Answer: There is no specific answer for this question, because each organization has a unique context (e.g., competitors, customers, legal requirements, risk appetite, etc.) that will define its security objectives, and, from those, which risks should be monitored through indicators. For example, for an Internet-based business, a security objective may be system uptime, and a risk indicator could be the number of discovered zero-day vulnerabilities that can result in infrastructure downtime.
Version vs. Revision and Documentation Control
My answer:
Generally, a Version is a variation of a previous or original document: normally a major change. Revision is used for minor changes.
A change in the revision level of a procedure implies a minor change, for example a change in someone's title (HR manager to personnel director if the organization has the same person carrying out the same function in the procedure).
A change in the version level occurs if the function moves to a completely different department where the emphasis may be different.
For version control, it is necessary to ensure that there is a revision level (number or letter) for each document. Each time the document is revised, the letter or number must advance by one unit.
However, it depends on the system that is implemented, as long as it is used consistently and everyone in the organization understands the system.
2) We keep the documentation in electronic copy. It caught my attention that the auditor from the certification body questioned that the documentation carried the name of the person holding the position that approves and reviews it. It allows the style of whoever validated it to be verified in case the individual changes. That it should only carry the position. Later, as a result of a complaint, I requested the complaint procedure from the certification company. And... surprise... a digital copy with the name of the individual who approved, who reviewed and who prepared it.... Finally, in a digital copy, does the individual's name go on it or not?
My answer:
Documents and records must contain titles, a document number, or something that indicates their identity. As long as the different pieces of documented information can be distinguished from one another, and it is known which document or record identifies which matter, then this requirement is met.
These materials will also help you regarding the ISO 9001 standard:
- Book "Gestión de Documentación ISO: una guía en un lenguaje sencillo" (Spanish edition of Managing ISO Documentation: A Plain English Guide): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
- Free online training "Curso de fundamentos de la norma ISO 9001:2015" (ISO 9001:2015 Foundations Course, in Spanish): https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (online tool for ISO 9001): https://advisera.com/conformio/
Filling documentation
We're advised to finish the security audit by this Oct 1st, otherwise it will become more difficult (new items will be added).
1 - Do you think we can finish the documentation in a week?
Answer: No, it is not possible to finish the whole documentation for ISO 27001 in a week because: (1) you will have to write at least a dozen documents (for a smaller company), up to about 50 documents for a mid-sized company, (2) each document needs to be agreed, reviewed and approved by a couple of people, and most importantly (3) it will take a while before your employees start changing their activities according to these new rules.
2 - What is the most time-consuming part of doing a security audit?
Answer: The most time-consuming part is the audit of implemented practices, because you have to walk around the company and talk to employees, check the computers and other equipment, observe physical security, among other things. To help you go through this as quickly as possible, it is crucial to have a checklist of the things you have to check.
Can there be a single choice between ISO 22301 and ISO 27001 for technology companies? Or which one takes priority and should be implemented first?
Answer: The choice between ISO 22301 and ISO 27001, or which one to implement first, will depend on the organization's context and its objectives, so there is no definitive answer for this question.
If your scope is just supporting your business processes, you might get more by focusing on implementing ISO 22301.
If your scope handles just digital products, and information technology processes are the core of your organization, then implementing ISO 27001 would be a better choice.
Regarding the conflicts between concepts, the first thing would be for the sponsors to try to reach an agreement on a common version that would satisfy both sets of requirements. If this is not possible, then the situation should be taken to top management for evaluation of what would be the best decision (e.g., to decide on a single concept to be used, or to accept the additional administrative effort that such a difference will bring). But considering the current versions of ISO management standards released after 2012, the integration of concepts shouldn't be hard to achieve.
Answer: ISO 27001 certification is not equal to PCI, so being ISO 27001 compliant does not make your organization automatically compliant with PCI DSS, although ISO 27001 practices can contribute to achieving PCI compliance. That said, your organization will have to go through all the steps required for PCI certification, but your ISO 27001 certified ISMS will for sure reduce the required effort.
Answer:
The standard does not require the manual, but if you decide to write it, you can write it in any way that you find most suitable for your company. Writing the manual so that it follows the clauses of the standard is one of the most common approaches. For more information, see: Writing a short Quality Manual https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
These materials will also help you regarding the manual and documentation:
- Book Managing ISO Documentation: A Plain English Guide /books/managing-iso-documentation-plain-english-guide/
- Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/
Writing Environmental Manual for ISO 14001:2015
Please could you send me a draft of a quality manual and a sample of procedures.. many thanks to you.
Answer:
The standard does not require the manual, but if you decide to write it, you can write it in any way that you find most suitable for your company. Writing the manual so that it follows the clauses of the standard is one of the most common approaches. For more information, see: What is an environmental management system manual? https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/
1. We are in the middle of some changes in company personnel distribution and work organization. This is affecting the quality procedures and documentation, which is not being done the way our quality policy requires. The next external audit is in a few months. The question is: Can the external audit be postponed for a few months so we have time to change the quality procedures to meet our new work organization policy?
Yes, you can postpone the certification audit, but you need to contact the certification body and talk with them. Keep in mind that there is a possibility that you won't have a certificate until the certification audit is conducted.
2. Based on the first question: Will the external audit require the documentation that hasn't been done correctly as a result of the new work organization, or will the audit accept the new documentation?
The auditors will examine only the documents that are part of your Quality Management System at the moment of the certification audit; they won't examine the documents that are still not a part of your QMS documentation.
3. What is the required number of internal audits in a company of 275 workers, or is this number in the hands of the company quality manager?
The standard does not define the number of internal audits that need to be conducted, but the usual practice is to cover the entire scope of the QMS within a one-year period. How many audits will be needed depends on the capacity of the company: if you have several auditors you can cover the entire scope of the QMS in one day, and if you have only one auditor you will need several days or several internal audits.
4. What are the requirements to become company's quality manager? Does ISO 9001 define this?
6. What if we don't pass the external audit because of faulty documentation? What are the consequences, and what is the procedure to get back on track with quality certification?
In case your documentation is not compliant with the standard, the certification auditor will issue nonconformities and will define a deadline for your organization to remove these nonconformities. Once the nonconformities are removed, the certification body will issue your organization the certificate. For more information, see: How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/