Search results

  • Having only one quality objective


    Answer:

    The standard doesn't prescribe how many objectives an organization needs to have, so your QMS with only one objective will be compliant with the standard, even without a justification for having only one objective in the manual. The certification auditor will probably frown upon this approach, but he cannot report it as a nonconformity as long as you comply with the requirements of the standard related to objectives. For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • Risk assessment flowchart


    Answer: At this moment we do not have this kind of flowchart for sale. This flowchart was created as free material to help security practitioners understand and show the asset-threat-vulnerability risk assessment and treatment approach.

    For help with modelling other assets, I suggest you take a look at the free demo of our Risk Assessment Toolkit at https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit has all the documents you will need to identify the information for modelling a similar flowchart. Another source is the book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • IT audit


    Answer: First of all you must define an audit methodology, and after that identify the audit scope (e.g., processes, assets, locations, etc.) and which references you'll be using to perform the audit (e.g., ITIL, ISO 27001, etc.). With this information you can build a proper audit plan.

    I suggest you take a look at this free online course to get a better view of the audit process: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    2. Can I use the knowledge of ISO 27001 to conduct one?

    Answer: Yes. Many of the ISO 27001 requirements and controls are perfectly applicable to audit IT environments.

    3. Must the company be certified?

    Answer: This will depend upon the requirements of the audit client (the person or organization that demands the audit). You should verify this with the organization.

    4. Which certification body do we use in case the client wants to be certified?

    Answer: This is a decision of the organization that wants to be certified, because there are many variables to be considered that will impact not only operations but future strategic decisions.

    This article will provide you further explanation about certification bodies:
    - How to choose a certification body https://advisera.com/27001academy/knowledgebase/how-to-choose-a-certification-body

    These materials will also help you regarding IT audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Stage 1 of the certification audit


    Answer:

    During stage 1 of the certification audit the auditor will examine your documentation, and this will help him to develop stage 2 of the certification audit, which is also called the main audit. The stage 1 audit can be done at your company's location, or the auditor can conduct it in his office; this stage of the audit is performed during both certification and surveillance audits.

    The main purpose of the stage 1 audit is to show whether your documentation is compliant with the standard and what areas of your QMS require special attention during the main audit. After the stage 1 audit you will receive a report and you will have to resolve nonconformities (if they exist) prior to the main audit.

    For more information, see: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/blog/2016/05/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
  • Document Controller and Management Representative


    Answer:

    The document controller can be the management representative. The standard does not prescribe the required qualifications of the MR, but it is reasonable to expect that the MR is familiar with the requirements of the standard. The MR's responsibilities include coordinating the QMS, defining the internal audit program, reporting to top management, etc.

    For more information about responsibilities of the MR, see: Additional Responsibilities of Quality Management Representatives https://advisera.com/9001academy/blog/2014/05/27/additional-responsibilities-quality-management-representatives/
  • Datacenter audit


    I would assume that, as an audit company, you would have done a lot of work certifying data centers. Hence there will be materials or journals with checklists or things to look out for in ensuring that a data center is fit for purpose. I am currently reading Dejan's book on cyber security. I hope this is a useful hint as to what I am hoping to get from you.

    Answer: We are a company focused on providing ISO standards related resources so organizations can be compliant with those standards and seek out certification if they desire, but we do not provide audit services.

    Regarding material for audit or review of data center environment, I suggest you take a look at the free demo of our Internal Audit Checklist at https://advisera.com/27001academy/documentation/internal-audit-checklist/

    This checklist can provide you information on what to consider for a data center according to ISO 27001.

    As an external resource I suggest you consult the standard TIA 942, revision A (2014), which specifies the minimum requirements for telecommunications infrastructure of data centers and computer rooms. For additional information you can take a look at https://en.wikipedia.org/wiki/TIA-942

    The link to buy this document is https://global.ihs.com/doc_detail.cfm?&csf=TIA&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA%2D942&input_doc_title=

    This article will provide you further explanation about ISO 27001 and datacenters:
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski
    https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
  • Risk assessment questionnaire


    Answer: No. Although many questions are common, each questionnaire should also contain questions regarding the specific business process under assessment, and elaborating a single questionnaire to try to cover all possible questions is impractical. When you do an interview you adjust your questions "on the fly", depending on the interviewee's answers and your own perception. Questionnaires are useful when you need to gather specific information. When you do not have a focus to work on, it is better to use interviews.

    Our ISO 27001 toolkits work with the asset-threat-vulnerability approach, using a risk assessment sheet which needs to be filled out, together with a video tutorial which explains how this is done, so in this case the use of a questionnaire is not really applicable to risk assessment. You can take a look at the free demo of our Risk Assessment Table at this link https://advisera.com/27001academy/documentation/risk-assessment-table/

    This article will provide you further explanation about risk assessment methods based on interviews, checklists and other tools:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Scope definition


    Answer: Yes, you may have problems with this approach. Information needs change more dynamically than the other common aspects used for scope definition (business units, processes and business locations), and you may end up with more administrative effort to manage this kind of scope.

    Besides that, you may also have processes working with information that is both inside and outside the scope, and this requires more effort than simply considering all the information included in the scope.

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Example of assets


    Answer: For a manufacturing company, information assets you may consider would be product specifications, production line configuration parameters, production reports, client lists, production plans, etc. The main idea is that you think about which kinds of information could have an impact on your production if they were disclosed, changed without authorization or lost.

    This article will provide you further explanation about how you can identify information assets:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding identification of information assets:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Segregation of responsibilities


    Answer: When there is a single person responsible for both networks and applications, there is an increased risk that a malicious or unintentional misconfiguration leaves information exposed to unauthorized people.

    For example, application servers sharing the same network with workstations makes infrastructure administration easier, but increases the risk of unauthorized access. Another example is an administrator who opens a service port on a server and, by configuring a network path, uses it to remotely access the server when organizational policy prohibits that.

    By segregating network and applications responsibilities it is more difficult for a single person to make such a mistake or intentional violation of access rights.

    These articles will provide you further explanation about job segregation:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
    - Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/

    These materials will also help you regarding job segregation:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
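The misconfiguration the answer above describes (a service port opened on a server and a firewall path added so that it becomes reachable from a network the policy does not permit) can be caught by an audit check that compares the firewall allowlist against the written exposure policy. The following is an added example and is not code from the original answer or from Advisera; the network zones, the rule format (an allowlist with implicit default deny), the listening-service inventory and the policy table are all constructed for illustration.

```python
"""Segregation check: which server ports does the firewall ruleset expose to
which network zones, and does that match the written exposure policy?

Added example; not code from the original page. Zones, rule syntax, the
service inventory and the policy are constructed for illustration.
"""
import ipaddress

# Constructed network zones.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "jump":         ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed policy: server port -> zones that may reach it.
# Administrative ports are reachable only from the jump-host network.
POLICY = {
    22:   {"jump"},
    3389: {"jump"},
    443:  {"workstations", "jump", "servers"},
    5432: {"servers"},
}

# Constructed listening-service inventory: host, address, TCP port
# (the kind of data `ss -tlnp` on each server would give you).
SERVICES = """\
web01 10.20.0.5 443
web01 10.20.0.5 22
db01  10.20.0.9 5432
db01  10.20.0.9 3389
"""

# Constructed firewall allowlist: allow <src cidr> <dst cidr> <port|any>.
# Anything not matched by an allow rule is denied.  The last rule is the
# "network path" an administrator added for his own workstation.
RULES = """\
allow 10.30.0.0/24 10.20.0.0/16 22
allow 10.10.0.0/16 10.20.0.0/16 443
allow 10.20.0.0/16 10.20.0.0/16 5432
allow 10.10.0.50/32 10.20.0.9/32 any
"""


def parse_services(text):
    """Return [(host, ip_address, port), ...] from the inventory text."""
    out = []
    for line in text.splitlines():
        if line.strip():
            host, ip, port = line.split()
            out.append((host, ipaddress.ip_address(ip), int(port)))
    return out


def parse_rules(text):
    """Return [(src_net, dst_net, port_or_None), ...]; only allow rules exist."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, src, dst, port = line.split()
        if action != "allow":
            raise ValueError(f"allowlist only, got: {line!r}")
        out.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                    None if port == "any" else int(port)))
    return out


def exposures(services, rules):
    """Map (host, port) -> set of zone names that some allow rule lets in.

    Overlap is tested per rule, so a single /32 exception inside a zone
    counts as exposure of that zone (a probe from one sample host would
    miss it).
    """
    result = {}
    for host, ip, port in services:
        zones = set()
        for src, dst, rport in rules:
            if ip not in dst or rport not in (None, port):
                continue
            zones.update(name for name, net in ZONES.items()
                         if net.overlaps(src))
        result[(host, port)] = zones
    return result


def violations(services, rules, policy=POLICY):
    """Sorted [(host, port, zone), ...] where a zone is exposed but not allowed.

    A port missing from the policy is treated as not exposable to any zone.
    """
    out = []
    for (host, port), zones in exposures(services, rules).items():
        for zone in sorted(zones - policy.get(port, set())):
            out.append((host, port, zone))
    return sorted(out)


if __name__ == "__main__":
    for host, port, zone in violations(parse_services(SERVICES),
                                       parse_rules(RULES)):
        print(f"VIOLATION {host}:{port} reachable from zone '{zone}'")
```

On the constructed data the check reports db01:3389 and db01:5432 as reachable from the workstation zone, both caused by the single /32 exception; the legitimately allowed paths (HTTPS from workstations, SSH from the jump network, the database port from other servers) produce no findings. Run as part of the internal audit, this kind of check is the technical counterpart of the job segregation the answer recommends: whoever changes the ruleset is not the one who decides what the policy permits.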