
  • Activities after the implementation


    Answer:

    Documenting the EMS is only one of the steps in the implementation or transition. The documents cannot be created without a process-based approach. For example, when you conduct the identification and evaluation of environmental aspects, you need to examine all processes and activities to determine where the significant environmental aspects emerge and to define operational controls that will be applied in the appropriate activities and processes to decrease or prevent the impact on the environment.

    Once the documents are developed, they need to be applied in the organization. For example, document management must be conducted according to the procedure for document management, operational controls that are defined and documented need to be applied, etc. For more information, see: 5 tips to maintain your ISO 14001-based EMS after certification https://advisera.com/14001academy/blog/2016/01/11/5-tips-to-maintain-your-iso-14001-based-ems-after-certification/
  • Main objective of the EMS


    Answer:

    The main objectives of the environmental management system are to prevent pollution, meet compliance obligations and enhance conditions of the environment.

    A systematic approach to environmental management can provide the organization with information to build success over the long term and create options for contributing to sustainable development by:
    - protecting the environment by preventing or mitigating adverse environmental impacts;
    - mitigating the potential adverse effect of environmental conditions on the organization;
    - assisting the organization in the fulfilment of compliance obligations;
    - enhancing environmental performance;
    - controlling or influencing the way the organization’s products and services are designed, manufactured, distributed, consumed and disposed by using a life cycle perspective that can prevent environmental impacts from being unintentionally shifted elsewhere within the life cycle;
    - achieving financial and operational benefits that can result from implementing environmentally sound alternatives that strengthen the organization’s market position;
    - communicating environmental information to relevant interested parties.

    For more information about ISO 14001, see: ISO 14001: What is it, how does it work and why use it? https://advisera.com/14001academy/what-is-iso-14001/
  • Competence evidences for ISO 27001

    Question: Does this mean the competency only needs to be assessed of those who put together and manage the ISMS? I.e. me as head of Infosec and those who write or approve any policy? Or do we need to assess the competency of anyone who has to follow the policy?

    Answer: You need to assess the competency of anyone who has an impact on the performance of the ISMS, i.e. those who put together and manage the ISMS and also those who have to follow the policies.
  • Information security profile


    Answer: Yes, in the context of the Implementation process diagram, the security profile is exactly the Statement of Applicability, which shows what controls are applicable or not and why.

    These materials will also help you regarding information security profile:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Statement of applicability


    Answer:
    No, ITIL does not have something like statement of applicability.
  • Starting ISO 9001 implementation


    Answer:

    First, you need to get familiar with the requirements of the standard and then do a GAP analysis to determine to what extent your company is already compliant with the standard. Here you can find our free GAP analysis tool https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    Once you determine what the gaps are and what needs to be done, you can develop a project plan for the implementation where you will define activities to be done, documents to be developed, resources, responsibilities and deadlines. Here you can download our free project plan https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word

    Finally, you can start implementing the standard, and here you can find more information about the implementation steps: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Quality Assurance and Quality Policy


    Any advice is greatly appreciated.

    Answer:

    The Quality Policy is a general document that defines what the organization aims to accomplish with its Quality Management System (QMS), and it should not contain any precise details about how some activities or processes are done. It should contain statements that provide a framework for setting quality objectives, a commitment to satisfy applicable requirements and a commitment to continual improvement of the QMS.

    The Quality Assurance system will be incorporated in the policy if the policy states, for example, that the company strives toward providing high quality products and enhancing customer satisfaction. This statement is a framework for establishing a quality assurance process that will enable the company to accomplish its mission.

    For more information about the policy, see: How to Write a Good Quality Policy https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
  • ISO 27001 and ISO 9001 implementation


    (I will initiate an ISO 9001:2015 course for the implementation of certification for my company. I am also interested in knowing how to implement ISO 27001. My question is: what do you recommend me to do for these implementations? First the ISO 9001, or obtain the 2 certifications simultaneously?)

    Answer: ISO 27001 and ISO 9001 have a lot of requirements in common, so it is perfectly possible to go for the two certifications simultaneously, and in fact this can bring many benefits, like decreased costs in implementation and with internal audits, but first you have to consider your organization's situation in terms of available resources, knowledge and personnel.

    These articles will provide you further explanation about integrated implementation:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/

    These materials will also help you regarding integrated implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Information security policy communication


    Answer: In terms of communication, the standard only requires that the information security policy must be communicated within the organization, and that it is available to interested parties, as appropriate. So, the organization is free to decide how to do this, and having a signed copy posted in the office is only one alternative. The organization can define that the policy shall be available on the organization's web site, on banners in the corridors, communicated periodically in email newsletters, or available on the internal Document Management System. There is no mandatory way an organization should follow.

    These materials will also help you regarding Information security policy communication:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    Regarding the Document Management System, I suggest you see Conformio, our ISO online tool, so you can see an example of how to make the Information Security Policy available, as well as to know other resources that can help you implement and manage an ISO 27001 ISMS. The link to Conformio is https://advisera.com/conformio/
  • Risk assessment


    Answer: Regardless of the target of the assessment, proper risk assessment methods have these things in common:

    - they define the elements that will be under risk and need assessment (in the case of ISO 27001, these elements are information confidentiality, integrity and/or availability)
    - they define how to identify risk owners (those who are responsible for risk treatment)
    - they define clear criteria for risk assessment (normally by assessing the consequences and likelihood of the risk)
    - they define how the risk is calculated
    - they define criteria for accepting risks

    So, any method you choose that has these five characteristics will fit your needs. For information about risk assessment methodologies, please see this article: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    The most common method is the qualitative assessment, and for that you can see an example in this article:
    How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    Another method that you can consider is the quantitative assessment, and for that you can see more information in this article: Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

    2 - What are the attributes of selection of risk assessment tools and what are the best risk assessment techniques needed in such critical infrastructure especially in mitigating against an insider threat because insider threat is one of the biggest problems faced with nuclear industry today?

    Answer: For attributes to select a risk assessment tool you can consider orientations of ISO 31010, the ISO standard about risk assessment techniques. This standard defines 4 requirements to evaluate a tool:
    - Resources required to perform the assessment in terms of time to perform, expert knowledge, data gathering and cost
    - Complexity of the problem or situation to be assessed, as well as the specific methods required to be used
    - The level of uncertainty that can be accepted
    - If the method can offer a quantitative result

    In this article you can also find additional information about selecting tools: When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/

    For other tools, I suggest you to take a look at ISO 31010 (Risk management — Risk assessment techniques) at this link: https://www.iso.org/obp/ui/#iso:std:iec:31010:ed-1:v1:en

    In the second part of this question, I assume you want recommendations about risk treatment techniques. Generally speaking, you can consider physical and logical segregation controls, user management practices, and physical and logical monitoring to deter, prevent and detect attempts from insiders. See this article for more information: How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    3 - Where can I get your presentation on statement of applicability and risk treatment?

    Answer: You can see a free demo of these documents at these links:
    - Statement of Applicability https://advisera.com/27001academy/documentation/statement-of-applicability/
    - Risk Treatment Plan https://advisera.com/27001academy/documentation/risk-treatment-plan/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/