Competencies for ISO 27001 implementation and management
Answer: ISO 27001 requires that people with roles and responsibilities regarding information security have competency in the activities to be performed, in terms of education, experience or skills. So, you do not have to have certain certificates if you can show your competence by other means, like a registry of the time you have been performing these activities.
Regarding the participation of the consultant, this is not mandatory, and if you are confident that you can handle some activities by yourself you do not need to use a consultant for them (instead of full-time work, you can use him only as a mentor to guide or review your work). For cases like this we also suggest that people take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit is made for companies that implement the standard for the first time and consider that they do not need a consultant for the whole project. You only have to scroll down the screen a little to access the free demo tab.
3 - Does a company that has ISO 27001 certification have to have a defined ISO or CISO function? Does that position require a certain mandatory certificate?
Answer: By the standard there is no mandatory requirement to designate a CISO function, but in operational terms it is a good idea to consider one. Again, there is no need for a certificate if you can show some other form of evidence that this person has the required competence (e.g., a registry of the years working in this function).
There are references to clause 5 of the standard in the Quality Manual, and there is a Quality Policy as a document explicitly required by the standard. The rest of the requirements from clause 5 do not require any documented information and therefore they are not documented within the toolkit.
Answer: In fact the question is the other way around: is IBM QRadar SIEM (a technical implementation) compatible with ISO 27002 (a guidance of best practices)?
- Provides real-time visibility into the entire IT infrastructure for threat detection and prioritization
- Reduces and prioritizes alerts to focus security analyst investigations on an actionable list of suspected, high probability incidents
- Enables more effective threat management while producing detailed data access and user activity reports
- Produces detailed data access and user activity reports to help manage compliance
- Offers multi-tenancy and a master console to help managed service providers provide security intelligence solutions in a cost-effective manner
The standard does not prescribe how the work instruction should be structured, nor does it prohibit using a different structure for different work instructions or even procedures. Instead of focusing on the form, the standard allows organizations to use any style or format that they find the most appropriate and effective.
An IATF 16949 implementation project suffers from the same risks as any other project: it can stretch for too long, it can go over budget, and so on. Such risks can be mitigated by identifying them at the beginning of the project and by taking appropriate actions.
As far as risk assessment requirements go, there are no significant changes between the old and new versions of the standard. FMEA is still a must, and as far as risks and opportunities are concerned, there is no extension of the requirements that ISO 9001:2015 has. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Evaluation of outsource partners
Answer:
The company needs to evaluate all its external providers of processes, products and services, and it can be done in different ways. Due to the different nature of relationships with customers and suppliers, the company will have to use different methods. A survey wouldn't be an appropriate methodology; rather, the company should define criteria that are important for it and evaluate the suppliers against those criteria. Criteria can be quality of products and services, price, packaging, etc.
In theory, the organization doesn't have to have any training records. For example, if it has only low-skilled workers that do not need any training, then the company can have a certificate without any training record. The standard requires the organization to retain appropriate documented information as evidence of competence. This means that the company needs to have at least some evidence of employees' competence, such as college degrees, high school diplomas, licences, etc., but they do not have to have training records if they determined that no training is needed. There is no requirement for employees to attend training on the policy or the standard itself, but if they attended any training, there should be a record of it.
Please let me know if this is sufficient for the ISO 27001 audit.
Answer: Yes. If your risk evaluation, considering your acceptance criteria, has defined that only 5 risks are considered unacceptable, you can have treatment plans only for these 5 risks.
In the video tutorials that came with your toolkit, you have access to a video about Risk Assessment Methodology that can provide you with more information about risk acceptance criteria.