Search results


  • Certification scope


    Answer:

    I understand that you are asking if your organization should certify the remaining 8 branches that are not yet certified. The scope of implementation is not a technical decision, it is a business decision based on your business objectives:
    - If the certificate is required by some of your customers, then those customers probably defined what the scope should be
    - Sometimes it is not possible to exclude some of the departments/locations/organizational units from the scope because they are too crucial a part of the process
    - Sometimes it is desirable to exclude some of the departments/locations/organizational units because they are not important for e.g. QMS.

    Once your organization decides this, then you can go and make an arrangement with the certification body about the scope of certification. The main concern of the certification body is the avoidance of misleading information.

    The following material will provide you information about correction, corrective and preventive actions:
    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Continual improvement vs step change improvement

    Both sound like they have the same meaning.

    Answer:

    Continuous improvement, or Kaizen, is a method for identifying opportunities for streamlining work and reducing waste. The practice was formalized by the popularity of Lean / Agile / Kaizen in manufacturing and business, and it is now being used by thousands of companies all over the world to identify savings opportunities.

    Continuous Improvement is an evolutionary process. But extraordinary threats and opportunities require a revolutionary, targeted response. When an organization needs to act quickly to ramp up production, reduce costs, or meet other extraordinary changes or goals is where step change improvement comes into action. Step change improvement is a significant change in policy or attitude, especially one that results in an improvement or increase.
  • How to become GDPR expert

    Sure, our DPO course will include the certification exam.
  • Mapping of risks to ISO 27001 controls


    Answer: Once you have identified the risk, you should first look at the control section objectives to find the ones that are most likely to treat the risk (some risks may be treated by controls from different sections). Once you find the section, you should look into the control descriptions to find which ones are most adequate.

    For example, for the risk "loss of a notebook", you can identify the following section objectives, and respective controls:
    - Objective from section A.6.2 (Mobile devices and teleworking): To ensure the security of teleworking and use of mobile devices. Applicable control: Mobile device policy (A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.)
    - Objective from section A.11.2 (Equipment): To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. Applicable controls: Security of equipment and assets off-premises (Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.) and Unattended user equipment (Users shall ensure that unattended equipment has appropriate protection.)

    This material will provide you further explanation about matching risks to controls:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
  • Scope definition

    Regarding the video tutorials, please check the "Repository" at the top left corner of your screen in Conformio. From there you can find the subfolder "Video Tutorials". Consult this screenshot as a reference: https://www.screencast.com/t/T5rLxMgc3UJz

    Since your scope is limited to IT, you should include in the scope only the IT personnel, but it is important that you state in your scope who is responsible for the information security regarding employees that have access to IT systems and resources in each branch (e.g., someone in headquarters or the head of each branch). To see more information about this issue, please read the section Interfaces and dependencies from the article "How to define the ISMS scope" (https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/) that was also included in the previous post.

    You can exclude elements from the scope (e.g. fax or printers) only if they are not related to the information your ISMS is proposed to protect. For example, fax machines or printers located in branches that cannot be used to send or print information related to the systems in your ISMS scope can be excluded from the scope.
  • IT risk identification


    Answer: According to ISO 27001, you must establish a risk assessment methodology, which involves:
    1) Defining how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
    2) Defining how to identify the risk owners
    3) Defining criteria for assessing consequences and assessing the likelihood of the risk
    4) Defining how the risk will be calculated
    5) Defining criteria for accepting risks

    For risk identification, the most common approach is the identification of assets and threats and vulnerabilities related to them.
    These articles will provide you further explanation about risk assessment:

    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Design, validation versus verification


    Answer:

    Verification is a sort of final control: you are going to check the output of the design project against the inputs for the project (performance requirements, legal and statutory requirements, for example).

    Validation is a field control: you are going to test if the output of the design project works in the customer environment. The output can comply with all specifications and yet not win the favor of the customers. For example, after developing a product to use in a certain context, during validation one realizes that customers can use it in another context where it will fail to deliver the promised performance.

    The following material will provide you information about the design system:

    - ISO 9001 – ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Risk Assessment


    Answer: To put together a risk management process which includes criteria for Risk Appetite, including for IT related risks, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit contains the following documents: Risk Assessment and Risk Treatment Methodology, Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. In the template Risk Assessment and Risk Treatment Methodology you can define the criteria for Risk Appetite you will use to perform the risk assessment and treatment with support of the other templates.

    This article will provide you further explanation about Risk Appetite:
    - Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/