Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11269 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

Risk assessment

Answer:

There is no requirement in the standard to update the risk assessment on a periodic basis. Nevertheless, a company can decide to update the risk assessment based on the calendar. Another possibility is to update the risk assessment based on nonconformities occurrence (see clause 10.2.1 e)) or after reviewing information about internal and external issues (see clause 4.1), or about interested parties (see clause 4.2).

The following material will provide you information about risk assessment:

- ISO 9001 – How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
- ISO 9001:2015 Risk Management Toolkit https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online tr aining ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Defining the scope of IATF 16949 based QMS

Answer:

Supporting functions, whether onsite or remote ( such as design centres, corporate headquarters, and distribution centres) should be included in the Quality Management System. you need to include all of them if they are part of your company. Auditing just a corporate headquarters won't provide evidence that you company is fully compliant with the standard, all processes and functions need to be audited.

For more inf ormation, see: How to define scope of the QMS according to IATF 16949:2016 https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/
CIA
First of all, you should note that threats in ISO 27005 catalogue are only examples. They are not mandatory, and probably your organization will have some threats that won't be there (you have to identify them by performing the risk assessment process).

That said, to identify if a threat is related to confidentiality, integrity or availability, you have to analyse how the threat will work over an asset. For example, a malicious software can either allow an unauthorized person the access an information in a database (compromising confidentiality), change it (compromising integrity), or destroy it (compromising availability). This will depend on how the malicious software work.

In case of embezzlement, it is, by definition, a financial fraud (a fraudulent conversion of the property of another person by the person who has lawful possession of the property). Basically this threat is related to the information related to the ownership of a property, then it can be r elated to compromise of information integrity, since in many times involves falsification of records in order to conceal the activity.
BCP presentation

Answer: I suggest you to take a look at this free to download presentation: Why ISO 27001 – Awareness presentation, that you can find at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

Yo can use the general framework and adapt to your needs. For example, you can change the following information:
- "what ISO 27001 is all about" to "what ISO 22301 is all about"
- "why is it good for the company – and also for themselves" to "why BCPs are good for the company – and also for themselves"
- "what is their role in handling information security" to "what is their role in BCP"
Then you can finish presenting the BCP.

Additionally, I suggest you to watch this free webinar ISO 22301: Resum en del proceso de implementación de GCN https://advisera.com/27001academy/es/webinar/iso-22301-an-overview-of-bcm-implementation-process-free-webinar/ - maybe you can use some items from here.
Scope definition

Have you written a blog post that could help me and I’m sure others understand the boundaries of an ISMS scope.

Answer: The first thing you need to identify for the scope's limits is to understand the organization's purpose for its ISMS and the requirements this ISMS has to fulfill. Once you know that you can identify how each department you mentioned is related to this purpose and requirements and then you can define the scope limits.

Examples of limits for the scope related to Finance and HR may be:
- Financial reports deemed for regulatory bodies (e.g., as required by SOX)
- Employees' and customer's medical records (e.g., as required by HIPAA)

For IT departments, the scope could be limited to information systems used by Financial and HR departments.

These articles will provide you fu rther explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Risk assessment on Conformio

Answer: Conformio does not have a separate module for risk management, however if you go for the Startup Plan, you will get the ISO 27001 Documentation Toolkit which will enable to you to perform the risk assessment and treatment using the Word and Excel files.

Among other templates, this toolkit contains the following documents: Risk Assessment and Risk Treatment Methodology, Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. They can help you cover ISO 2700 1 requirements regarding risk management.

These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Meaning of information to ISO 27001
ISO 27002 corrigendum related to change of control objective A.8.1.1 in ISO 27001 does not add any clarification regarding the meaning of information. It only makes texts adjustments regarding the change of control objective. To see this related corrigendum, please access this ISO page: https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:cor:1:v1:en
In fact, ISO 27001 series do not define the meaning of information, allowing organizations to use the definition considered more appropriate to their context. So, my recommendation to you is that your organization document a definition for information that is adequate to its context and implement its controls according this definition.
ISO 27017, ISO 27018 and ISO 27001

Answer: ISO 27017 and ISO 27108 only provide recommendations and guidelines to the implementation of controls of ISO 27001 Annex A, so their application is not mandatory for an organization to be compliant with ISO 27001.

These articles will provide you further explanation about ISO 27017 and ISO 27018:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

Regarding if you can skip cloud elements until the implementation of ISO 27001, you can only do that if there is no cloud-related elements on your ISMS scope.

These articles will provide you fur ther explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
ISO 27001 assessment

Answer: For a simple ISO 27001 assessment you can use our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

This gap analysis tool is a simple question-and-answer checklist that will help you identify which specific elements of ISO 27001 you’ve already implemented, and what you still need to do.
Mapa de procesos
El enfoque basado en procesos es uno de los principios más relevantes en ISO 14001, y el mapa de procesos forma parte de ello. Un buen mapa de procesos debe de contener todos los procesos dentro de la organización clasificado por tipo y orden de ejecución, lo cual proporcionará con una visión general de todo el sistema de gestión.

La responsabilidad ambiental es el principio más importante de un SGA, así que el mapa de procesos puede ser empleado para demostrar el control del impacto ambiental de los productos, servicios u operaciones de la organización.

Para más información, vea ".Cómo crear un mapa de procesos en ISO 9001": https://info.advisera.com/9001academy/free-download/how-to-create-an-iso-9001-process-flowchart

Estos materiales le ayudarán también con respecto a la implementación de ISO 14001:

- Libro “Preparación para el proyecto de implementación ISO: una guía en un lenguaje sencillo”: https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Curso gratuito en línea: “Curso de fundamentos ISO 14001”: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Conformio (herramienta en línea para ISO 14001): https://advisera.com/conformio/

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +

Search results

11269 results

Create New Topic As guest or Sign in

Assign topic to the user

Want to vote?

Risk assessment

Defining the scope of IATF 16949 based QMS

CIA

BCP presentation

Scope definition

Risk assessment on Conformio

Meaning of information to ISO 27001

ISO 27017, ISO 27018 and ISO 27001

ISO 27001 assessment

Mapa de procesos

Didn’t find an answer?