Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Management Review inputs and monitoring and measurement
Answer:
According to the process approach, your QMS is a set of interrelated processes. Every process has indicators or some other methods of measuring and monitoring performance. The Management Review Meeting (MRM) is a good place to do two things with those methods. First, are they relevant? Do you still consider them to be good choices to monitor and measure performance? Do you see better choices? Second, what about the performance level according to those indicators and other methods? Should your company update the targets for performance? Should your company develop improvement actions?
The following material will provide you information about monitoring and measurement:
* Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/ 001academy/blog/2014/04/15/monitoring-measurement-basis-evidence-based-decisions/
* How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
* How to define Key Performance Indicators for a QMS based on ISO 9001- https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
* free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
* book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
CAB and ITIL implementation
Answer:
Yes, roll-out should involve CAB definition and implementation.
Here is the article about CAB that can help you: "Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
Process for project roll-out is shown in this diagram "ITIL Implementation diagram" https://info.advisera.com/20000academy/free-download/itil-implementation-diagram -
Applicability of control A.14.1.3
Answer: Financial information is only one kind of information that may require the application of control A.14.1.3 (Protecting application services transactions). Other examples of information that may require protection in application service transactions are health information and information the organization classified as sensitive.
So, even if your organization don't have online financial transaction you may have other types of sensitive information processed by your web applications that may require the application of control A.14.1.3. You should consult your inventory of assets, the information classification policy and which information are processed on your web applications to verify if control A.14.1.3 is applicable.
This article will provide you further explanation about securing applications:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/ -
Asset owner and risk owner
(What is the difference between the asset owner and the risk owner?)
Answer: The asset owner is the person responsible for protecting and managing an asset in your company, while the risk owner is a person designated to solve a risk. Although these are different roles, they can be performed by the same person in a small organizations, but you should note that designating these roles to the same person becomes increasingly complex as the quantity of assets and risks under his responsibility increases.
This article will provide you further explanation about asset owner and risk owner:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
These materials will also help you regarding asset owner and risk owner:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Information labelling
Answer: This statement is only a recommendation. ISO 27001 control A.8.2.2 (Labeling of information) does not define any form of labeling, only that a labeling procedure must be defined and implemented (if the control is considered applicable). How to label information is an organization's decision. In cases where the implementation of labeling is not feasible, or it will require much effort or resources, an organization can define that labeling will not be applicable.
This article will provide you further explanation about informat ion handling:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ -
Cyber Security Policy
Answer: To ensure a better alignment between Information security and cyber security practices it is better to consider the Cyber Security Policy as a section of your Information Security Policy. Regarding which points you should consider, a good reference is the ISO 27032 standard, which provides guidelines for cyber security. In terms of policies you should consider the following topics:
- Guidelines to be followed when you are an information providing organization and when you are an information receiving organization
- Classification and categorization of information
- Information minimization
- Limited audience
- Coordination protocol
These articles will provide you further explanation about cyber security and ISO 27001:
- What is cybersecurity and how can ISO 27001 help? https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/
- ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
These materials will also help you regarding cyber security and ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- 9 Steps to Cybersecurity: The Manager’s Information Security Strategy Manual https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Scope definition
Answer: In principle any process and/or organizational unit can be excluded from the ISMS scope, but sometimes the effort to implement such segregation is not worthy (e.g., the organization is too small or the process/organizational unit has many relations with elements included in the scope), so your organization should evaluate this situation first before deciding to include or not the purchasing in the scope.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://adv isera.com/books/secure-simple-a-small-business-guide-toimplementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
GDPR implementation process in a non-EU country
Answer: Your company needs to be compliant with the GDPR only if it collects personal data from citizens of European Union; if you do not collect such information, then you do not have to be compliant. This principle is valid no matter whether your company is based in EU or outside of it.
You can see the process in this EU GDPR Implementation Diagram: https://advisera.com/eugdpracademy/free-downloads/
Also, the whole process is described in details in the GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/