatives containing cost/benefit estimates may be changed to Percent of business continuity initiatives containing cost/benefit estimates
    - Percent of agreements with information security clauses may be changed to Percent of agreements with business continuity clauses
    - Number of security-related service downtimes may be changed to Number of service disruptions
    - Duration of service interruptions can be maintained
    - Incident resolution time may be changed to Achieved recovery time
    - Percent of controls assessment performed may be changed to Percent of BCP tests performed
    - Number of improvement initiatives can be maintained

    This material will also help you regarding BCMS metrics:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Who should implement IATF 16949

    (a) there is a requirement in the contract that you should follow this standard,
    (b) there is no mention of this, but it is cited that one should follow generally accepted practice in the industry, applicable standards, etc. (a vague reference to compliance with the applicable "rules"), and
    (c) if nothing is said at all (could this IATF standard possibly be considered as future industry practice?).

    How specific are the demands on those who will need to follow the IATF standard? May I ask for any illustration of this? Is the standard just about keeping order and staying organized in general, or are there more specific requirements that are measurable and can more easily be said to be violated?

    It would also be interesting to know if there is any supervisory body and if there are any sanctions if you do not do what is required.

    Answer:

    Implementation of the standard is not mandatory in the sense of a legal requirement, but if the customer requires it, you should implement it in order to keep the customer. The standard itself requires the organization to require either IATF 16949 or ISO 9001 from its suppliers, so ISO 9001 is the very minimum required from companies supplying IATF 16949 certified companies.

    The standard represents the set of rules and best practices in the industry and covers all processes related to the manufacturing of the product, as well as requirements for continual improvement. Most of the requirements are general because they should apply to different types of industries and different types of companies, and the requirements in most cases concern organizing and managing the processes. For more information, see: What is IATF 16949? https://advisera.com/16949academy/what-is-iatf-16949/

    There is a supervisory body, and it is called a certification body. You can hire them to audit your system and issue you a certificate to testify that you are compliant with the standard. In case nonconformities are found during the certification audit, you will get a report about the nonconformities, and once you remove the nonconformities, you will get the certificate. For more information, see: Checklist of IATF 16949:2016 implementation steps https://advisera.com/16949academy/knowledgebase/checklist-of-iatf-16949-2016-implementation-steps/
  • Lack of organizational chart as nonconformity in ISO 14001


    Answer:

    The standard has no explicit requirement for an organizational chart. Absence of an organizational chart is not a nonconformity if the organization meets the requirements for roles and responsibilities and for determining necessary competence in another way, e.g. through procedures.

    For more information, see: How to Allocate Roles and Responsibilities According to ISO 14001 https://advisera.com/14001academy/blog/2017/10/17/how-to-allocate-roles-and-responsibilities-according-to-iso-14001/

    These materials will also help you regarding roles and responsibilities:
    - Book THE ISO 14001:2015 COMPANION https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
    - Conformio (online tool for ISO 14001) https://advisera.com/conformio/
  • Quality policy, a framework for setting quality objectives


    Answer:

    You don’t have to state that sentence in the Quality Policy. You have to demonstrate that your organization is doing it.
    In the Quality Policy your organization assumes a set of compromises with customers, and regulatory and statutory requirements. If your organization shows quality objectives that are derived from those compromises it is demonstrating the sentence of the standard (clause 5.2.1 b). For example, if your organization decides to work primarily for customers who value innovative products, a quality objective may be the number of patents registered. Another example, if your organization decides to work primarily for customers who value low-price and delivery time, quality objectives may be around cost reduction, efficiency improvement, delivery time compliance rate.

    The following material will provide you information about the Quality Policy:

    - How to Write a Good Quality Policy https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • When go for ISO 27001 certification


    Answer: There is no single answer to this question, because the "right time" will depend on the maturity and culture of each organization, as well as the size and complexity of the ISMS scope. For certification purposes, an organization must have performed at least one cycle of its ISMS (from understanding the organizational context to management review and continual improvement), and an ISMS implementation process can vary from 3 to 24 months (depending on the size and complexity of the ISMS scope).

    You can use our ISO 27001/ISO 22301 Implementation Duration Calculator, which can be found at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/ to get an idea of the duration of an ISO 27001 ISMS implementation considering your organization's context.

    These materials will also help you regarding ISO 27001 certification process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Toolkit content

    I'm sorry about this confusion.

    The documents from sections A.5 and A.18 are not missing from the toolkit - you can find them here:
    - A.5 - all the documents from folder "08_Annex_A" cover the requirements about information security policies (A.5.1.1) and review of the policies (A.5.1.2)
    - A.18 - these documents are covered in the toolkit in folder "02 Procedure for identification of requirements"

    By the way, the ISO 27001 Documentation Toolkit is sold in more than 100 countries worldwide, and we have never received a complaint that some document was missing.
  • CRISC or ISO 27001 certifications


    Answer: First of all, I'm assuming that by ISO 27001 you are referring to the ISO 27001 Lead Auditor certification, so my answer will be based on this ISO 27001 certification.

    CRISC (Certified in Risk and Information Systems Control) should be considered if you want to evaluate how IT risks are managed and controlled in an organization.
    ISO 27001 Lead Auditor certification should be considered if you want to evaluate how the information security is managed and improved in an organization.

    In fact, these certifications have different purposes, but are complementary in nature, because a great deal of information security today depends on how IT risks are managed and controlled (and CRISC covers this part), and since information exists not only in IT systems, the understanding of ISO 27001 concepts and requirements can help an auditor better understand and identify problems and opportunities for improvement in overall information security.

    These articles will provide you further explanation about ISO 27001 and ISO 27001 Lead Auditor:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding ISO 27001 and ISO 27001 Lead Auditor:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Identifying a Cloud Service Provider


    "3.3. Backup information to cloud service customers
    Depending upon the cloud model adopted, the cloud service customer may be responsible for the backup process.
    For example, in an IaaS model, the cloud service provider is responsible for the backup of the infrastructure, while backup of data and systems are the cloud service customer’s responsibility"

    Answer: Cloud service providers (CSPs) are companies that offer network services, infrastructure, or business applications in the cloud. Since you offer trust services and a degree of data storage, your organization can be identified as a CSP and you should consider this situation when planning your ISO 27001 ISMS.

    This article will provide you further explanation about scope definition:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Configuration Item


    Answer:
    A Configuration Item, or CI, is a service asset that needs to be managed to deliver the service. That could be e.g. your PC, but also its hard drive, memory, processor...
    The following articles will give you more information:
    "What is the role of the Service Asset and Configuration Manager according to ITIL/ISO 20000?" https://advisera.com/20000academy/blog/2016/11/01/what-is-the-role-of-the-service-asset-and-configuration-manager-according-to-itil-iso20000/
    "Answers to 5 FAQs about the ITIL Service Asset and Configuration Management process" https://advisera.com/20000academy/blog/2016/03/29/answers-to-5-faqs-about-the-itil-service-asset-and-configuration-management-process/
    "Knowing your herd – Service Asset and Configuration Management (SACM)" https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/