Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • SoA and outsourced IT


    Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview about who will implement which control, making easier the job to keep track of all controls, who is responsible and what is their status.

    The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what will be the legal basis for it (e.g., implemented by third-party according service agreement).

    You should also note that by doing this way you have to ensure to state the control A.15.1.2 (Addressing security within supplier agreements) as applicable and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.

    These articles will provide you further explanation about controls in outsourced IT:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    These materials will also help you regarding controls in outsourced IT:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Defining scope


    Could you please give an advice about how to tackle this problem??

    Answer: For such small number of employees, the most efficient way is to include all organization in the scope, because the effort to manage the interfaces and interdependencies with the areas outside the scope will be greater than consider all the areas of the organization. Customers and logistic partners are considered as interested parties that should be considered in the definition of the scope, not included in the scope itself.

    This articles will provide you further explanation about defining scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    This material will also help you regarding defining scope:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Risk assessment methodology


    Answer:

    The standard does not requires organizations to adopt risk assessment methodology, so there are no requirements on how the organization will define its criteria for probability, consequence or any other element of risk. The organization itself can define the criteria for probability and consequence if it decides to apply them at all since they are not required. All the organization needs to do is to identify risks and opportunities and take actions to address them, how it will be done is not defined by the standard and the organization has full liberty to do it as it finds the most suitable.

    As far as the certification auditor is concerned, he or she can only audit the QMS (Quality Management System) against the requirements of the standard and cannot interfere or require c hanges in the methodology that the organization adopted.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Audit resources and BCM material


    En general es un buen material. la expectativa que no se realmente si sea demasado pedir, es tener un caso practico desarrollado, un modelo basado en un estudio o aplicacion real de auditoria.
    Soy uno de los profesionales que tengo certificacion en iso27001, y mi dia adia no me ha permitido ejercer una auditoria y me da susto equivocarme, es como tener un taller de ejercicios para llevarlos a la practica.
    Aprovecho este oportunidad tambien para comentar la necesidad que tengo de un plan de continuidad del negocio para un servicio de outsourcing en recursos TI. Tema que lo expuesto por sus esquemas de contacto.

    (Overall a good material. The expectation that is not really if it is too much to ask, is to have a practical case developed, a model based on a study or real application of audit.
    I am one of the professionals that I have certification in iso27001, and my day to day has not allowed me to exercise an audit and I get scared to err, it is like having an exercise workshop to take them to the practice.
    I take this opportunity al so to comment on my need for a business continuity plan for an outsourcing service in IT resources. Subject that exposed by their contact schemes)

    Answer: For practical examples of how to perform an internal audit I suggest you to attend our free ISO 27001:2013 Internal Auditor Course at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

    Additionally our knowledge base has very interesting articles that can help you, like:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

    Regarding business continuity plan, I suggest you to take a look at the free demo of our Business continuity plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

    This template can help you to define precisely how an organization will manage incidents in the case of a disaster or other disruption of business, and how it will recover its critical activities within set deadlines.

    This article will provide you further explanation about business continuity planning:
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    These materials will also help you regarding Business Continuity Planning:

    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
  • CMMi toolkit


    Answer: We work with ISO management standards related documents, so unfortunately we do not have a CMMI Toolkit in our products portfolio.

    2- Do you have any or recommend any CMMI toolkit providers?

    Answer: Unfortunately I do not have much knowledge in this specific market to provide a recommendation, but you can take a look at this link at Carnegie Mellon University (the institutions that developed CMMI): https://seir.sei.cmu.edu/toolkit/PurposesofthisToolkitDocument.html
  • Why is top management important for QMS


    Answer:

    The top management involvement in the QMS is essential for effectiveness of the QMS. Provision of resources, defining Quality Policy and objectives, assigning roles and responsibilities are some of the responsibilities of the top management and cannot be done by someone else. Involvement of the top management is necessary for planning, check and act phase of the PDCA cycle and without them, these phases cannot be properly conducted and the QMS will only be formally implemented and fail to provide any benefit to the organization. For more information, see: To what extent should top management be involved in your QMS? https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/

    The best way to convince the top management to participate in QMS is to present them with benefits that ISO 9001 b rings to the company and explain them that QMS wont work without their active participation. For more information, see: How to get Management Buy-in for ISO 9001 https://advisera.com/9001academy/blog/2014/09/02/get-management-buy-iso-9001/
  • Top management role in QMS


    Answer:

    The top management pays a key role in QMS (Quality Management System), when it comes to planning and maintaining the system. Entire clause 5 is dedicated to the obligations of the top management, such as providing resources, assigning responsibilities, taking accountability for the QMS effectiveness, etc.

    Other clauses as well require involvement of the top management, such as for determining context of the organization, addressing risks and opportunities and, finally, management review. Check phase of the PDCA cycle that is prescribed by the standard includes management review where the effectiveness of the QMS is to be considered and actions for QMS improvement to be proposed. This is impossible to perform without the top management as they are the ones to determine what actions will be taken and to provide resources for these actions and t he entire QMS.

    For more information, see: To what extent should top management be involved in your QMS? https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
  • Knowing ISO 27001

    Considering also the specification you provided:

    >"In their first response to the forum they suggested:
    >This article will provide further explanations on the integration of management systems:
    > - How to implement integrated management systems / ... / -
    >But I can not open this article. On the other hand in the suggestion they gave I did not realize if the idea of ​​the study is to analyze which organizations is it possible to integrate the 27001?

    >My specific question was to ask for help in the sense that with your broad vision to see a topic that I could take advantage of to do a study and thus be able to make my thesis, here what I wanted to take advantage of is a theme that helps make you see The added value that is the implementation of this regulation 27001 since here in Portugal are very few organizations that have implemented. This article / study is to serve as ramp for which companies have given in bulk."

    First of all. I'm sorry about the problem with the link. Here is the correct link:
    - How to implement integrated management systems https://advisera.com/ 7001academy/blog/2015/10/05/how-to-implement-integrated-management-systems/

    About your question: the point is not to analyse in which organizations it is possible to integrate the 27001 (the standard is designed to be applicable to organizations of any kind or size), but why, so you can evidence the added value ISO 27001 implementation can bring to an organization (what I think is your main interest in your thesis).

    Why would an organization implement an standard if it is not mandatory? The general benefits are:
    - Obtain a competitive edge
    - Improve internal organization
    - Reduce losses due to incidents
    - Assure compliance with legal requirements

    Considering each of these benefits, you could develop a thesis identifying specific points related to a specific organization or industry.

    For more information about ISO 27001 benefits, please see: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
  • Auditoria de Certificación

    El manual de funciones estipula las cualificaciones y perfiles de los cargos. Cualquier persona en la organización que esté relacionada con la realización de un producto debe de poseer un perfil del cargo, éste incluye la lista de las responsabilidades y autoridades para cada uno de los cargos. Por lo tanto, la descripción documentada de un puesto o perfil de cargo, debería de contener: título, subordinación, cualificaciones externas requeridas, cualificaciones internas requeridas, lista de responsabilidades y lista de autoridades. Sin embargo, es importante tener en cuenta que la norma ISO 9001:2015 no exige documentación sobre el perfil de los cargos
  • Communication template in ISO 22301 Toolkit


    Answer: Communication is a activity that is performed by many processes in business continuity, with different purposes, so we do not have a centralized communication plan to not overhead people responsible for communication with activities that may not be part of their attributions.

    Instead of that, you will find communication plan elements spread in many documents in the toolkit:
    - Appendix 1 – Incident Response Plan
    - Appendix 2 – Incident Log
    - Appendix 5 – Key Contacts

    In the root folder of the toolkit you bought you can find the List of Documents file that will show you which clause of the standard is covered by each document of the toolkit.
Page 889-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +