Your question is very particular and I can only give general answers, because each case is different and I don’t have enough information. Nevertheless, I would say that you can eliminate those databases from your QMS intranet. After that you will still control the information about your parts and product list (name, reference, version, change control, approval, distribution, obsoletes).
The following material will provide you information about document control:
A: Business Continuity Procedures (Set of contingencies to minimize potential harm to businesses during adverse scenarios) - A.17.1.2
Would the Business Continuity Strategy and the Disaster Recovery Plan cover this, or is there a specific document I could use from Advisera for this issue?
Answer: For this draft the Disaster Recovery Plan can help you, but instead of the Business Continuity Strategy template, I suggest you take a look at the free demo of our Business Continuity Plan template at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/
This template can help you define precisely how the organization will manage incidents in the case of a disaster or other disruption of business, and how it will recover its critical activities within set deadlines.
Answer:
An organization normally has some kind of infrastructure. For example, it can be buildings, utilities, equipment, transportation, hardware, and software.
As a good practice, organizations develop maintenance plans to prevent infrastructure failures that lead to production stoppage, missed delivery dates, customer dissatisfaction, overtime, extra costs for parts and their supply, lower reliability, and decreased useful lifetime. Usually a maintenance plan includes: infrastructure identification; on which date preventive maintenance will be carried out; who is responsible for doing it (the same machine can have several types of maintenance done by different people at different times); and what kind of maintenance will be done.
The following material will provide you information about infrastructure management:
Currently there is no requirement for a formal examination to become a GDPR consultant. However, there are many trainings and tools that can help you become a consultant - for example, you can take advantage of this GDPR Consultant Toolkit: https://advisera.com/eugdpracademy/consultants/
Information classification
1. How to clearly differentiate the cases in which I label the information as vital, working standard, restricted, group restricted, confidential, strictly confidential.
Answer: First of all, regarding your initial comment, you may be confusing the terms classification and labelling.
For information security, information classification means the identification of the value of the information to the organization, and this is generally done based on the results of the risk assessment: the higher the consequences of unauthorized access or disclosure of the information, the higher the classification should be.
On the other hand, information labelling refers to how the people who handle the information can quickly identify its classification and thus handle it correctly. For labelling, you can simply include in the label the classification level defined for the information (e.g., include in the header the words "vital", "confidential", etc.), or, if you do not want identification to be so obvious, you can use a code that only internal personnel will be familiar with (for example, a colour code or number identification).
2. Who is the information owner? The head of the department who handles the information flow or the information creator (i.e., the one who writes the document)?
Answer: If the information is handled by a few people or in a centralized way, the head of the department would be a better choice to be the information owner, because he is in a better position to ensure the information is protected. On the other hand, if the information is handled by many people or in a decentralized way, the information creator, or the person handling the information, would be a better choice to be the information owner.
Answer: The justification for control selection/non-selection is mandatory by ISO 27001 (clause 6.1.3 d)).
Legal requirements
Answer: To meet this control objective, you must include not only legal requirements that are specifically related to information security, but also those that may affect or be affected by the compromise of information that the Information Security Management System is intended to protect. For example, service level agreements for a delivery service may be affected if the information delivery address is compromised.
Answer:
ITIL, as well as ISO 20000, uses the Financial Management for IT Services process (Budgeting and accounting for services in ISO 20000) to manage the financial aspects of IT services. For these activities, someone with financial experience (e.g. from controlling) would be of great help. Close cooperation with the corporate finance department is required.
Additionally, Continual Service Improvement is strongly related to finances (related to IT services) and their improvement. Improvement activities should be performed within the scope of your usual improvement activities.
My answer: Our recommendation, if the company is small, is that the participation, or the scope, be the whole company, although you can also implement the standard in specific areas of the business: IT, or Human Resources, etc. Therefore, the decision is yours, but our recommendation is for the whole business (provided that the condition that the company is small is met). I think this article may be of interest to you: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/