Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Asset register
1 - We as an organisation have a LinkedIn account, which have a number of contacts on so would we need to put this on the register?
Answer: If your organization uses this account to help support the business you should include it as an asset, because it contains information that should be properly protected (the business contacts). To help you define this need you can ask yourself "what if I do not have access to information from this account any more?"
2 - What about our email folders and actual emails, do they have to be recorded on the register?
Answer: Also yes if these emails contain information the business needs to be performed and the loss of these will affect the organization capacity to do business. But you do not need to refer to the e-mail folders and e-mails themselves in the register. You can included only the relevant e-mail account (e.g., CEO email account) or e-mail service (if you are using a cloud service like Gmail).
3 - Some of the girls in the office record information on Notebooks and store them in locked draws when they are not in use, again would these need to be recorded on the register?
Answer: Again you have to think about what would happen to the business if the information on these notebooks was lost (in case of a robbery or damage of the notebooks, at least you would have a financial loss regarding the equipment). If the impact is relevant to the organization it should be considered in the asset register.
This article will provide you further explanation about asset registry:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding asset registry:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Integrating ISO 27001 and ISO 9001
(In our organization, we were able to certify ISO 9001, and we are considering achieving a certification in 27001. From your experience, you believe that the implementation of 27001 could have a shorter time curve in relation to the 9001 already fulfilling some requirements of the rule? Could you give us some tips to facilitate the implementation of 27001?)
Answer: Certainly yes. As you said ISO 9001 implementation already covers many requirements from ISO 27001, which can help speed up the process. For detailed information about implementing integrated systems I suggest you these material:
- How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Competencies for ISO 27001 implementation and management
Answer: ISO 27001 requires that people with roles and responsibilities regarding information security have competency on the activities to be performed, in terms of education, experience or skills. So, you do not have to have certain certificates if you can show your competence by other means like the registry of the time you've been performing these activities.
Regarding the participation of the consultant, this is not mandatory, and if you are confident that you can handle some activities by yourself you do not need to use a consultant for them (instead of a full time work, you can use him only as a mentor to guide or review your work). For cases like this we also suggest people to take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit is made for companies that implement the standard for the first time and consider they do not need a consultant for the whole project. You only have to scroll down the scree a little to access the free demo tab.
This articles will provide you further explanation about competencies and implementation process:
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
2 - If it is necessary to have the certificate for the part of the first revision and the preparation which one would you recommend?
Answer: Regarding certification, I suggest you to consider ISO 27001 Lead Auditor, because this one will give you an insight on how the mind of a certification auditor works, and with that you can better manage your system. Another interesting training is the ISO 27001 Lead Implementer, but this one does not provide an international recognized certification as the Lead Auditor, but it can help you with insights in the implementation process. For more information see:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
3 - Does the company that has ISO 27001 certification must have defined ISO or CISO function? Does that position require certain mandatory certificate?
Answer:By the standard there is no mandatory requirement to designate a CISO function, but in operational terms it is a good idea to consider one. Again, there is no need for a certificate if you can show some other form of evidence that this person has the required competence (e.g., a registry of the years working in this function)
This article will provide you further explanation about CISO:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
These materials will also help you regarding ISO 27001 competencies:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Clause 5 and ISO 9001 Documentation Toolkit
Answer:
There are reference to clause 5 of the standard in the Quality Manual and there is a Quality Policy as a document explicitly required by the standard. The rest of the requirements from clause 5 do not require any documented information and therefore they are not documented within the toolkit.
For more information on requirements of the clause 5, see: How to comply with new leadership requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/ -
ISO 27001 and EU GDPR
Can you please help me to outline this process.
Answer: For information about ISO 27001 and EU GDPR I suggest you these materials:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ -
ISO 27002 compatibility
Answer: In fact the questions is in the other way around, is IBM QRadar SIEM (a technical implementation) compatible with ISO 27002 (a guidance of best practices)?
According to manufacturer information (https://www.ibm.com/us-en/marketplace/ibm-qradar-siem) IBM QRadar SIEM:
-Provides real-time visibility to the entire IT infrastructure to threat detection and prioritization
- Reduces and prioritizes alerts to focus security analyst investigations on an actionable list of suspected, high probability incidents
- Enables more effective threat management while producing detailed data access and user activity reports
- Produces detailed data access and user activity reports to help manage compliance
- Offers multi-tenancy and a master console to help managed service providers provide security intelligence solutions in a cost-effective manner
These features do help comply with controls of ISO 27002 like 12.4 Logging and monitoring, 12.6 Technical vul nerability management, 16.1 Management of information security incidents and improvements, but for a precise answer information about specific parameters of this tool and ISO 27002 controls applied should be analysed.
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/ -
Structuring work instructions
Answer:
The standard does not prescribe how the work instruction should be structured neither it prohibits to use different structure for different work instructions or even procedures. Instead of focusing on the form, the standard allows organizations to use any style or format that they find the most appropriate and effective.
For more information, see: 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/ -
Risks with IATF 16949 implementation
Answer:
IATF 16949 implementation project suffers from the same risks as any other project, it can stretch for too long, it can go over budget and so on. Such risks can be mitigated by being identified at the beginning on the project and by taking appropriate actions.
As far as risk assessment requirements goes, there are no significant changes between the old and new version of the standard. FMEA is still a must and as far as risks and opportunities are concerned, there are no extension of requirements that ISO 9001:2015 has. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/ -
Evaluation of outsource partners
Answer:
The company needs to evaluate all its external providers of processes, products and services and it can be done in different ways. Due to difference of nature of relationships with customers and suppliers, the company will have to use different methods. Survey wouldn't be appropriate methodology but rather the company should define crtiria that are important for it and evaluate the suppliers against those criteria. Criteria can be quality of products and services, price, packaging, etc.
For more information, see: Purchasing in QMS – The Process & the Information Needed to Make it Work https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/