
  • ISO 27002 and application of control A.9.4.4

    Thanks a lot. Your response has been very helpful.
  • Internal team for penetration and vulnerability tests


    Answer: Yes, penetration testing and vulnerability tests can be performed by internal employees. Regarding ISO 27001, there is no mandatory requirement demanding that these tests be performed by a third party. What you should ensure is that these tests are performed by people not directly involved with the process, so that impartiality is ensured since, as with internal audits, no one should audit their own work.

    This article will provide you further explanation about penetration and vulnerability tests:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

    These materials will also help you regarding penetration and vulnerability tests:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • GDPR training


    Answer: Unfortunately we do not provide specific training regarding GDPR, but considering our knowledge base I can suggest you these materials:
    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
    - What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/27001academy/blog/2016/10/03/what-is-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    - EU GDPR controller vs. processor – What are the differences? https://advisera.com/27001academy/blog/2017/01/30/eu-gdpr-controller-vs-processor-what-are-the-differences/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Defining scope and repercussions

    We are thinking about certifying our core process – the sight test provided by our stores. Our company has a franchise structure. Thus each store is its own company. We also have a country support office providing all support processes (e.g. product, finance, marketing, etc.) to our stores. My question is whether we can certify the core business provided by the store only, or if we need to include all subprocesses also (of course, it's something we would like to add at least in a second stage). If we then get the ISO 9001:2015 certification, will it then be one per store?
    Many thanks for your reply,

    Answer:

    You can limit the scope of your QMS to only one store and its core processes, but in that case the certificate will apply to this store only, since it is assigned to the scope of the QMS. Since every store is a separate legal entity, it is better to certify them all separately; it can cost more in total, but it will allow you to go step by step and to create multiple simple systems instead of one complex QMS.

    Also, you won't need the consultant's help in every store, because you can copy the QMS to the similar stores and processes, and basically the only expense will be the certification.
  • Methodologies for applying clause 4

    In the same way, I am looking for methodologies that help to comply with section 4.4 of the standard, which refers to quality management and its processes; for example, a methodology I found here is process mapping.

    My answer:

    Before determining the scope of the organization, it is necessary to address clauses 4.1 and 4.2. Therefore, you could follow these steps:

    - For internal and external issues, a SWOT analysis can be used.
    - To determine the interested parties, a PEST analysis can be used.
    - Define what the organization's products and services are, for example by means of a process map.
    - Determine the exclusions.
    - Write the scope, including the organization's different locations, the products and services that have been identified, the processes within the QMS, and the exclusions and their justification.
    - Maintain the scope as documented information.
    - Review the scope periodically.

    For more information, see "How to define the scope of the QMS according to ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/

    In addition to the process map, with regard to clause 4.4 a turtle diagram could be used. This diagram contains all the elements of a process and takes the form of a turtle with:

    - A body or shell: where the name of the process is written.
    - A head: which represents the inputs of the process.
    - A tail: which would be the results or outputs of the process.
    - Four legs: which are the questions to be answered by the organization: with what, with whom, how, and how many.
  • Certification auditor

    Academy: ISO 9001, ISO 14001, ISO 27001.

    My answer:

    There are no specific requirements for becoming an auditor, although certification bodies have to demonstrate that their auditors are competent. This is a difficult task to accomplish, and for this reason certification bodies have established a series of methods and documentation in order to meet it.

    The most widely adopted scheme is the qualification scheme, which requires passing a 5-day lead auditor class (with a 2-hour exam), demonstrating with a curriculum vitae around 4 years of experience plus around 2 years of more specific experience (for example, in the quality or environmental sector to be audited), and then participating in audits to demonstrate that experience.

    For more information, see: https://advisera.com/9001academy/blog/2020/04/10/how-to-become-an-iso-9001-lead-auditor/#
  • Does each clause in section 8 of AS9100D require a PEAR? i.e. 8.1.1 and 8.1.2?

    If by PEAR you mean Process Effectiveness Assessment Report, then this is not a requirement of AS9100. Unless your customers require that you provide this sort of information, it is up to you to decide what you must do for the requirements in Clause 8 of AS9100 Rev D.
    Specifically, Clauses 8.1.1 & 8.1.2 are defined in the standard as planned, implemented and controlled processes, and there is no requirement within AS9100 Rev D for documented information on the process. In cases where there is no requirement for documented information on the procedure, it is up to the company to decide whether the procedure needed to address the clause requirements should be documented.
  • What is the difference between AS9100 and AS9120

    The difference in the standards is the type of organization the Quality Management System requirements are intended for:
    AS9100 – Requirements for Aviation, Space and Defense Organizations
    AS9110 – Aerospace – Requirements for Maintenance Organizations
    AS9120 – Aerospace Requirements for Stockist Distributors
    So, from your comments it sounds like you are a distributor who is currently registered to AS9120 but is wondering about your repair facilities. If this is a repair and overhaul function, as opposed to a repair-when-there-is-a-defect function, then this would fall under AS9110, as it is a maintenance organisation. AS9100 is intended for organisations which produce new parts, as opposed to those which do either repair and overhaul or distribution.
    I hope this answers your questions, please let me know if there is anything further you need.
  • ISO personal certifications and Content for employees


    Answer: There is one kind of certification issued to persons similar to COBIT Assessor: the ISO 20000 Lead Auditor certification. This certification recognizes that its holder has demonstrated competence to audit a management system against the ISO 20000 standard, which defines requirements for the management of IT services.

    2. I work in HR and we are looking at ISO 27001, what is the requirement with regards to Staff Manual? We have ISMS policies in place but I wonder if there is anything required that needs to be included in the Staff Manual?

    Answer: ISO 27001 has no specific requirements demanding a Staff Manual, but you should ensure it reflects the results of risk assessment and treatment, i.e., the risks and controls that employees can directly interact with. Examples of content, as you pointed out, are the implemented security policies, but you can also include examples of risks and how to manage them (e.g. how to identify and handle social engineering attacks). Additionally, you can also communicate the employees' responsibilities regarding information protection, the impacts of nonconformities, and the importance of achieving the defined information security objectives. By using the Staff Manual this way you can cover requirements related to leadership commitment (clause 5.1) and communication (clause 7.4).

    This article will provide you further explanation about what you should consider as content for a Staff Manual:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Ensuring compliance of information security in projects


    Answer: Information security management requires a lot of analysis and evaluation work to be done, and today most of these activities cannot simply be automated, because some decisions require a human feeling and perception of the business environment that a machine cannot properly evaluate. However, when we talk about measurement and monitoring, you can make use of automated tools to:
    - collect data, or remind a person that data should be gathered;
    - compare the data gathered with risk level limits to warn about risks that require further analysis;
    - organize and present data for decision making.

    Considering this, you can make use of automated tools to cover part of the monitoring and measurement of risk management functions, if you can ensure the automated compliance solution can provide the control and evidence you would require if the control were done manually. One way to provide this assurance is by defining your requirements for this automated solution at the beginning of the development or acquisition process, so you can test them during the development / acquisition process.

    This article will provide you further explanation about requirements in development life cycle and use of tools:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
