Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Implementation alternatives


    Answer: The first thing you should consider is the duration of your ISO 27001 implementation project and the deadline for EU GDPR compliance. If your project can be concluded before the deadline maybe it is better to start with ISO 27001 because, as you said, it can deliver an environment which satisfies GDPR and other requirements your organization may have for the ISMS.

    If your project cannot be finished before the deadline, you should consider if a reduction in the certification scope, e.g. to cover only the part of the original scope that would be related to EU GDPR, can allow you to meet the deadline, and if post poning the implementation of the remaining scope is acceptable (since the management part of the system will be already implemented you will have less activities to perform).

    If none of these alternatives are acceptable, then you should consider going first for EU GDPR compliance, and after that make arrangements in the ISO 27001 implementation project to include those controls in the system.

    This articles will provide you further explanation about ISO 27001 projects:
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    These materials will also help you regarding ISO 27001 projects:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/

  • Temporary change process controls


    Answer:

    The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan.

    The standard requires documenting procedure for managing the use of alternate controls and this can be part of your production procedure, and standard work instructions are required for each alternate control.

  • ISO 31000 and ISO 27001


    Answer: Yes, but as means to provide a common basis to align the information security risk management with other types of risk management in a company (e.g., quality risks, environmental risks, etc.). ISO 31000 by itself is not enough to comply with ISO 27001 because risk management requirements in ISO 27001 are much more detailed than in ISO 31000.

    This article will provide you further explanation about Risk Management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    These materials will also help you regarding Risk Management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • Business Continuity Lifecycle document


    Answer: According ISO 22301, there is no requirement demanding such specific document, so unless defined by your organization, a law or another legal requirement, like a contract, you do not need to have it in your management system.

    The business continuity life cycle is covered from standard's clauses 8.2 to 8.5, so, considering the list of documents that comes with your toolkit, you can share the following documents (of course the auditor can ask about the records related to these documents too):

    Business Impact Analysis Methodology
    Business Continuity Strategy
    Business Continuity Plan
    Incident Response Plan
    Disaster Recovery Plan
    Exercising and Testing Plan
    BCMS Maintenance and Review Plan

    This article will provide you further explanation about Mandatory documen ts for ISO 22301:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

  • Becoming an auditor


    Answer: Yes, your previous experience will count in your formation as an auditor. Your competencies in IT will help you understand the auditee scenario, define what you should look for as evidence and define proper non conformities statements and recommendations for improvement.

    To start you journey to become an information security auditor you should attend an ISO 27001 lead auditor course, so you can understand the concepts of ISO 27001 management system and the processes and techniques involved in an audit. After being approved in the course you need to accumulate audit hours, first as an observer, and after that as an audit team member, so you can gain understanding and experience in practical audits. After sufficient auditing hours, and good evaluations from your team lea der, you can achieve the status of auditor and after that lead auditor.

    This article will provide you further explanation about becoming an auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding auditing:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

  • Compliance list

    Many thanks.

  • Information security implementation


    Answer: Considering the situation you presented, it seems you need a quick action to fix some issues as soon as possible and a longer term plan to maintain the results. Also considering you mentioned a limited staff, maybe hiring a cyber expert for the quick action would be the best option, even considering the higher costs of a consultant, because in this case delaying the fixes let you vulnerable for much more time. And you could ask the consultant to use as reference the practices of cyber essentials.

    For the longer term plan, the implementati on of ISO 27001 can help you manage the implemented security, and for that you have three implementation alternatives: hiring a consultant (maybe the same you hired for the quick fix), implementing on your own, or implementing on your own with expert support. Each alternatives have their pros and cons, and I suggest you to take a look at this white paper to identify which alternative is best for you: Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    Regardless the way you choose, when ISO 27001 is implemented properly, you won't focus too much on documentation - rather, you'll focus on changing the way your employees are using the technology, and therefore decrease the number of security incidents. Here's an article that will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    This article will provide you further explanation about information security implementation:
    - 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

    These materials will also help you regarding information security implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Formulating questions during internal audit

    It means to audit your company against ISO 9001:2015 requirements to determine to what level your company is compliant with the standard.

  • Providing evidence for clauses without mandatory documents


    Answer:

    The fact that there are no mandatory documents doesn't mean that documenting them is forbidden. Actually, some requirements are much easier to meet f there is some records of the actions taken. In case when there are no records or documents, the auditor will have to put additional effort to determine whether the requirements are met and it is usually done through interviews and observing activities.

    When it comes to internal and external issues, the auditor will have to speak with the top management and other relevant roles to determine whether the organization have considered and defined context of the organization.

    In case of interested parties and their needs and expectations, it is really hard to meet the requirements without any reco rd although there are no requirements for documenting this clause.For example, there must be contracts where needs and expectations of interested parties (e.g. customers, subcontractors, etc) are stated, or laws and regulations relevant to the organization business.

    For risks and opportunities, if they are not documented, there must be some written trace of the actions taken, so it is up to the auditor to find them.

    For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

  • Auditores internos

    Debes asegurarte de que los auditores internos están cualificados y tienen la experiencia necesaria para llevar a cabo el trabajo adecuadamente. Es muy importante que los auditores internos ganen las competencias necesarias para llevar a cabo una buena auditoria interna para que tanto los resultados como las acciones correctivas encontradas ayuden a mejorar el SGC, y por supuesto para pasar con éxito la auditoria de certificación.
    Si tus auditores internos no poseen estas competencias relacionadas con la nueva versión del estándar, entonces deberían de adquirirlas.

    Es posible tomar este curso de auditor interno en ISO 14001:2015 a través de nuestra we, para más información vea: https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/
Page 890-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +