1 - We as an organisation have a LinkedIn account, which have a number of contacts on so would we need to put this on the register?
Answer: If your organization uses this account to help support the business you should include it as an asset, because it contains information that should be properly protected (the business contacts). To help you define this need you can ask yourself "what if I do not have access to information from this account any more?"
2 - What about our email folders and actual emails, do they have to be recorded on the register?
Answer: Also yes if these emails contain information the business needs to be performed and the loss of these will affect the organization capacity to do business. But you do not need to refer to the e-mail folders and e-mails themselves in the register. You can included only the relevant e-mail account (e.g., CEO email account) or e-mail service (if you are using a cloud service like Gmail).
3 - Some of the girls in the office record information on Notebooks and store them in locked draws when they are not in use, again would these need to be recorded on the register?
Answer: Again you have to think about what would happen to the business if the information on these notebooks was lost (in case of a robbery or damage of the notebooks, at least you would have a financial loss regarding the equipment). If the impact is relevant to the organization it should be considered in the asset register.
(In our organization, we were able to certify ISO 9001, and we are considering achieving a certification in 27001. From your experience, you believe that the implementation of 27001 could have a shorter time curve in relation to the 9001 already fulfilling some requirements of the rule? Could you give us some tips to facilitate the implementation of 27001?)
Competencies for ISO 27001 implementation and management
Answer: ISO 27001 requires that people with roles and responsibilities regarding information security have competency on the activities to be performed, in terms of education, experience or skills. So, you do not have to have certain certificates if you can show your competence by other means like the registry of the time you've been performing these activities.
Regarding the participation of the consultant, this is not mandatory, and if you are confident that you can handle some activities by yourself you do not need to use a consultant for them (instead of a full time work, you can use him only as a mentor to guide or review your work). For cases like this we also suggest people to take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit is made for companies that implement the standard for the first time and consider they do not need a consultant for the whole project. You only have to scroll down the scree a little to access the free demo tab.
3 - Does the company that has ISO 27001 certification must have defined ISO or CISO function? Does that position require certain mandatory certificate?
Answer:By the standard there is no mandatory requirement to designate a CISO function, but in operational terms it is a good idea to consider one. Again, there is no need for a certificate if you can show some other form of evidence that this person has the required competence (e.g., a registry of the years working in this function)
There are reference to clause 5 of the standard in the Quality Manual and there is a Quality Policy as a document explicitly required by the standard. The rest of the requirements from clause 5 do not require any documented information and therefore they are not documented within the toolkit.
Answer: In fact the questions is in the other way around, is IBM QRadar SIEM (a technical implementation) compatible with ISO 27002 (a guidance of best practices)?
-Provides real-time visibility to the entire IT infrastructure to threat detection and prioritization
- Reduces and prioritizes alerts to focus security analyst investigations on an actionable list of suspected, high probability incidents
- Enables more effective threat management while producing detailed data access and user activity reports
- Produces detailed data access and user activity reports to help manage compliance
- Offers multi-tenancy and a master console to help managed service providers provide security intelligence solutions in a cost-effective manner
The standard does not prescribe how the work instruction should be structured neither it prohibits to use different structure for different work instructions or even procedures. Instead of focusing on the form, the standard allows organizations to use any style or format that they find the most appropriate and effective.
IATF 16949 implementation project suffers from the same risks as any other project, it can stretch for too long, it can go over budget and so on. Such risks can be mitigated by being identified at the beginning on the project and by taking appropriate actions.
As far as risk assessment requirements goes, there are no significant changes between the old and new version of the standard. FMEA is still a must and as far as risks and opportunities are concerned, there are no extension of requirements that ISO 9001:2015 has. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Evaluation of outsource partners
Answer:
The company needs to evaluate all its external providers of processes, products and services and it can be done in different ways. Due to difference of nature of relationships with customers and suppliers, the company will have to use different methods. Survey wouldn't be appropriate methodology but rather the company should define crtiria that are important for it and evaluate the suppliers against those criteria. Criteria can be quality of products and services, price, packaging, etc.