Search results


  • Security on social networks


    (How to protect and prevent leakage of information through social networks?)

    Answer: First, you should consider organizational policies to define how to control access to information in a general manner, this way limiting access to sensitive information, and to guide your employees about the use of social networks, so they know which kind of information can be posted or not, and which security measures they should take regarding user accounts (e.g., use of passwords, sharing access, etc.). These can be independent policies or part of another one, like an acceptable use policy. See a free demo of our access control policy and acceptable use policy at these links: https://advisera.com/27001academy/documentation/access-control-policy/ and https://advisera.com/27001academy/documentation/it-security-policy/

    After that, you have to perform training and awareness activities to formally present the policies to the employees and ensure all of them know how to proceed.

    The final step is to periodically monitor posted information on social networks so you can evaluate whether your controls are working properly, and with that information prepare action plans to make the required adjustments.

    These articles will provide you with further explanation about developing policies and user awareness:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/documentation/it-security-policy/

    These materials will also help you regarding policies and user awareness:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Optional documentation

    The list of mandatory documents covers documents such as the quality objectives, the quality policy, the scope of the QMS and others, whereas the optional documents are mainly the procedures, since they are not mandatory according to ISO 9001:2015.

    On the other hand, you should know that you will not find the terms mandatory document or mandatory record in the standard; instead, it speaks of documented information that must be maintained (documents) and that must be retained (records).

    For more information on mandatory and optional documentation, you can see the following materials:

    - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/es/knowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    - Free ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/


  • Assigning roles and responsibilities in EMS


    Top management must assign responsibilities and relevant roles for the EMS development, reporting, and maintenance so that it meets the intended goals.

    Do you have a guidance toolkit please?

    Answer:

    We do not have a separate toolkit for assigning roles and responsibilities within the EMS (Environmental Management System), and you do not need one. You simply need to define through your procedures and working instructions who is responsible for what, or you can have a separate document where you define all roles and responsibilities within the EMS.

    For more information, see: What are the key roles and responsibilities in the EMS?
    https://advisera.com/14001academy/blog/2016/11/21/what-are-the-key-roles-and-responsibilities-in-the-ems/
  • Example of Quality Policy and SPC


    Answer:

    Requirements for the quality policy in IATF 16949 are the same as in ISO 9001:2015. The policy must be appropriate to the purpose and context of the organization and support its strategic direction, provide a framework for setting the quality objectives, include a commitment to satisfy applicable legal requirements, and include a commitment to improve the quality management system.

    At the moment, we do not have a Quality Policy available for IATF 16949, but as I mentioned before, the requirements are the same as for ISO 9001, so you can download a free preview of our ISO 9001 Quality Policy to get an idea of how to develop it: https://advisera.com/9001academy/documentation/quality-policy/ In addition, you can take a look at this article: How to Write a Good Quality Policy https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/

    As far as implementing SPC (Statistical Process Control) online, you will need some software solution
  • Support material for online courses


    Answer: Yes, it is possible to become certified with only the information provided in the course, but you should consider buying the ISO books as sources of explanations and examples that can make it easier to understand the standard, and it is always good to have this kind of information at hand for quick consultation.

    You can find our available books at this link: https://advisera.com/books/
  • Disposal of asbestos sheets


    Answer:

    Asbestos cement sheeting is commonly found as grey corrugated or flat sheets. It is thin and brittle and produces a clean edge when broken. It contains a small amount of asbestos encapsulated within cement, which, in good condition, does not normally present a risk to health. Please remember that any work on asbestos sheet may generate airborne asbestos fibers.

    Asbestos should be disposed of at an organization authorized for handling asbestos, such as a waste recycling centre. Before bringing asbestos to the waste recycling centre, take these actions to ensure your asbestos will be accepted:
    - all pieces of asbestos should be double wrapped in heavy-duty plastic; this does not include plastic such as bin liners or carrier bags
    - the double-wrapped plastic does not need to be clear, but you should ensure that nothing is protruding from inside the plastic, as this will not be accepted
    - you should soak large pieces before breaking them down to bring on to site; this stops fibers escaping

    For more information on handling and disposal of asbestos, see: Guideline for Construction/Asbestos Waste Management https://advisera.com/14001academy/documentation/guideline-for-constructionasbestos-waste-management/
  • Alternative controls and control plan

    How can I handle the alternate process control method? Within the "normal" control plan, or by making another control plan?
    If I use the normal control plan, do I have to mark the alternate controls in any way?

    Answer:

    The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan, so you do not have to create another control plan; just include references to the alternate controls in the existing one.

    Since alternate controls are used incidentally and not on a regular basis (the standard requires the organization to return to the standard process as soon as possible), the alternate controls should be distinguished in some way from the regular controls in the control plan.
  • Documenting Design History File

    If all our records are electronic (e.g. JIRA, confluence, office365) do we need to maintain a design history file (DHF)? Or can we just provide all the documents or an index of those documents?

    Answer:

    The Design and Development File and the Design History File are basically the same document. The ISO 13485 standard requires the organization to maintain this file for each medical device type or device family. It must include either records, or references to them, to demonstrate conformity to the requirements for design and development, and records for design and development changes.

    You don't have to have a separate record for it; you can create a database or an index of all of those documents.
  • Scope and asset definition


    1. May we/should we exclude third-party cloud providers (document management, e-mail, and time and billing)? [Note: Most have their own ISO 27001 certifications—may we or should we reference these in our documentation, or would that only confuse things?]

    Answer: From the scenario you described, you do not need to include the third-party cloud providers in your scope. The main point to consider here is how much direct control your firm has over the applications and databases hosted on the outsourced IT services. If you can manage the applications (e.g., create and manage user accounts, change configurations, etc.), you should include the applications in your scope. If all this management work is performed by the provider, you have to include only the databases in your ISMS scope (e.g., email database, documentation database, time and billing database).

    2. Should we include our IT service provider? If so, how deeply must we delve into their systems? [They provide similar services to many companies, and have visibility into our system for maintenance and troubleshooting.]

    Answer: As explained in the first answer, you do not have to include your IT service provider in the scope.

    These articles will provide you with further explanation about scope definition:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    3. A related question pertains to the distinction between a company and its software. For example, Microsoft as a company may be subject to threats such as breach of contractual relations or equipment failure. At the same time, its software (in this case Office 365) may have its own threats and vulnerabilities, such as application errors, inadequate patching, etc. Should these be combined in the risk assessment table as a single reference to Microsoft with all related threats and vulnerabilities, or should it be broken out as third-party provider and software? (Assuming, of course, that they are included at all, consistent with our questions above.)

    Answer: Considering your example, if your relationship with Microsoft is limited to the use of Office 365, then "Office 365" is the asset to be assessed, and all identified risks should be associated with it. However, if besides Office 365 you also use other Microsoft products or services (e.g., OneDrive, Skype, Windows, etc.), then an additional asset, called for example "Software Provider - Microsoft", should also be considered for assessment, because now you also have to consider risks in terms of all the Microsoft products and services you use, not only the risk for specific ones, and this can be better handled if they are concentrated in a single asset.
  • Security in web applications

    Thank you for your reply.
    Is 27001 combined with 27002 a good idea to secure a web application also? Because I mean there are some points in 27001 that we probably don't need, or if I want to write a security policy for a web application, because I didn't get a lot of information about 15408 and how it works.
    What do you think about PCI? I'm just trying to get the best norm and explain why. Thanks for your help.