Answer: In principle, any process and/or organizational unit can be excluded from the ISMS scope, but sometimes the effort to implement such segregation is not worthwhile (e.g., the organization is too small, or the process/organizational unit has many relations with elements included in the scope), so your organization should evaluate this situation first before deciding whether or not to include purchasing in the scope.
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
GDPR implementation process in a non-EU country
Answer: Your company needs to be compliant with the GDPR only if it collects personal data from citizens of the European Union; if you do not collect such information, then you do not have to be compliant. This principle is valid regardless of whether your company is based in the EU or outside of it.
No. Since each organization has unique requirements for information security and risk tolerance, and a threat may be handled by different sets of controls, it is not feasible to build such a mapping considering all possible alternatives. To build a map that considers your organization's requirements, you should perform a risk assessment.
Answer: In terms of mandatory documentation, ISO 27001 requires two types of policies:
- The Information Security Policy referred to in clause 5.2 (Policy)
- Information security policies related to controls from ISO 27001 Annex A, if there are risks that would require their implementation (e.g., the Access control policy required by control A.9.1.1)
For more information about ISO 27001 mandatory documentation, please see this article: List of mandatory documents required by ISO 27001 (2013 revision).
These materials will also help you regarding information security policies:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Nonconformity identification
Answer: To support your assumption that there is no correct segregation of tasks or of environments, you have to identify a policy or procedure which defines the rules for access control, and then evaluate whether the situation is compliant or not with the established rules.
If the situation is not compliant with the established rules, you can declare a nonconformity.
If there is no policy or procedure available, you should look at the risk assessment results and applicable legal requirements (e.g., laws and contractual clauses), and then evaluate whether the situation is compliant or not with them. If the situation is not compliant with the risk assessment results or legal requirements, you can declare a nonconformity.
In a management system one can consider three kinds of action:
• Correction;
• Corrective action; and
• Preventive action.
Correction is about dealing with a nonconformity. The purpose is to eliminate the nonconformity. For example, rework a defective part.
Corrective action is about eliminating the cause of a particular nonconformity. For example, why is the part defective? Because our temperature control system during production is not working properly. A corrective action can improve the temperature control system and eliminate that kind of defect.
Preventive action is about eliminating the cause of a potential nonconformity. For example, what kind of actions should the company develop to reduce the monthly frequency of defective parts?
Thank you very much for that great explanation. It helped me a lot.
Monitoring and measuring as inputs to the management review
Answer:
Your organization has determined what to monitor and measure (clause 9.1.1) and has analyzed and evaluated the results of monitoring and measurement (clause 9.1.3). Management should review these and decide whether anything needs to change about what is monitored and measured: is what is monitored and measured adequate, or should it be changed? Also, considering the results of monitoring and measurement, management should review trends and decide whether performance needs to be improved.
Answer:
Since you have IT service delivery experience, I would suggest considering two streams for further capability development:
1. ISO - ISO 20000 is the ISO standard for IT service management. With an ITIL Foundation certificate, there is only a small delta you need to cover to gain the ISO 20000 Foundation certificate. Afterwards, e.g., an Internal Auditor course and certificate.
2. ITIL - there are various trainings (and certifications) in ITIL that will give you detailed knowledge in, e.g., the delivery of IT services. So, check the content and decide your educational path.
Answer: ISO 27001:2013 clause 6.1.3 requires the retention of documented information about the information security risk treatment process, and if your organization does not have the risk owners' written approval of the information security risk treatment plan and acceptance of the residual information security risks, this would be a major nonconformity, because it is a failure to comply with a requirement of the standard.
Regarding an OFI (Opportunity For Improvement), this is not a nonconformity, but an issue raised by the auditor that requires an evaluation by the organization, because in the auditor's opinion it could lead to a nonconformity in the future. In this case, after the evaluation, an organization can decide to do nothing or to implement an action plan to handle the situation. An OFI can lead to a nonconformity if:
- no evaluation is performed by the organization until the next audit
- the organization decided to implement an action plan but has not completed it within the deadline