Answer: For ISO 27001 implementation, after the risk treatment plan you should consider:
- Definition of how to measure the effectiveness of controls
- Implement the controls & mandatory procedures (not only documentation, but also technical and physical controls)
- Implement training and awareness programs
- Operate and monitor the system
- Perform internal audit and management review
- Implement corrective and preventive actions as needed
The training evaluation is when the organization evaluates the quality of the training and whether the training covered everything the company expected from it. Criteria for evaluation of the training can be the knowledge of the trainer, his ability to transfer the knowledge, etc.
The training effectiveness is when the organization evaluates whether the trainees gained sufficient knowledge during the training. For example, if the training was on how to operate some machine, whether the trainees have learned to operate the machine. This can be done through tests and questionnaires that trainees take after the training.
Answer:
It's always hard when many different parties are involved in such incident resolution.
First of all, don't include (in any incident/problem resolution) people that are not necessary. Otherwise, it's very likely to get into such a situation.
Secondly, incident categorization can help to point to the right support group. (To learn more, read the article "All about Incident Classification" https://advisera.com/20000academy/knowledgebase/incident-classification/)
A RACI matrix is also good to have (A stands for Accountable - apply it to the service, technology, activity, topic...) (read the article "ITIL / ISO 20000 RACI matrix – How to use it to clarify responsibilities" https://advisera.com/20000academy/blog/2016/01/12/itil-iso-20000-raci-matrix-how-to-use-it-to-clarify-responsibilities/)
And, last but not least, this is also a kind of test for managerial capabilities (getting along between several teams).
Will AS9102 change with AS9100 Rev D?
Answer:
Although we do not have details into what will happen with AS9102, the changes to AS9100 in Rev D do not affect the requirements for First Article Inspection and the process for FAI in AS9102 would still be applicable to the updated AS9100 standard.
Additionally, AS9102 is only a recommended way to perform FAI, and the standard is not even referenced in clause 8.5.1.3. Unless it is a requirement by customers that this standard is followed, it is a decision of the company how they will perform FAI.
Clause 8.5.4
My answer:
This is a requirement to ensure that the provision of services is protected, that is, that what is supposed to be done actually gets done. In addition, the standard mentions that preservation can include identification, handling, contamination control, packaging, storage, transmission/transport, and protection.
If the provision of data or information by electronic means is part of the output of one of the organization's processes (for example, the transmission of a product), a risk-based approach should be taken to guard against both data loss and information issues during transmission. This could include, for example, considerations about portal information and website data/information, as well as attachments included in an e-mail communication.
For production or processing organizations, a risk-based approach is also recommended, along with proportionate mitigation in the form of appropriate processes, procedures and controls, when considering potential preservation issues at all stages of processing, for example from receipt, through processing and storage, to delivery.
To comply with this clause, it is necessary to focus only on those issues that can affect customer satisfaction and the delivery of a quality product and/or service.
The best way to gather information on internal and external issues is to organize a brainstorming session with the relevant company staff, including the owners of each process and top management. In addition, the company can carry out an analysis of external issues using PEST (political, economic, social and technological) and an analysis of internal issues using SWOT (strengths, weaknesses, opportunities and threats).
(Good morning, what must I take into account to draw up a policy on scholarships and half scholarships in a Christian school?)
Answer: ISO 27001 helps protect the confidentiality, integrity and availability of information by applying a risk management process. When drafting policies, some of the information risks involved may be:
- Lack of compliance with laws and regulations applicable to the product or service being offered
- Not considering all information needed for business processes
Considering that, to draw up a policy for scholarships you should take into account any laws and regulations that may be applicable, the business risks involved, the integration with other policies and processes of your organization, and its wording (so that it is clear and easy to understand).
(Good afternoon, I would like to know what the difference is between the different ISOs; at least I see 27001 and 9001, what is the difference between these? I am looking to certify myself in these standards and I want to understand a little more about them before I pay for an introductory course. Thank you)
Answer: The main difference between ISO management standards lies in the planning and operation requirements, which cover different purposes according to the standard. For example, ISO 27001 focuses on information security risk, ISO 9001 aims at product/service design and development, and ISO 14001 covers environmental aspects and impacts.
Answer: If your organization makes use of digital certificates, both controls A.10.1.1 (Policy on the use of cryptographic controls) and A.10.1.2 (Key management) should be stated as applicable.
The reason for application of A.10.1.1 is because you should have clear rules about when, how, and by whom these certificates should be used, and how they should be managed.
As for A.10.1.2, the adoption of practices for protection of cryptographic keys should be included as a clause in the service agreement with the provider, so you can ensure they will provide at least the same level of protection as if your organization was managing the keys itself.
Please note that when stating a control as applicable, you could use as justification the results of the risk assessment, a top management decision, or compliance with a legal or contractual requirement.