What to do about assets and risks that change after risk assessment
Thank you so much. I thought that was the right thing to do.
Controls implementation, SoA and audit
Answer: The auditor can accept certain controls stated in the SoA to be implemented after the certification if: (1) all the major risks are resolved before the certification, (2) in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date, and (3) the risk owners have accepted the risks related to controls that will be implemented later.
Answer: Unfortunately we do not have a specific sample for banks, but in the following material you can find a series of vulnerabilities and threats you can identify as applicable to your scenario:
In the video tutorial that came with your toolkit you can see examples of how to fill out all the data for Risk assessment and Risk treatment, and adapt those examples with the relevant vulnerabilities and threats you found in the catalogue.
Qualification of Quality Management Representative
Does he/she need to be certified or not?
Answer:
In the 2015 version of the standard there is no longer a requirement for a management representative, but even in the 2008 version of the standard there were no explicit requirements for the qualification of the MR (management representative). Considering the roles and responsibilities of the MR, the MR is expected to be familiar with the requirements of the standard and the processes within the company, but there is no requirement for being certified, although it can be an advantage for the candidate for MR.
Answer: First, thanks for buying our book. In it you will find very precise steps about where to start from and what to do, regarding the ISO 27001 implementation project, choosing the certification body, and the certification process.
2 - Is it worth it to certify my processes (hardware)?
Answer: ISO 27001 certification considers a scope defined in terms of information, processes or organizational units, so you cannot certify hardware, but it will hardly be out of any type of scope you decide to define.
4 - What do you suggest to certify at first (server, processes, site)?
Answer: For small organizations (i.e., up to 100 employees), the best course of action is to consider certification of the whole company (site). For those that are bigger, certifying one department, or one location, to start from and after that increasing the size of the scope as needed is a better option.
Do changes in top management require changes in the documentation?
Answer:
The documentation should reflect the current situation in the company, and the documents to be changed should be the ones directly related to the top management, e.g. the Quality Policy. However, if the process procedures, policies, etc. remain the same as they were before the change, there is no need to change them just to replace the name of the person who authorized them. The most important thing for each document is whether the approved version is in the place of application, not who approved the document.
For the documents you decide to change, you need to apply your procedure for document control. I assume that your procedure requires you to record the change in the section "change of document"; here you need to write what has changed, who made the change and when. Again, depending on the rules prescribed by your procedure for document control, you need to perform withdrawal of obsolete documents; the standard doesn't define how to do it, so all you need to do is to follow your procedure.
The standard requires the organization to determine interested parties and their needs and expectations relevant to the Quality Management System and to monitor information about these interested parties and their requirements. If you meet these requirements you are compliant with the standard. It is up to the company to decide to group the interested parties based on their requirements, functions, importance or any other criteria that the company determines; there is no requirement to name the parties individually.
All these elements, if we talk about the objectives, are a product of practice, and it is a proven method for establishing and achieving the objectives. The information needed for evidence-based decision making is required by the standard, and again the standard is made according to best practices that ensure the quality of the products and services and customer satisfaction.