I think a complete example of the whole process of policy, objectives and indicators will make it a little easier for us to define these topics.
My answer:
Since the quality policy is focused on customer requirements, the quality objectives must be based on meeting customer satisfaction.
An example could be the following:
If the purpose set out in the quality policy is "Deliver product X to consumers when required, without defects and just in time", then the objective for the first year could be: "Improve delivery times by 90% next year", and for the second year "Reduce delivery errors by 3%".
The quality indicator for the first objective could be: "Delivery productivity", defined as "km travelled / number of deliveries", and the frequency could be set as "Monthly".
When it comes to a system, if the system has already been used, for example, for 5 years and already has a lot of records, it means that the system can adopt to any updates and changes if necessary to handle more records for more years of service. Am I right? Hmmm... or wrong?
Answer: I'm assuming in your example you meant "adapt" instead of "adopt".
Considering that, and the information in the article you've mentioned, a mature ISO system is one that can continuously improve, by means of corrective actions or by taking advantage of opportunities, and provide information to both evidence such improvements and support top management decision making in business issues (e.g. through results of key performance indicators).
Transition vs. 1st stage vs. Recertification Audit
Answer:
There is no such thing as a transition audit; the audit performed on a system that went through the transition and update to the new version of the standard is simply a certification audit and is no different from other certification audits. I assume that the certification body is using the term "transition audit" to make it clearer to its clients, but there is nothing special about this audit.
The 1st stage audit is part of the certification or recertification audit, and its purpose is to determine whether the documentation complies with the requirements of the standard and to provide input for the 2nd stage audit, also called the main audit, in which the auditors check compliance of the entire QMS with the requirements of the standard.
A recertification audit is the same as a certification audit; the only difference is that the certification audit is conducted for the first time in the organization, when the certification body and auditors are just getting familiar with the company and the QMS, while the recertification audit is conducted after the certificate has expired and the entire certification cycle starts from the beginning.
1 - Can you please explain the contents that need to be included in these documents?
Answer: To be compliant with ISO 27001, an ISMS policy must define the purpose, direction, principles and basic rules for information security management.
2 - Are ISMS objectives defined first, or is RA/RT performed first?
Answer: The top-level information security objectives are defined before the RA/RT, because they need to reflect the external and internal issues that are relevant and that can prevent the ISMS from achieving the expected results.
3 - Can organisations have the ISMS policy defined before setting ISMS objectives? Because ISMS objectives are included in the Policy, I believe the policy is defined after the objectives, and these objectives are defined after the RA/RT…
Answer: You can define information security objectives before or after you publish your top-level ISMS policy - both approaches are allowed since the objectives can be documented in a separate document.
Incorporating ISO clauses in an internal audit
The first thing is that if you have to verify compliance with ISO 27001, you need to have the standard with you. As good as a course can be, it cannot replace the letter of the standard during an audit.
Considering that, if your audit scope is primarily the development team and their general knowledge of the existing policies, then you should focus on clauses 7.2 (competence) and 7.3 (awareness), to verify whether the development team has the necessary knowledge, skills or experience to perform their activities, and whether they are aware of the importance of complying with the policies and controls and of the impact of non-compliance.
And even though you do not need to check the overall effectiveness of the whole ISMS, you have to check whether the ISMS cycle has been completed in the development process, so you have to go through all clauses from sections 4 to 10, focusing only on the development process (e.g., you have to check the risk assessment of the development process, verify whether the existing competence is capable of handling the risks identified as unacceptable, verify whether the training activities performed were effective, and verify the effectiveness of any non-conformity or corrective action handled in the process).
Although the article covers certification audit, the same concepts can be applied for internal audit.
Do we need to implement all the controls from SoA for the certification?
Answer: You can leave some of the controls for implementation after the certification under the following conditions:
1) That, before the certification, you have implemented the controls that mitigate the biggest risks - in other words, you can leave only the less important controls for after the certification.
2) That you have specified in your Risk Treatment Plan the deadlines for the controls that you will be implementing after the certification - of course, those deadlines must be after the certification date.
3) That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.
This means that the most important controls must have "implemented" status at the certification, while the less important controls can have the status "planned" or "partially implemented" at the moment of the certification.
How is the ISO 27001 Internal Auditor Course structured
Answer: For this specific topic you should watch module 6 from the ISO 27001 Internal Auditor Course, which covers a general explanation of Annex A and goes through all Annex sections, from A.5 to A.18.
On each section you will find objective questions that will help you verify if you can consider a control as implemented or what you still need to consider for implementation.
Answer: ISO 27005 (Information security risk management) considers two types of assets:
- Primary assets: business processes and activities, and the information itself
- Support and infrastructure assets: hardware, software and other elements on which the primary assets rely
Considering this, you should treat both the customer information and the database storing it as assets. This makes sense because the same information can exist in many different formats (e.g., in paper reports and in people's minds), which require completely different practices to be implemented to ensure its protection.
Answer: In fact, the best approach is to consider every information source you can access (Nessus reports, manual reviews, market trends, etc.), because each one of them fits different situations better. For example, Nessus is perfect for finding vulnerabilities that are known and whose evaluation procedures can be automated, but it is not good for scenario and context evaluation, something we humans are still best at. Market trends can help you figure out vulnerabilities that in principle may be outside your day-to-day activities.