Search results


  • Templates for human resources security


    Answer: In the list of documents file that comes with the toolkit you bought, you can identify which clauses from ISO 27001 are covered by each template. There you will find out that:
    - Control A.7.1.1 (Screening) is covered by the template "Supplier Security Policy" for external personnel
    - Control A.7.1.2 (Terms and conditions of employment) is covered by the templates "Confidentiality Statement" and "Statement of Acceptance of ISMS Documents", applicable to both internal and external personnel, and "Supplier Security Policy" and "Security Clauses for Suppliers and Partners", these last two applicable to external personnel
    - Control A.7.2.2 (Information security awareness, education and training) is covered by the template "Supplier Security Policy" for external personnel, and the template "Training and awareness plan" for internal personnel
    - Control A.7.2.3 (Disciplinary process) is covered by the template "Incident Management Procedure"

    All these templates are found in:
    - folder 09 Training and Awareness Plan (Training and awareness plan)
    - folder 08 Annex A, sub-folder A.7 Human resource security (Confidentiality Statement and Statement of Acceptance of ISMS Documents)
    - folder 08 Annex A, sub-folder A.15 Supplier relationships (Supplier Security Policy and Security Clauses for Suppliers and Partners)

    Regarding control A.7.2.1 (Management responsibility), responsibilities are defined in each template when required (these responsibility definitions are identified by the expression [job title], which you have to fill in in the templates).
    Regarding control A.7.3.1 (Termination or change of employment responsibilities), compliance with this control is covered through the description in the Statement of Applicability (e.g., by the applicability of the access control policy).

    But if you have this specific need, or other doubts you want to resolve, you can schedule a meeting with one of our experts (this meeting is also included in the toolkit you bought), so he can help you with this issue. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
  • Fast implementation project


    Answer: First of all, you have to identify whether it is possible to implement and certify the management system in such a short period. Some organizations may already have other systems implemented, or a culture that can make the implementation easier, or the certification scope is small, but for others you will have to start from scratch. And in all these cases you have to count on management support in terms of money and human resources.
    What I can say to you is that if you have to start from scratch it will be very unlikely to accomplish implementation and certification in such a small period, mostly because of the quantity of documents to be developed and the time needed to perform all activities that are prescribed by the documentation.

    To get an idea of how much time you would need, I suggest you take a look at our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    Regarding time allocation, if you identify that the three-month period (twelve weeks) is enough for the implementation, this is a good estimation of the phases' duration:

    Weeks 1-2: Project planning and elaboration of basic management system documentation (e.g., ISMS scope, information security policy, procedure for documentation control, procedure for internal audit, procedure for risk assessment and treatment, etc.)
    Weeks 2-3: Carrying out the risk assessment and elaboration of the risk treatment plan
    Weeks 4-5: Elaboration of information security policies and procedures
    Weeks 5-8: Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
    Week 9: Internal audit and management review
    Weeks 10-12: Treatment of internal audit nonconformities and management review decisions

    Since this is a short period, the selection of the certification body should be performed in parallel with these activities, starting at the beginning of the project.

    This article will provide you with further explanation about ISO 27001 implementation:
    - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Developing Environmental Policy


    Answer:

    The ISO 14001 environmental policy outlines the overall intentions and direction of how the company will relate to its effect on the environment. This statement needs to come from top management, since it is a primary directive for how every individual in the company will perform their job in relation to environmental impact. This is where you display what commitments your company will make to controlling and improving the environmental impact that you make.

    In order to be compliant with the standard, the policy must be appropriate to the context of the organization, provide a framework for setting the environmental objectives, and include a commitment to protect the environment, to fulfill legal and other requirements, and to continual improvement.

    For more information, see: How to write an ISO 14001 environmental policy https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-write-an-iso-14001-environmental-policy/

    These materials will also help you regarding environmental policy:
    - Book Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
    - Conformio (online tool for ISO 14001) https://advisera.com/conformio/
  • Quality Manual for IATF 16949


    Answer:

    Requirements for the Quality Manual can be found in clause 7.5.1.1. In order to be compliant with IATF 16949, the manual must include the following:
    - scope of QMS (Quality Management System) and justification for exclusions,
    - documented procedures or reference to them,
    - organization's processes and interaction between them
    - a document or matrix that shows where within the QMS the customer-specific requirements have been met.

    This is the minimum information the Quality Manual needs to contain. If you want to find out more about the manual, see: How to write the IATF 16949 Quality Manual https://advisera.com/16949academy/blog/2017/05/31/how-to-write-the-iatf-16949-quality-manual/
  • Documented process vs procedure and product safety


    Answer:

    A documented process is just another way to require a documented procedure. It only allows you to document the process in any way you find the most suitable, whether through a flowchart, a quality plan or any other way, but the essence is the same.

    Clause 4.4.1.2, titled Product Safety, requires a documented process (procedure) for the management of product safety. This clause defines 13 normative elements that must be included in the documented product safety process. These 13 requirements include identification of product safety characteristics, inclusion of safety characteristics with approvals in design and process FMEAs, control of safety characteristics at the point of manufacture with documentation in control plans with specific reaction plans, and defined responsibilities for product safety management including the definition of an escalation process and flow of information, including top management, and customer notification. Additionally, those personnel involved in product safety related processes will have specific training.
  • Audit observation


    (Hello Dejan, I have a doubt. In a recent audit we were given the observation that we have to document a data encryption policy, which is described according to the type of information, status (in transit, in storage, moving) and according to their type of storage (servers, computer equipment, etc.), if they require the application of cryptographic controls, and reviewing the document of the policy on the use of cryptographic controls nothing comes of it. Thanks for your support.)

    Answer: By the description you gave to us, the information required by the audit can be found in the template "Information Classification Policy", which is referenced in the "Policy on the Use of Cryptographic Controls" (in section 3.1). Both documents are part of the ES ISO 27001 Documentation Toolkit you bought. You can find these templates in the following folders:
    - Information Classification Policy: folder 08 Annex A, sub-folder A.8 Asset management
    - Policy on the Use of Cryptographic Controls: folder 08 Annex A, sub-folder A.10 Cryptography

    In the Information Classification Policy template, the information about type of information, status and type of storage can be found in the table in section 3.4 - Handling classified information. E.g.: "the document must be stored in encrypted form", and "when files are exchanged..., they must be encrypted"
  • Thunderstroke?!?

    Yes, a thunderstroke is only another name by which lightning is known.
  • Including business process description and scoping in the ISO project

    Any major ISO management standard (ISO 27001, ISO 9001, ISO 14001, etc.) requires you to document the scope of the implementation; ISO standards also require you to document particular processes that are relevant - for example, ISO 27001 requires incident management to be documented. Therefore, you should define the scope and describe the relevant processes as part of your ISO implementation.

    These articles will help you:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/20/list-of-mandatory-documents-required-by-iso-90012015/
    - List of mandatory documents required by ISO 14001:2015 https://advisera.com/14001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-140012015/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    This book will also help you regarding writing the documentation:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Filling SOA for ISO 27001, 27017 and 27018


    Answer: Together with the toolkits you bought, you also have access to a video tutorial that can help you fill in the Statement of Applicability. The procedure is the same for considering the specific controls of ISO 27017 and ISO 27018.

    You can find these tutorials in Conformio, in the menu "Repository", in the folder "Video tutorials" - see what you need to click here: https://www.screencast.com/t/T5rLxMgc3UJz - these tutorials are quite useful because they will show you how to fill out the real data in the documents, which elements of the documents are mandatory and which are not, etc.
  • Certification requirements


    (What do I need so that my company can be ISO certified?)

    Answer: To earn an ISO management system certification, your organization must define, implement, operate, control and improve a management system that is compliant with the requirements of the desired standard, and go through a certification process under an accredited certification body.

    These articles will provide you with further explanation about the certification process:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    These materials will also help you regarding the certification process:
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/