
  • Standards for preparedness against disasters


    Answer: ISO 22301 is a standard that focuses on continuing business operations after any kind of disruptive incident, including natural disasters. So, it can perfectly cover natural disasters as well. For specific details regarding preparedness of personnel and of business continuity and disaster recovery plans, I suggest you take a look at the following standards that are also part of the ISO 22301 series:

    - ISO 22313:2012 Societal security — Business continuity management systems — Guidance https://www.iso.org/obp/ui/#iso:std:iso:22313:ed-1:v1:en. It presents recommendations on how to implement the requirements of ISO 22301, including preparedness.
    - ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management https://www.iso.org/standard/50295.html
    - ISO 22398:2013 Societal security — Guidelines for exercises https://www.iso.org/obp/ui/#iso:std:iso:22398:ed-1:v1:en

    These materials will also help you regarding preparedness for natural disaster:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27001 main deliverables


    Answer: In terms of certification process, the main deliverables for ISO 27001 implementation can be seen in 4 groups: 1) mandatory documents and records; 2) non-mandatory documents; 3) physical and technical implemented controls; and 4) certification body documents.

    This article will provide you further explanation about ISO 27001 main deliverables related to certification process:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/

    In terms of benefits, a well implemented ISO 27001 ISMS can deliver enhanced competitiveness, reduction of operational costs, improved internal organization, and ease of maintaining conformity with legal requirements.

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding ISO 27001 main deliverables:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Customer complaints in insurance company


    Answer:

    The best way to approach this problem is to start recording the complaints and try to resolve them by corrective actions. In this way you will be able to determine the cause of the complaint and what deficiencies in the processes led to the complaint. You can also try to link the complaints with the relevant process that caused the complaint and record it in the list of complaints. In this way you will have a general overview of the complaints and causal processes, so you will know where to look for improvements.

    Repeated complaints are possible, but the company needs to determine whether they are reasonable or not. If they are, it is a symptom of a problem within one or more processes in the company. The best way to prove that the complaints are repeating is to record the complaints in a list of complaints; this record should provide you with a sufficient level of information to enable you to proceed with resolving the complaints. For more information, see: Effective complaints management in a QMS https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
  • Interested parties and leadership


    Answer:

    In order to identify relevant interested parties you need to consider all institutions, organizations and people that affect your EMS (Environmental Management System) or can be affected by it. There are internal and external interested parties. Internal interested parties include employees, top and mid management, while external interested parties include customers, suppliers, regulatory bodies and the local community. The organization must not only identify interested parties but also decide which interested parties are relevant to the organization and determine their needs and expectations towards the company's EMS. For more information, see: How to determine interested parties according to ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/

    The standard requires top management to define the Environmental Policy and environmental objectives, to assign roles and responsibilities within the EMS and to provide resources for the functioning of the EMS. Most of those requirements are met by actions rather than by documents and procedures, and they are also audited accordingly. All these requirements are placed in clause 5 Leadership and basically, the top management must only define the policy, and that is the only requirement beside the objectives that must be documented. For more information about the leadership, see: How to demonstrate leadership according to ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/
  • Managing records kept

    Hi Jack,

    Yes, several procedures can reference the same record. You don't have to list the record in every procedure, but in the body of the procedure you need to make reference to the record.
  • Compliance with ISO 27001


    Answer: For the identification of the mandatory documentation needed for compliance with ISO 27001 I suggest you take a look at this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Regarding the identification of documentation importance, I suggest you take a look at this article: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    Regarding the actions to be taken to ensure an ISMS is ready for certification, I suggest you see this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    2 - Also, during the assessment, there might be chances that some of the solutions, i.e. Access Control, Incident management, do not exist at all. In that case what would be the action item, because due to budget constraints, some of the solution deployments may not be feasible this year? Is there any alternative available to make us compliant without putting the actual solution in place?

    Answer: In some cases, it is possible to implement a control at some later time - however you need to fulfill the following: (1) there is no major risk with pending treatment, (2) the Risk Treatment Plan clearly defines that the control will be implemented at a later date, and (3) risk owners have accepted the risks related to the control that will be implemented later.

    These materials will also help you regarding compliance with ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment methodology and assets inventory


    Answer: The most common methodology you will find is the identification of assets, threats and vulnerabilities, mostly because it was defined by the old 2005 revision of ISO 27001, and although it is not mandatory any more, we consider it very useful in many scenarios.

    This article will provide you further explanation about risk assessment methodology:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    2 - Another question I have about these 16 points is: why is the inventory of information assets not there?

    Answer: Listing all the assets is a mandatory task in the risk assessment methodology referred to in the article you mentioned, so the inventory of assets is included in the risk assessment step.

    This article will provide you further explanation about assets inventory:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding risk assessment methodology and assets inventory:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment methodology


    Answer: Defining a methodology means defining the rules which will guide you through the risk assessment, exactly to answer questions like the ones you asked (others may be how to calculate a risk, how to decide whether to accept a risk or not, etc.), so all people in your organization will have the same criteria for assessing the risks, ensuring comparable and repeatable results. And besides making your risk assessment easier to handle, in terms of the standard, it is required that you first establish your methodology.

    As for the qualitative and quantitative approach, you can apply both according to your requirements, but in most cases for small and medium-sized businesses, the qualitative approach will be sufficient (quantitative assessment requires a complex mathematical approach justified only for a few high-impact risks).

    2 - Further, do you have any practical guide on risk assessment, for example identifying one asset and identifying related risks, threats and vulnerabilities in detail with a practical approach?

    Answer: In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment. Additionally, in the book Secure and Simple that you bought, you will find in sections 7.3 to 7.5 detailed information and examples of risk identification, and in appendix M you will find a useful catalogue of threats and vulnerabilities to help you build your risk assessment.
  • Management support and approval for an ISMS

    Hi, an answer to this question was posted under the title "Compliance List"
  • Processes vs. Procedures

    Do you have some type of template to help make the process easier to document?
    We're really under the gun because we missed this when we were first looking into the transition from 2004 to 2015 and now we have to submit all paperwork to our auditor by 3-13-17.

    Answer:

    A process represents a set of interrelated or interacting activities which transforms inputs into outputs. The key for a process is that it takes an input, performs some activities using that input, and then creates an output. On the other hand, a procedure is a “specified way to carry out an activity or a process.” So, when you have a process that needs to occur in one specific way, and you have specified how it is to happen, you have a procedure.

    It is important to note that not every process needs to have a procedure. For instance, if you have a process in which you only buy products from an approved supplier, but you do not have a defined way to add a supplier to that list, then you have a process but not a procedure to go with it.

    We do have process procedures for ISO 14001:2015; they are part of our documentation toolkit, but they can also be purchased separately. Here you can download a free preview of the toolkit https://advisera.com/14001academy/iso-14001-documentation-toolkit/