There is no requirement to establish an entire procedure; it is enough to establish criteria for selecting the internal auditors, and the criteria are knowledge of the standard and auditing techniques.
Is it only the responsibility of the management representative to select the internal auditors, or is it a management decision?
The standard does not specify who should appoint internal auditors; it can be the management representative or somebody else, whatever the organization finds most appropriate.
How should the selection be made impartial?
Of course, you cannot ensure 100% impartiality, but what the organization should avoid is a situation where an internal auditor is auditing his own work.
What if the internal audit is delayed again and again due to work? Will it be counted as a nonconformity or not?
Embedded software is computer software, written to control machines or devices that are not typically thought of as computers. It is typically specialized for the particular hardware that it runs on and has time and memory constraints.
The clause refers to organizations that are developing the software, not to the ones that are only using or embedding the software into their products, so you can consider this clause as inapplicable to your organization.
Risk assessment and information classification
Answer: Information classification is a security control you implement after the risk assessment, so you do not classify information and perform the risk assessment at once; rather, by means of the risk assessment you identify the need to classify information, generally because you have types of information that require different types of security controls.
Answer: Yes. Since 2012 all released ISO management systems have had the same structure, which makes integration easier. Regarding other frameworks, they have many similarities with ISO standards, so it is only a question of mapping the correlations between them.
In which document of the ISO 27001 package can I locate the information security guidelines for business continuity (ISO 27002:2013, Chapter 17)?
Answer: The templates which cover the information security aspects of business continuity are located in folder 08 Annex A, subfolder A.17 Business Continuity.
In the List of Documents file that comes with your toolkit you have information about which template covers which clause of the standard and where each template is located.
Becoming environmental auditor
Answer:
The main question is whether you want to become an internal environmental auditor or an external environmental auditor. If you want to become an internal auditor, you need to have competences that include knowing the standard and the auditing techniques; this can be achieved by attending an internal auditor course, and these are usually not very demanding. Here you can take a look at our free ISO 14001:2015 Internal Auditor Course: https://advisera.com/training/iso-14001-internal-auditor-course/
If you want to become a lead auditor, the person who will conduct audits for the third party (i.e. the certification body), you need to get a Lead Auditor certificate and also to meet other requirements of the organization that hires you, such as proper education, experience, etc.
1 - Can we scope the ISO certification to one (1) business unit only or do we have to implement processes, procedures and measures throughout the whole organization?
Answer: Yes, you can define the scope of ISO certification to a single business unit.
2 - Can we scope the Information Assets on which we want to apply the processes, procedures and measures to comply with ISO?
Answer: If I understood your question correctly, you are asking if you can include specific information assets in the ISMS scope. Considering that, the answer is yes: besides the specific departments and processes that will be part of the scope, you can also state specific assets as part of your ISMS scope.
3 - Do you only give advice through the consultancy hours and e-mails on compiling the documents, or also on questions regarding the implementation of ISO?
Answer: We can also provide answers to your doubts regarding the implementation of ISO 27001 as well as other ISO standards related to our other Academies (e.g. 9001Academy and 14001Academy). You can post questions on our Expert Advice Community, or as comments in our articles, any time and as many times as you want, and we will provide an answer as soon as possible (within a business day).
After conducting initial risk assessment and deciding on the pre-treatment scores, does a control have to be in place for a period of time before it can be measured in order to establish the post-treatment score and therefore the residual risk? Otherwise, what is the process for going from risk assessment to risk treatment in a single paperwork exercise? It seems quite arbitrary to look at a risk and score it pre and post treatment in the same risk assessment session; or is this the nature of