Search results


  • Cloud environment and information security scope/boundaries


    Additionally, where does the responsibility and accountability fall in this type of model?

    Answer: The main concern regarding information security in cloud environments when it is provided by cloud service providers is the level of access the providers will have to the organization's information and systems, because this will have a direct impact on the controls that will have to be implemented by each party, and on the contractual clauses that will have to be included in the service agreement with the providers.

    For example, an IaaS provider will not have access to the organization's systems, only to the physical infrastructure. On the other hand, a SaaS provider will have access to systems and data. So these two scenarios will require completely different security requirements to be fulfilled.

    This article will provide you further explanation about scope considering cloud environments:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
  • Internal Audit performed using Annex A

    I'm assuming you are referring to planning specific dates to audit each control of Annex A. Considering that, there is no problem with this approach. My only suggestion to you is, if you have many controls to audit, you should consider grouping them in a way that in a single audit you can cover as many controls as possible, reducing the number of audits you have to perform. As criteria to group controls, you can consider controls related to the same process, or implemented in the same location or business unit you are going to audit.

    This article will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Lack of statement of applicability

    First of all, you should understand that if this organization is planning to be certified against ISO 27001, the lack of the statement of applicability is a major nonconformity that can prevent the certification audit from proceeding until an approved statement is available. So, if this internal audit you mentioned is related to an ISMS implementation aiming for certification, you should solve this question as soon as possible to ensure this issue will not compromise the certification audit. For more information about the Statement of Applicability, please read this article: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    Regarding internal audits, an organization can decide to proceed with the audit even with the lack of the statement. In practical terms, the lack of the statement of applicability will only make your audit work harder. You should look for the approved risk assessment report and risk treatment plan to identify which risks are to be treated and how the organization proposes to treat them. This information will not be sufficient to cover the requirements of the statement of applicability (this lack of documentation will be your first nonconformity), but you will at least have some information to audit the controls the organization has decided to implement. In case you have neither the approved risk assessment report nor the risk treatment plan, then you cannot proceed with the audit, because you will not have enough information to know which controls to audit.

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Documentation


    Answer:
    Most of the ISO standards, including ISO 20000 in section, contain requirements for documents. Additionally, you have to be careful while creating document templates and documents related to processes and procedures in order to avoid overhead.
    Our toolkit contains "Procedure for Document and Record Control" (https://advisera.com//wp-content/uploads//sites/6/2015/06/Procedure_for_Document_and_Record_Control_Premium_EN.pdf) which is used to set rules for all documents in scope of the SMS.

    In the following articles you can find a few details on how to approach the topic:
    "How to structure ISO 20000 documentation" https://advisera.com/20000academy/blog/2016/09/27/how-to-structure-iso20000-documentation/
    "Defining roles and responsibilities for ISO 20000-based IT Service Management" https://advisera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/
  • Nonconforming output and nonconformity


    Answer:

    I would like to have more context about the use of the two words. Nevertheless, I will try to give an explanation. Nonconforming output is related to the non-compliance with a specification associated with a final or intermediate product or service. Nonconformity can be used in the same context as nonconforming output or, more generally, whenever there is the non-fulfillment of a requirement of a management system. For example, a company did not perform the re-evaluation of its supplier base as scheduled.

    The following material will provide you information about nonconformities:

    - ISO 9001 – Understanding dispositions for ISO 9001 nonconforming product https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/
    - ISO 9001 – Difference between correction and corrective action https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
  • Mandatory DRP


    Need your advice on this. As I feel it's not mandatory to have a DRP.

    Answer: Although ISO 22301 clause 8.4.4 requires procedures for responding to disruptive incidents (e.g. business continuity plan(s) and recovery plan(s), including the disaster recovery plans), neither this standard nor ISO 27001 mentions "badge access request", so you need to analyse the following issues to confirm if a DRP is required for this specific process:
    - the results of the business impact analysis (can the time needed to recover minimal conditions for this process after a disruptive incident prevent the organization from achieving its objectives for recovery or continuity of the business?)
    - legal requirements applicable to the organization (e.g., are there any laws or contracts demanding this specific DRP?)
    - top management decisions specifically related to the recovery or continuity of this process (regardless of any other conditions, does top management require a DRP for this process?)

    If after verifying these issues you identify no reason to have a DRP for this process, then you can consider this DRP as not needed.

    This article will provide you further explanation about mandatory ISO 22301 documentation:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

    This material will also help you regarding mandatory ISO 22301 documentation:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Auditing clause 4.1

    Hi. May I know how to audit clause 4.1? Thanks.
  • Compliance of U.S. company dealing with B2B customers


    Answer: In order to provide a precise answer we would need some more information on the type of transactions and services provided by the US-based company as well as the purpose of collection of the personal data.

    If this information is lacking, my first choice would be to consider that the US-based company is acting as a processor, and since they are dealing with an EU-based controller there is a high chance that GDPR would be applicable for the processing activities involving EU citizens' personal data.

    See also this article: EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Risk assessment


    Answer:

    There is no requirement in the standard to update the risk assessment on a periodic basis. Nevertheless, a company can decide to update the risk assessment based on the calendar. Another possibility is to update the risk assessment based on nonconformities occurrence (see clause 10.2.1 e)) or after reviewing information about internal and external issues (see clause 4.1), or about interested parties (see clause 4.2).

    The following material will provide you information about risk assessment:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
    - ISO 9001:2015 Risk Management Toolkit https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Defining the scope of IATF 16949 based QMS


    Answer:

    Supporting functions, whether onsite or remote (such as design centres, corporate headquarters, and distribution centres) should be included in the Quality Management System. You need to include all of them if they are part of your company. Auditing just a corporate headquarters won't provide evidence that your company is fully compliant with the standard; all processes and functions need to be audited.

    For more information, see: How to define scope of the QMS according to IATF 16949:2016 https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/