
  • ISO 20000 and ISO 27001 integration


    Answer: Being ISO management standards, ISO 20000 and ISO 27001 have many similarities that make it easier to integrate them (and these similarities will become clearer after the release of the new version of ISO 20000, which may be in the next two years - currently the revision is halfway through the process - https://www.iso.org/standard/70636.html).

    Considering the current standard, I advise you to start by documenting the common procedures and records (e.g., internal audit and management review), considering the requirements of both standards, and after that go for the specificities of each standard.

    These articles will provide you with further explanation about integrating management systems:
    - How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/

    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding integrating management systems:
    - How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
    - ISO 27001 vs. ISO 20000 matrix https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-20000-matrix
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • Failed change


    Answer:
    A change ticket should have a final result. That could be that the change was, e.g., rejected or implemented. In line with that, if a change has failed, keep the next attempt in the same ticket. The next attempt belongs to the same change, anyway.
    And, don't forget to use the number of failed changes as one of the KPIs of the change management process.
    To learn more about measuring the efficiency of the change management process, read the article:
    "How to measure Change Management efficiency according to ITIL" https://advisera.com/20000academy/blog/2016/10/11/how-to-measure-change-management-efficiency-according-to-itil/
  • Advisera services


    Answer: We can offer you many lines of assistance with the planning regarding ISO 27001:
    - Through our Learning Center (https://advisera.com/27001academy/what-is-iso-27001) and Free Download area (https://advisera.com/27001academy/free-downloads) you can access for free our articles, white papers and webinars, which cover many topics related to planning
    - Through our Expert Advice Community you can ask specific questions to our experts and get an answer in one business day
    - By buying one of our Implementation Toolkits (https://advisera.com/27001academy/pricing), besides the templates, you can schedule meetings with one of our experts to talk about difficulties or doubts you are facing, as well as submit documents for review (the number of meetings and documents for review will vary according to the toolkit you buy)
    - You can attend our online courses (https://advisera.com/training/) to obtain knowledge about specific topics like internal audit.
  • Professional certifications

    Each one of these certifications has a different target group and purpose, so there is no specific order in which to pursue them (and there is no need to pursue all of them):
    - CISA (Certified Information Systems Auditor) aims for those who audit, control, monitor and assess an organization’s information technology and business systems.
    - CISM (Certified Information Security Manager) is suitable for individuals who design, build and manage enterprise information security programs (e.g., information security managers).
    - CRISC (Certified in Risk and Information Systems Control) is for IT professionals that seek a career as liaison between IT risk management and enterprise risk management.
    - CGEIT (Certified in the Governance of Enterprise IT) is the best option for professionals who work on enterprise IT governance.

    For more information, please consult this link: https://www.isaca.org/CERTIFICATION/Pages/default.aspx
  • Sales audit


    Answer: The following are general steps you should go through for an internal audit, with comments regarding specificities of the sales process:
    - Know the processes: perform a documentation review of the ISMS and sales processes so you can become acquainted with them and identify early whether there are nonconformities or opportunities for improvement in the documentation regarding the standard
    - Prepare a checklist: while performing the documentation review, create a list of things you should look for during the process audit. For example, if the documentation mentions a certain policy or record, create items in your checklist to look for that record and to ask people about their understanding of the mentioned policy. Another critical source is the Statement of Applicability (SoA) and the Risk Treatment Plan. You should look at them to identify which risks and controls are implemented for the sales procedure, and use this information to verify whether the controls are implemented properly.
    - Take notes (a lot of them): do not trust only your memory (you certainly will forget something), so take notes of the people you talk to, the records you saw and the situations you observed. All this will help you write your audit report.
    - Write nonconformities that will help: once identified, you should make sure a nonconformity is written in a way people from the sales department can understand, or else it will become only another source of problems. So be sure your nonconformity statement includes the situation that was observed, the reference to the procedure, standard clause or any other requirement that was not fulfilled, and the evidence you used to confirm the nonconformity (e.g., the absence of a record, a review minute, etc.).

    Regarding specifically the sales department, you should consider the security of customers' information and the fulfilment of contractual clauses.

    This article will provide you with further explanation about internal audit:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Control table and risk assessment and treatment


    Answer: I'm assuming that by control table you are referring to a data structure that directs a program's flow according to the values and relations it contains. Considering that, in a risk assessment you should identify risks that could compromise the information in the control table, which could lead the program to flow in an unexpected or unauthorized manner. Examples are unverified changes, malicious code, etc.

    In the risk treatment you should consider options to minimize such risks, like including data input and data output validation, adoption of a formal change process, etc.

    This article will provide you with further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 17021 Control of Documented Information

    Even though the CB is not ISO 9001 certified, are there any similar requirements under ISO 17021:2015 or any other standard that CBs should comply with?

    Answer:

    The standard ISO/IEC 17021-1 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements defines requirements for document and record control for certification bodies. These requirements look more like the ISO 9001:2008 requirements for document and record control than the requirements of ISO 9001:2015. The requirements of clause 7.5.2 a) from ISO 9001:2015 have analogous requirements in clause 10.2.3 e) of ISO 17021-1, which says that documents should be "legible and readily identifiable", and this practically means that the same requirements for identification of documents exist in both ISO 9001 and ISO 17021-1.
  • Objectivity vs Impartiality


    Answer:

    Objectivity is sticking to the facts, being guided by the evidence and considering that an event will be closer to the truth the more supporting evidence it has. This is important when gathering evidence during the audit.

    Meanwhile, impartiality is not taking sides, giving up making value judgments and treating as equivalent different versions of an event, believing the truth is in the middle. This is important when making decisions based on the evidence you've acquired during the audit. For example, if you are conducting the audit and making the report or conclusions based on evidence in a way that purposely benefits or mitigates the responsibility of certain people for certain audit findings (e.g., nonconformities).

    For more information, see: ISO 9001 internal auditor training: Is it for me? https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • ISO27002 Clause 12.1.1

    Or does the topic mean something else of documents for IT positions?

    Answer: The control A.12.1.1 (Documented operating procedures) is related to documentation of operational activities like computer start-up and close-down, backup, equipment maintenance, media handling, etc.

    To identify which documents related to an IT Systems Engineer role you should document, you need to verify in the IT Systems Engineer job description which of the activities performed are related to information processing and communication facilities and, considering the results of the risk assessment, legal requirements, decisions of top management and operational needs, which procedures should be documented.

    Some examples of documents related to this control are "Backup policy", "IT operational procedures", "Network management", and "Systems monitoring".

    These articles will provide you with further explanation about writing policies and procedures:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    These materials will also help you regarding writing policies and procedures:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/