
  • PDCA cycle and productivity


    My answer:

    The name PDCA comes from the English words "Plan, Do, Check, Act". This methodology describes four phases that need to be carried out systematically in order to achieve continual improvement and, therefore, greater productivity in the company. When the final phase ("Act") is reached, you return to the first phase ("Plan") and the cycle is repeated again; in this way the activities are periodically re-evaluated.
    In addition, since the first step of the PDCA cycle is Plan, an initial diagnosis must be carried out, in which the activities in the organization that need to be performed to comply with the requirements of ISO 9001:2015 are determined. All of this will lead to greater productivity, working in a more effective way, since all processes will be aligned and understood by the organization's staff.

    For more information, see "Plan-Do-Check-Act in the ISO 9001 standard": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/planificar-hacer-revisar-actuar-en-el-estandar-iso-9001/
  • ISMS implementation

    Answer: The best way to establish an ISMS is by considering it as a project for the enterprise, and by adopting a well-proven framework, such as ISO 27001.

    These articles will provide you further explanation about ISMS implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/

    These materials will also help you regarding ISMS implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Free webinar – Seven key problems to avoid in ISO 27001 implementation https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
  • Internal auditor training


    Is it fine for a company in which none of the staff hold a standard internal auditor training qualification, but only an intensive training certification?

    Thank you for your reply.

    Answer:

    Both ISO 9001 and ISO 14001 do not require internal auditors to have accredited certificates for internal auditors, so the company can send its auditors to any training that it finds appropriate. For more information, see: ISO 9001 internal auditor training: Is it for me? https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • IRCA auditor

    Just as a background: we (our team of 3) have just finished the ISO 27001 (ISMS) 5-day training course, and we have also cleared the written examination.
    However, as the trainer explained to us on the final day, for us to be IRCA certified Lead Auditors we need to pay a certain royalty fee to IRCA, and we also need to gain some experience as observers/auditors within a certain time frame. So, could you please explain the process further?

    Answer: IRCA's fees vary from country to country. You can find precise information regarding your country here: https://www.quality.org/content/irca-fees
    Regarding audit experience, you must have at least 20 days of auditing, including at least 15 on site (this generally covers 3 or 4 certification audits). For more information, see: https://www.quality.org/article/auditor
  • Organizational context

    Please specify in which type of context an organisation has its own controls, and in which it does not.

    Answer: For different contexts you can consider banks, hospitals and internet providers. All of them have specific business requirements that drive information security. Banks need to protect account holders' financial data, hospitals need to protect patients' health data, and internet providers must protect users' data flow. All of them must protect confidentiality, integrity and availability, but for different information and to different degrees, so they will require different control sets and security levels.

    For example, the acceptable delay in providing information for an internet user can be completely different from that for a hospital patient, leading to a different set of controls.

    Regarding responsibility for controls, organizations that run their own IT infrastructure own many more controls than those that outsource it, for example by adopting a Software as a Service solution.

    These articles will provide you further explanation about Organizational context:
    - Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding Organizational context:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Non Disclosure Agreement


    Answer: Most frequently, the durations used for NDAs are 2, 3 and 5 years, but you can define a different period based on a risk assessment (an NDA can even last forever), and you do not have to define one single period for all your information. But you have to note that the longer the period, the greater the cost involved.

    This article will provide you further explanation about handling classified information:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding handling classified information:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Cryptography verification


    Answer: Cryptographic controls can be tested during information system development or operation. During development, you can ensure testing by applying controls from section A.14 (14.2.8 - System security testing and 14.2.9 - System acceptance testing), and for regular testing in operation, controls A.14.2.3 - Technical review of applications after operating platform changes and A.18.2.3 - Technical compliance review are good choices.

    This article will provide you further explanation about security testing:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

    These materials will also help you regarding security testing:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • BCP content


    Disaster declaration procedure: this content focuses on the criteria to be evaluated so that a disaster situation can be identified and properly communicated.
    Emergency notification procedure: this content focuses on the means and activities required to alert people about an emergency situation. This content differs from disaster declaration because it considers faster and local responses (e.g., a building evacuation), while disaster declaration involves incidents of greater scale.
    Incident response procedure: this content focuses on how to react initially to an incident in order to reduce the damage.
    Recovery procedure: this material focuses on the activities required to bring operations back to agreed service levels, regardless of whether this is on the original site or not.

    2 - What other procedures are contained in the BCM plan other than the above?

    Answer: You can also find as BCP content:

    a - the communication plan, covering activities to ensure information flow for the organization's employees and emergency services, as well as which information should be communicated to the media.
    b - specific procedures for critical assets, like servers, information systems and key personnel.

    3 - Should the BCM plan be one big book containing the above or should each be written separately?

    Answer: Since BCPs cover multiple issues, in operational terms you should keep multiple BCPs, each one of them as small as possible, with only the necessary information for each team that will use them (e.g., systems recovery team, facilities disaster recovery team, emergency teams, etc.). In management terms, you can also keep one or two copies with all the BCPs, so you can use them to keep track of all plans, which will make their review easier.

    This article will provide you further explanation about documenting a BCP:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    These materials will also help you regarding documenting a BCP:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27000 series quotations in academic work


    (I am doing a TCC (Course Completion Work) on Information Security Policy in the course of Information Systems and would like to know if I can quote texts from the ISOs of the 27000 family as direct and indirect quotations in the TCC, even without actually buying any standard.)

    Answer: To access the content of the standards you do not necessarily have to buy them. You can access them through a library or another authorized source (e.g., a standard acquired by the company where you work).

    If you have had access to the content of the standards in an authorized manner, you can make use of direct quotations. Otherwise, you should only use indirect quotations, referencing authors that you have read in an authorized manner who include these standards in their own bibliographies.
  • ISO 9001 nonconformities during IATF 16949 internal audit

    Thank you in advance and wish you a nice day,

    Answer:

    IATF 16949 includes all requirements of ISO 9001:2015, so if you find nonconformity regarding ISO 9001 requirements, that nonconformity can be raised during IATF 16949 internal audit.