
  • Quantification of environmental impacts

    I received this question: I am doing the quantification of impacts and I have the historical electricity consumption. My question is whether it is necessary at some point to specify all the electrical appliances the company owns. Should I carry out some kind of detailed inventory with, for example, smoke detectors, alarms, computers, etc.? Or is specifying the number of kW enough?

    My answer: The main reason for carrying out the identification of environmental aspects is to provide the data needed to decide which processes require monitoring and control, and which processes are the best targets for ensuring optimal results regarding your company's environmental impact. Each organization, however, must establish its own criteria for significance, based on a systematic review of its environmental aspects and of its current and potential impacts. So, if you believe that identifying each piece of equipment and its corresponding consumption will help the company determine what and where the environmental aspect needs to be controlled, then you could do it.

    For more information, see "4 steps in the identification and evaluation of environmental impacts": https://advisera.com/14001academy/es/knowledgebase/4-pasos-en-la-identificacion-y-evaluacion-de-aspectos-ambientales/

    These materials can also help you with the implementation of ISO 14001:
    - Book "Preparing for the ISO implementation project: a plain-language guide": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online training: ISO 14001 Foundations Course https://advisera.com/es/formacion/curso-fundamentos-iso-14001/
    - Conformio (online tool for ISO 14001): https://advisera.com/conformio/
  • ISMS and QMS

    I still think that implementing the ISMS without a QMS is possible (and is a better approach) and that it does not require additional workload. Besides, many organizations have done an ISMS without a QMS.

    Note: The end goal is to have the system (operations & maintenance) to have its ISMS certified after 2 years in operations.

    There is no rush to have it ISMS certified during the development stage.

    Question – Thus, I am thinking of doing these steps first, even before doing the rest of the ISMS activities:

    1 - I want to focus on the system requirements – the security requirements to design the system to be delivered to the customers. The main input for the security requirements will be the risk assessment.
    2 - Establishing the context of the risk assessment
    3 - Conduct the risk assessments, risk evaluation & risk analysis – thus the risk treatments.
    4 - Identifying all the relevant controls based on ISO 27001 Annex A/ISO 27002
    5 - Implement all the security measures and controls in the system design.
    6 - Write all the necessary security policies, procedures and guidelines in relation to the systems.
    7 - Build the system (based on the security requirements), Test and UAT, FAT and deliver.

    While doing all the activities above, the other ISMS compliance requirements will gradually be implemented and done, as we have enough time to get it certified after it is delivered.

    Answer: In fact there is no need to implement a QMS to implement an ISMS, although you can take advantage of some practices required by the ISO 9001 standard to improve ISMS performance (identifying and documenting the processes in the scope will help you understand the organizational context and perform the risk assessment). So, it may be a good idea to take a look at ISO 9001 to verify which practices you can adopt now without compromising your current deadline and resources. For more information about this, please see these materials:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

    Regarding your approach, it seems fine considering a system development project. The only points you should consider are documenting a risk assessment and treatment methodology before performing it (so everyone in the project will have the same procedure to follow), and writing the security policies, procedures and guidelines in relation to the systems before implementing the security measures and controls in the system design, because during the elaboration of these documents you can find further system adjustments to be made, and it will be easier to make the corrections before the security measures and controls are implemented. For more information, please see these materials:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

    These materials will also help you regarding implementing ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • NIST CSF, ISO 27002 and PCI

    Answer: I'm assuming that for PCI you are referring to PCI-DSS. Considering that:

    NIST Cyber Security Framework (CSF) gives you a methodology on how to implement information security or cybersecurity in an organization (in this point it is quite similar to ISO 27001, the ISO standard for information security management systems).

    ISO 27002 is a standard that provides guidelines and recommendations for the implementation of the controls listed in ISO 27001. It differs from NIST CSF in that it does not establish a system methodology, only practices to be considered when implementing individual controls.

    PCI DSS is a standard of data security for the credit card industry, providing a group of mandatory controls to be implemented by organizations that work with credit cards. Like ISO 27002 it does not define a methodology.

    These articles will provide you further explanation about CSF, ISO 27002 and PCI:
    - Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/
  • SOA content

    I wonder if it is possible to fill in SOA Applicability ''No'' for certain controls from Annex A/table A.1, in the situation where a risk is shared with the Company (e.g. HR security).

    Answer: Sharing a risk means some part of the responsibility is divided between the Division and the Company, so you cannot state these controls as not applicable, but you can include observations stating this shared situation.

    This article will provide you further explanation about SOA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Distance of recovery site

    Answer: ISO 22301 and most regulations and industry practices do not define any specific distance to recovery sites because, as you mention, many factors can affect what would be considered a "safe" distance. From our experience I suggest you start the discussion by proposing a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from there analyse your organization's context (geographic situation, available resources, required investment, etc.).

    This article will provide you further explanation about distance of recovery site:
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    This material will also help you regarding distance of recovery site:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • BCMS presentation to top management

    Answer: I suggest you take a look at this free material: Why ISO 27001 – Awareness presentation, which you can find at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

    You can use the general framework and adapt it to your needs. For example, you can change the following information:
    - “what ISO 27001 is all about” to “what ISO 22301 is all about”
    - “why is it good for the company – and also for themselves” to “why BCMS are good for the company – and also for themselves”
    - “what is their role in handling information security” to “what is their role in BCMS”

    Then you can finish presenting the BCMS proposal.

    Additionally, I suggest these materials:
    - Free webinar ISO 22301: ISO 22301: An overview of the BCM implementation process [free webinar] https://advisera.com/27001academy/es/webinar/iso-22301-an-overview-of-bcm-implementation-process-free-webinar/ – maybe you can use some items from here.
    - ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
  • How much time is needed before IATF 16949 certification

    Answer:

    Certification can happen fairly quickly once your management system is ready. Usually, the certification bodies define the time needed, and it is from three to six months after the system is implemented (the last document is approved and published). Before the certification, you will have to run the full cycle of your QMS; this includes conducting the internal audit and the management review.

    The typical certification process involves an onsite Pre-Assessment if you desire, a stage-1 Readiness Review of your system, the stage-2 Certification Audit itself, closure of any open issues, a review by the registrar, and the issuance of your certificate.
  • Audit scope

    Answer:

    There is no single correct answer. Each organization should choose the best approach according to its own experience and system. Personally, I like to plan the internal audits based on the map of processes of each organization, but one can base the internal audits on departments, on clauses of the standard, or on a mix of these approaches.

    The following material will provide you information about audit programs:
    - ISO 9001 – What is the ISO 9001 audit program, and how does it work? https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Free online training ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • GDPR compliance for accountancy business

    Answer:

    Based on the description provided, the accounting company only acts as a processor on behalf of sole traders and other limited companies.

    If we are considering sole traders, who are in fact natural persons (data subjects), the EU GDPR would be applicable, and the documents found in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ would be useful. For example, data breaches should be notified, according to their severity, to the Supervisory Authority and to the data subjects themselves (the sole traders).

    As for the limited companies, the situation might differ depending on the type of activities provided by the accounting company. If we are talking about general ledger type activities, such as tax calculations and filing tax reports, which do not involve personal data, the EU GDPR is not applicable. However, if other accounting activities, such as payroll for the limited companies' employees or calculating tax deductions for employees, are delivered, this would mean that the EU GDPR would be applicable.

    As a general remark, because the accounting company has only one employee, there may not necessarily be a need to have procedures or complex processes set up in place. For example, EU GDPR Article 30 requirements (Records of processing activities) are not compulsory for companies under 250 employees, which includes accounting companies (although it would be helpful to have them), and the Data Protection Impact Assessments will most likely not be necessary.

    Nevertheless, the only employee of the accounting company should be informed about the main GDPR provisions, especially the ones referring to personal data breaches and the use of sub-processors (if the accounting company outsources part of its activities to third parties). All relevant information can be found within the EU GDPR implementation toolkit.
