
  • Operational change


    1 - Please help me with the documents that I have to complete (change control, inventory, backup policy, … what else?)

    Answer: For a change, common documents and records you should consider developing are:
    - change plan: so you can have a general overview of all actions required for the change
    - risk assessment and treatment plan: so you can map all unacceptable risks and the measures you need to implement to minimize risks during the change
    - backup plan: so you can ensure no information is lost during the change process
    - validation plan: so you can verify whether all changes are achieved
    - rollback plan: so you can return to the previous state if the change does not work
    - equipment and system configuration parameters and installation instructions: so you know exactly what to do to install and configure assets properly
    - inventory of assets: so you can keep control of all assets in your environment

    For other documents, you should consider the results of your risk assessment.

    Considering business continuity, you also must consider performing a business impact analysis, so you can identify tolerable availabilities that can help you plan your change activities.

    2 - Do I have to run Risk Assessment Treatment?

    Answer: Yes, you have to perform a risk assessment and treatment to help you identify the main risks related to this change and plan controls to reduce risks to acceptable levels.

    3 - Do I have to call the inspector of ISO27701 to check me? If yes, what is the perfect time to do it? After the completion of this project?

    Answer: No. To perform the change there is no need to call an ISO 27001 auditor, but you should at least communicate it to your certification body, because depending on the size of this change relative to your ISMS scope, some modifications to the next audit of your certification cycle may be needed.

    4 - Finally, what else do I have to do?

    Answer: After the change you have to perform a new risk assessment to update your risk scenario, and ensure this change is considered in the next management review so its results can be evaluated.

    This article will provide you further explanation about Operational change:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

    These materials will also help you regarding Operational change:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Gap analysis and checklists


    Answer: To help you in your gap analysis, I suggest you take a look at the free demo of our Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    This checklist will provide you with questions to help you assess the level of compliance of your policies and controls regarding the management system and security controls. You only have to scroll down the screen a little to find the free demo tab.

    Another tool I can suggest to you is our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    It is similar to the checklist, but it also provides you with recommendations on how to overcome your gaps.

    2 - In addition, do we have some sort of available checklist to share on physical and environmental controls specifically for:
    Data centers
    Disaster recovery site
    Network operation center
    Product support
    Business application and system support?

    Answer: Unfortunately we do not have such a specific checklist, but this article can help you build them to comply with your specific needs:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • ISO 27001 and EU GDPR


    Answer: You can use ISO 27001 together with ISO 27018, a specific standard for the protection of Personally Identifiable Information (PII), to cover most of the requirements of the EU GDPR.

    These articles will provide you further explanation about ISO 27001 and EU GDPR:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
  • Enterprise risks


    Answer: ISO 27001 was designed to cover risks related to information security from operational to enterprise levels, but enterprise risks cover much more than information security, so you should consider complementing it with some other frameworks, like COSO, which provides recommendations for managing enterprise risks, like economic, social, and others.

    2. Do we have high level classification of enterprise risk?

    Answer: General classifications for risks, like low, medium and high, are used when we talk about enterprise risks, so we can compare risks of different types, like technological, economic, strategic, etc.

    These articles will provide you further explanation about enterprise risks and monitoring:
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • SOA


    Answer: Your assumption is right concerning controls that are to be implemented, or aren't to be, considering the results of the risk assessment. But you also have to remember that you may have some controls already implemented before the ISMS implementation, either because you adopted them as a market practice, or because a contract or legal requirement required you to do so. So, some controls can already be stated as implemented during the implementation of the risk treatment plan.

    This article will provide you further explanation about SOA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding SOA:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Evaluation of suppliers


    Answer:

    The standard requires the organization to determine criteria for the evaluation, selection and monitoring of external providers, i.e. suppliers, so you as a company can decide what kind of criteria and method to use to evaluate the suppliers. If you find your existing supplier questionnaires redundant, you can exclude them from your supplier evaluation activities.

    For more information, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
  • Documentation requirements for production process


    Answer:

    I assume by "iso" you mean ISO 9001:2015. When it comes to explicit requirements for documentation in the production process, ISO 9001:2015 requires the following:
    - The characteristics of the products to be produced, the services to be provided, or the activities to be performed (clause 8.5.1)
    - Records about customer property (clause 8.5.3)
    - Production/service provision change control records (clause 8.5.6)

    But you may also decide to document the production procedure, work instructions, etc. For more information about mandatory documents, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
  • Example of statutory and regulatory requirements for products


    Answer:

    Most products are not regulated in terms of quality, but for some of them there are requirements for raw materials, packaging, user manuals, etc. For example, plastics used for producing toys for children must comply with regulations regarding the content of the plastics, the concentration of some chemicals within the plastics, etc.

    For more information, see: How to include statutory and regulatory requirements in your QMS https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/
  • Documentation audit

    Are the documents of the SMI treated according to the requirements of the three ISO standards separately or integrated?

    Answer:

    QMS documentation comprises all documents and records required by the standard itself and the documents the company has determined to be necessary to maintain an effective QMS (Quality Management System). All documents that are part of your QMS will be audited, and the same document and record control rules should be applied unless the procedure for document and record control states otherwise.

    For more information, see: How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Retention of tooling records


    For example, a part is manufactured continuously and the expected product life is 10 years. Does that mean 10+1 years of tool records need to be maintained?

    Answer:

    The records for the tools need to be maintained during the active time of production, which means they are to be kept as long as the product is being produced plus one calendar year, not product lifetime plus one calendar year. Considering the changes in products, this time probably wouldn't reach 10 years, but you also need to consider customer and legal requirements when it comes to the retention of this type of document.