Answer:
Based on the details, I assume you are implementing an Information Security process and related controls.
I would suggest that you reach an agreement at company level on which document confidentiality levels you will use. In this way you will avoid having different confidentiality levels (e.g., for the same kind of document).
Training on non-conformities
(Hi, good afternoon, the 4 books I bought are very helpful. But I lack more training in raising NON-CONFORMITIES. How can you help me with that?)
Answer: To raise a non-conformity you need to identify three conditions:
1 - the situation itself that demonstrates the non-conformity
2 - the requirement being followed (e.g., procedure, policy, or standard clauses)
3 - the evidence (e.g., lack of a record)
Answer: Yes, you can use the hours of attended Advisera online courses to claim PDUs for your PMP certification. You only have to ensure you keep evidence of attending the course, to present in case PMI requests it as part of its random audit process. This evidence may be the confirmation of your enrolment in the course or the course certificate (I suggest you verify in the PMI PDU program which one is better).
Understanding clause 9.3.2
I need your expertise in understanding clauses 9.3.2c (3) and 9.3.2c (5) of the ISO 9001:2015 standard.
I would appreciate it if you could provide examples to satisfy these requirements.
Thank you in advance.
Answer:
Clause 9.3.2c) (3) requires the organization to gather information on trends in process performance and conformance of products and services. This means that the organization needs to determine its key process indicators and measure them to gather information on process performance. As an input for product conformance, the company can use its registry of nonconformities to see how many products or services were nonconforming to the requirements. For more information, see: How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
Clause 9.3.2c) (5) requires the organization to gather information on trends in monitoring and measuring results. The organization needs to define what needs to be monitored and measured and how frequently; for example, the organization can measure customer satisfaction twice a year and present top management with information on whether customer satisfaction increased or not. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
Becoming an ISO 22301 Lead Auditor
Answer: If you are aiming for an accredited certificate (which is internationally recognized and part of the process to become an auditor for a certification body), to my knowledge there are no ISO 22301 Lead Auditor courses offered online at the moment in the market.
These materials are focused on ISO 27001, but the logic is the same for ISO 22301.
Risk Assessment
Now that the Asset Register is complete, including all assets (software, computers, accessories, servers, information and infrastructure), is it best to risk-assess each item on the register to understand the threats and vulnerabilities?
Answer: Yes, you have to assess the risks for all assets on the asset register. The understanding of ISO 27001 control A.8.1.1 - Inventory of assets is that all assets in the inventory (asset register) are considered relevant in the life cycle of the information, so if you do not assess the risk for one asset you have on the register, you either have a non-conformity issue, or that asset should not be in the register at all. But you should note that you also have to add your employees and suppliers to the register (because of the competencies and resources they provide) - you need to perform risk assessment on them, too.
I need to ask you which framework we should use to do an IT audit; I know that there are different methodologies like COBIT, ISO 27001 and NIST.
Answer: This answer will depend upon the purpose of your audit:
- If your purpose is to verify IT governance practices, you should use COBIT as the main reference.
- If your purpose is to verify IT information security management practices, you should use ISO 27001 as the main reference.
- If your purpose is to verify IT practices related to computer security, you should use the NIST SP 800 series as the main reference.
In case your audit covers a mix of these purposes, you should make a combination of these standards.
A competitor can't be considered an interested party because its interests collide with the interests of the organization. For example, competitors are interested in gaining a bigger share of the market, so they would like the organization to provide low-quality products at a higher price, and this is definitely not the kind of need and expectation you want to meet.
Answer: In terms of challenges, you can mention production losses due to information security related incidents, fees and legal actions for non-compliance with legal requirements, internal confusion regarding who must do what and when, and the difficulties in maintaining a good public image. An ISMS can help handle all these items. For example, by implementing proper security controls you can minimize the occurrence and/or impact of incidents, and by establishing policies and procedures you can define clear responsibilities and actions to be performed in relevant situations.
Or could you help me with a sample DLP framework defining exactly what it should contain, or relevant references/links?
Answer: Unfortunately we do not have such specific material, but for determining the rights of employees I suggest you take a look at these materials:
ISO 27018 guidelines: This standard aims to protect the Personally Identifiable Information of customers that make use of cloud services, considering the point of view of both customers and providers. You can check the orientations for customers to get an idea of what to consider for your employees. For detailed information see: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
CISPE Code of Conduct: Cloud Infrastructure Service Providers in Europe (CISPE) is a coalition of technology companies focused on the provision of cloud computing infrastructure services, and this code is an effort to help customers and providers comply with the EU GDPR. You can find more information here: Data Privacy Protection, ISO 27001 and CISPE Code of Conduct https://advisera.com/27001academy/blog/2016/10/31/data-privacy-protection-iso-27001-and-cispe-code-of-conduct/