Answer: Information classification is a security control you implement after the risk assessment, so you do not classify information and perform risk assessment, but by means of the risk assessment you identify the need to classify information, generally because you have types of information that require different types of security controls.
Answer: Yes. Since 2012 all released ISO management systems have the same structure, which makes integration easier. Regarding other frameworks, they have many similarities with ISO standards, being only a question of mapping the correlations between them.
(In which document of the ISO 27001 package can I locate the information security guidelines for business continuity? (ISO 27002:2013, Chapter 17))
Answer: The templates which cover the information security aspects in business continuity are located in folder 08 Annex A, subfolder A.17 Business Continuity.
In the List of documents file that comes with your toolkit you have information about which template covers which standard's clause and where they are located.
Becoming an environmental auditor
Answer:
The main question is whether you want to become an internal environmental auditor or an external environmental auditor. If you want to become an internal auditor, you need to have competences that include knowing the standard and the auditing techniques. This can be achieved by attending an internal auditor course, and they are usually not very demanding. Here you can take a look at our free ISO 14001:2015 Internal Auditor Course: https://advisera.com/training/iso-14001-internal-auditor-course/
If you want to become a lead auditor, the person who will conduct audits for the third party (i.e., the certification body), you need to get a Lead Auditor certificate and also meet other requirements of the organization that hires you, such as proper education, experience, etc.
1 - Can we scope the ISO certification to one (1) business unit only or do we have to implement processes, procedures and measures throughout the whole organization?
Answer: Yes, you can define the scope of ISO certification to a single business unit.
2 - Can we scope the Information Assets on which we want to apply the processes, procedures and measures to comply to ISO?
Answer: If I understood your question correctly, you are asking if you can include specific information assets in the ISMS scope. Considering that, the answer is yes: besides specific departments and processes that will be part of the scope, you can also state specific assets as part of your ISMS scope.
3 - Do you only give advice through the consultancy hours and e-mails on the compiling of the document, or also on questions regarding the implementing of ISO?
Answer: We can also provide answers about your doubts regarding the implementation of ISO 27001 as well as other ISO standards related to our other Academies (e.g., 9001Academy and 14001Academy). You can post questions on our Expert Advice Community, or as comments in our articles, any time and as many times as you want, and we will provide an answer as soon as possible (within a business day).
After conducting initial risk assessment and deciding on the pre-treatment scores, does a control have to be in place for a period of time before it can be measured in order to establish the post-treatment score and therefore the residual risk? Otherwise, what is the process for going from risk assessment to risk treatment in a single paperwork exercise? It seems quite arbitrary to look at a risk and score it pre and post treatment in the same risk assessment session; or is this the nature of
Integrated Management System
I received this question:
The company where I work has to re-certify in mid-May 2018 for ISO 9001 and 14001:2015. For the audit, I would present an integrated management system, that is, I would put together a sort of quality and environmental management manual, even though it is not a requirement for this standard. In that manual I would place all the requirements of the two standards that are common to both and develop them, and where applicable, I would put a link to the procedures or work instructions that I have been using, so as not to forget any requirement and to make sure they are all there. I have my MS on an intranet in wiki format, that is, the programming language is Wikipedia's. Does that seem practical to you? I would like your opinion. Thank you very much in advance and regards.
My answer:
Writing a manual is, as you rightly say, not a mandatory document but a good practice. This manual will need to describe the Integrated Management System, the processes and their interrelations, as well as the documentation related to the system. Keep in mind that the purpose of an IMS is to further optimize processes and avoid duplication. However, the fact that it is an integrated system does not mean that less attention should be paid to auditing the individual systems. The system must comply with the requirements of each of the standards, in order to maintain a high degree of credibility and effectiveness.
Regarding the second question, there is no specific rule for the documentation; as long as the different documented information can be differentiated, knowing which document or record addresses which particular matter, then it meets the requirements of the standard.
For more information, you can see the following articles:
- "How to integrate ISO 14001 and ISO 9001" (in English): https://advisera.com/14001academy/blog/og/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/#
- "Integrating ISO 9001 and ISO 14001" (in English): ://advisera.com/9001academy/blog/2013/11/19/integrating-iso-9001-iso-14001/?icn=free-blog-9001&ici=top-integrating-iso-9001-and-iso-14001-txt
These materials will also help you regarding the integration of management systems:
- Book "Gestión de documentación ISO: una guía en un lenguaje sencillo" (ISO documentation management: a plain-language guide): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
- Free online training: ISO 14001 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-14001/
- Conformio (online tool for ISO 9001 and ISO 14001): https://advisera.com/conformio/