Search results


  • Becoming a consultant


    Answer: Yes, it is possible to get a job as an ISO 27001 consultant without a certificate, because in most countries there are no formal qualifications required to become a consultant, but you should note that, besides experience, some certifications can really improve your chances to get a job.

    This article will provide you further explanation about becoming a consultant:
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    This material will also help you regarding becoming a consultant:
    - Webinar: How to become an ISO 27001 / BS 25999-2 consultant https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
  • Annex A Controls


    Answer: An ISO standard's content is defined by technical committees that can be different for each standard. For example, for ISO 27001 the technical committee is the ISO/IEC joint technical committee JTC 1, while for ISO 22301 the technical committee is ISO/TC 292 Security and resilience. These committees work with different contexts and points of view that may result in situations like the one you mentioned, where the ISO 27001 committee decided this standard should have a set of controls attached while the ISO 22301 committee did not see a reason for such details to be attached (in fact, guidance for ISO 22301 is available in ISO 22313 - https://www.iso.org/standard/50050.html).
  • Audit of outsourced service


    Answer: For auditing an outsourced service like Office 365 you should use as reference the terms of service for the provision of the service. In these terms of service you should look for clauses referring to how the access control to the service (in this case, the email service) will be implemented and how the provider will demonstrate to the customer that the control is implemented and working properly.

    From this point you can ask for evidence of how the access control is implemented and how it is being verified and evaluated, either by the provider (e.g., by means of an internal or external audit of the provider's premises) or by the organization (e.g., through a review of audit reports sent by the provider to the person responsible for the service in your organization).

    You should also note that your company still needs to audit its own process for access control and assess whether the activities are compliant with your organization's own Access control policy.

    This article will provide you further explanation about access control policy:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This article will provide you further explanation about internal audit:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    This material will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Standard change


    Answer:
    There are (many) different kinds of changes which are considered standard changes. Usually, each one of them has a separate procedure for how to fulfill it. In order to have an efficient Standard Change Management process in place, you need to have the following:
    1. A clearly defined procedure - usually defined by the Change Manager or someone from Technical Management. This also includes triggers, i.e. how to initiate that procedure (and who is allowed to do that)
    2. Responsibilities - i.e. who is doing what
    3. A clearly communicated procedure to all relevant/involved parties

    Following article can help you with this issue:
    "Tips and tricks for using the ITIL standard change mechanism" https://advisera.com/20000academy/blog/2017/06/27/tips-and-tricks-for-using-the-itil-standard-change-mechanism/
  • Clause 4 in ISO 9001:2015 and AS9100 Rev D


    Answer:
    Much of clause 4 is new to ISO 9001 and was not present in the ISO 9001:2008 version. In particular:
    4.1 is about understanding the organisation and its context. This requires you to determine what internal and external issues affect your QMS and is new.
    4.2 is about understanding the needs and expectations of interested parties. This requires you to identify the parties interested in your QMS and what their needs and expectations are, and is also new.
    4.3 is about the scope of the QMS and while this is not new it does require you to consider the scope with the knowledge from 4.1 & 4.2; so a review of the scope is a good idea.
    4.4 is about understanding the processes in the QMS. This is very similar to the previous version with the addition of a few things such as addressing the risks and opportunities for the processes.

    While 4.1 & 4.2 do not require you to keep documented information, it is a good idea to keep your listing of issues, interested parties and their needs so that you can review it for updates as time goes on. A procedure on how you accomplish this might also be needed so that everyone understands how you intend to perform these reviews.
  • ISO 27001 personal certifications - where to start?


    Answer: There are several different ISO 27001 personal certifications available, and you have to choose what is the most appropriate for you:
    - ISO 27001 Foundations Course - this is where you learn the basics of the standard, probably the best way to start as a beginner
    - ISO 27001 Internal Auditor Course - this is for becoming the internal auditor
    - ISO 27001 Lead Auditor Course - this is for becoming the certification auditor
    - ISO 27001 Lead Implementer Course - this is for becoming a consultant or an implementer in your own company.

    These materials will help you:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - What does ISO 27001 Lead Auditor training look like? http://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • Positive significant aspects

    Recycling is the operational control for a significant environmental aspect, e.g. plastics, metal, paper waste. Therefore the recycling itself cannot be considered as a positive or any other kind of environmental aspect, since it is an operational control over some environmental aspect.

    For more information, see: 4 steps in identification and evaluation of environmental aspects https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  • CAB and ECAB members


    Answer:
    Generally, you can do that, but practically - it's not an approach I'd advise. Namely, ECAB needs rushed action and quick decisions, and does not have time to wait for a (usually - regular) meeting, long discussions (which usually happen when you have too big a group of people), brainstorming, test result analysis, etc.
    Most of these activities are, in some form, typical for the CAB (Change Advisory Board - i.e. the authorizing body for normal changes). ECAB needs a different approach, so therefore I think you need a different approach.

    These articles can help you:
    "How to manage Emergency Changes as part of ITIL Change Management" https://advisera.com/20000academy/blog/2016/01/19/how-to-manage-emergency-changes-as-part-of-itil-change-management/
    "Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
  • Residual Risk and UAT


    Answer: The residual risk does not change from the original identified risk if an organization decides not to mitigate, avoid or transfer the risk (this option is called "retain the risk"). Depending upon the organization's context, there can be many risks related to not performing User Acceptance Testing, like:
    - Functionality does not work or does not fulfil the user's requirements in the live environment.
    - The user's requirements are fulfilled but the output is not what is expected (information integrity problem) (may mean improper specification definition)

    For both, the major impact is that the system probably will not be accepted by the client.

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    This article will provide you further explanation about system testing:
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
  • ISO 27001 Internal Auditor recertification


    Answer: You only have to seek recertification regarding an ISO 27001 Internal Auditor course when a new version of the standard is released, because in that case you need to update your knowledge about the standard.