Search results


  • Toolkit content

    - A.5 Information security policies
    - A.18 Compliance

    I do not see an assessment tool for ISO27K. Is there any reason for this omission? Are they not included as part of the toolkit?

    Answer:

    1) The controls from section A.5 Information security policies are covered in many policies provided in the toolkit (e.g., Information security policy, Access control policy, Acceptable use policy, Backup policy, etc.).
    2) The controls from section A.18 Compliance are covered in the following documents: Procedure for Identification of Requirements, and List of Legal, Regulatory, Contractual and Other Requirements - you'll find them in folder 02 "Procedure for identification of requirements".
    3) ISO 27001 does not require the usage of a tool for doing the risk assessment, so we are offering the Excel sheets for performing this task - in our experience, this is much easier for smaller companies, for which our toolkit is designed. You'll find those sheets in the folder 05 "Risk assessment and risk treatment methodology".

    By the way, you can find the information about which controls and requirements are covered by each document in the file List of documents that you'll find in the root folder of the toolkit.
  • Nonconformities and corrective actions


    In my previous employment and experience, we usually initiate only a CAR for audit findings. To me, it seems like redundancy.

    Do you see a reason for initiating a NCR? Is it a requirement?

    Answer:

    Results of the certification audit can be minor and major nonconformities and recommendations. In case of nonconformities, you will need to document them as per clause 10.2.2 regardless of who identified the nonconformity. Then you evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, and that is corrective action.

    This might seem like a redundancy, but it provides traceability and also enables the organization to file more information on the nonconformity than what is stated in the certification audit report.

    For more information, see: How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
  • Information security career


    Answer: With the increase in the number of incidents involving information leakage, impacting both end users and big organizations, and in the number and rigidity of legislation, the need for information security professionals is also increasing, both on technical and management aspects. I suggest you look at this report for an overview: The State of Cyber Security Professional Careers https://www.esg-global.com/hubfs/issa/ESG-ISSA-Research-Report-State-of-Cybersecurity-Professional-Careers-Oct-2016.pdf

    Concerning learning, there is no such thing as the "right path"; it is more like the path most adequate for you. ISO management systems themselves recognize this (in terms of competencies, they consider as sources either education, training or experience). So, you can go for formal academic knowledge, attend information security related courses and training, or develop your skills through daily activities. Here at Advisera you can find articles, white papers and online courses that can give you a starting point.

    Take a look at these links to access our knowledge base, white papers and courses:
    - https://advisera.com/27001academy/knowledgebase/
    - https://advisera.com/27001academy/free-downloads/
    - https://advisera.com/training/

    These articles will provide you further explanation about information security profession:
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
  • Information security policies


    Answer: Yes, but not in the way you are thinking. The toolkit has several commonly used policies covering different aspects of information security, like Access control policy, Acceptable use policy, Backup policy, etc. You can consult the "List of Documents" file that comes with your toolkit to find them. Once you have identified the policies you need, you can decide if you will use them as separate documents, or merge them into a single "Information security policy", as seems to be your idea.

    This article will provide you further explanation about implementing policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
  • Documenting process to motivate employees


    Answer:

    This clause is an addition to the awareness requirements of ISO 9001:2015 and, besides quality objectives achievement, it mentions continual improvement and promoting technical innovations. You can document this as a part of your procedure for competence and awareness, or you can have a separate procedure that will describe how your company will achieve this.
  • Planning the QMS and clause 6.1.1


    Answer:

    Planning is a very important part of the QMS (Quality Management System) and the PDCA cycle. Planning should be conducted on a regular basis if there are no changes to the QMS, or at any time when some changes are made to the QMS. For example, during the management review you can make plans for necessary resources for processes, training needs, etc., and identification of risks and opportunities is also a part of the planning phase.

    For more information, see: Plan-Do-Check-Act in the ISO 9001 Standard https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/
  • Updating ISO 9001 and ISO 13485


    Answer:

    Both ISO 9001 and ISO 13485 have new versions, so if you implemented old versions of these standards, you need to make the transition to the new versions in order to maintain the certificates. The deadline for the transition is September 2018.

    If you have only ISO 9001:2008, then you only need to make the transition to ISO 9001:2015. Here is one interesting article that can help you: Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/ The good thing about having ISO 9001:2008 implemented is that ISO 13485:2016 is based on ISO 9001:2008, so you can keep all the documents and make additions to become compliant with ISO 13485:2016. For more information, see Infographic: What’s new in the 2016 revision of ISO 13485 https://advisera.com/13485academy/blog/2016/12/06/infographic-whats-new-in-the-2016-revision-of-iso-13485/
  • Competence definition in IATF 16949


    Answer:

    Competence is defined as "the demonstrated ability to apply knowledge and skills". This means that a person is competent when they are able to perform a task successfully. Competencies refer to skills or knowledge that lead to superior performance: measurable skills, abilities and personality traits that identify successful employees against defined roles within an organisation.

    Skills define specific learned activities, and they range widely in terms of complexity. (“Mopping the floor” and “performing brain surgery” can both be classified as skills.) Knowing which skills a person possesses helps us determine whether their training and experience has prepared them for a specific type of workplace activity. In other words, skills give us the “what.” They tell us what types of abilities a person needs to perform a specific activity or job.

    But skills don’t give us the “how.” How does an individual perform a job successfully? How do they behave in the workplace environment to achieve the desired result? Competencies provide that missing piece of the puzzle by translating skills into on-the-job behaviors that demonstrate the ability to perform the job requirements competently.
  • Security on social networks


    (How to protect and prevent leakage of information through social networks?)

    Answer: First thing, you should consider organizational policies to define how to control access to information in a general manner, this way limiting access to sensitive information, and to guide your employees about the use of social networks, so they can know which kind of information can be posted or not, and which security measures they should take regarding user accounts (e.g., use of passwords, sharing access, etc.). These can be independent policies or part of another one, like an acceptable use policy. See a free demo of our access control policy and acceptable use policy at these links: https://advisera.com/27001academy/documentation/access-control-policy/ and https://advisera.com/27001academy/documentation/it-security-policy/

    After that, you have to perform training and awareness activities to formally present the policies to the employees and ensure all of them know how to proceed.

    The final step is to periodically monitor posted information on social networks so you can evaluate if your controls are working properly, and with that information prepare action plans to make required adjustments.

    These articles will provide you further explanation about developing policies and user awareness:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/documentation/it-security-policy/

    These materials will also help you regarding policies and user awareness:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Optional documentation

    The list of mandatory documents corresponds to documents such as the quality objectives, the quality policy, the scope of the QMS and others, whereas the optional documents correspond mainly to the procedures, since they are not mandatory according to ISO 9001:2015.

    On the other hand, you should know that in the standard you will not find the terms mandatory document or mandatory record; instead it speaks of documented information that must be maintained (documents) and that must be retained (records).

    For more information on mandatory and optional documentation, you can see the following materials:

    - Lista de documentos obligatorios requeridos por la ISO 9001:2015 (List of mandatory documents required by ISO 9001:2015): https://advisera.com/9001academy/es/knowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    - Curso gratuito de Fundamentos de ISO 9001:2015 (Free ISO 9001:2015 Foundations Course): https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
