Answer: First, thanks for buying our book. In it you will find very precise steps about where to start from and what to do, regarding the ISO 27001 implementation project, choosing the certification body, and the certification process.
2 - Is it worth it to certify my processes (hardware)?
Answer: ISO 27001 certification considers a scope defined in terms of information, processes or organizational units, so you cannot certify hardware, but it will hardly be out of any type of scope you decide to define.
4 - What do you suggest to certify at first (server, processes, site)?
Answer: For small organizations (i.e., up to 100 employees), the best course of action is to consider certification of the whole company (site). For those that are bigger, certifying one department or one location to start with, and then increasing the size of the scope as needed, is a better option.
Do changes in top management require changes in the documentation?
Answer: The documentation should reflect the current situation in the company, and the documents to be changed should be the ones directly related to the top management, e.g. the Quality Policy. However, if the process procedures, policies, etc. remain the same as they were before the change, there is no need to change them just to replace the name of the person who authorized them. The most important thing for each document is whether the approved version is in the place of application, not who approved the document.
For the documents you decide to change, you need to apply your procedure for document control. I assume that your procedure requires you to record the change in the section "change of document", where you need to write what has changed, who made the change and when. Again, depending on the rules prescribed by your procedure for document control, you need to perform withdrawal of obsolete documents; the standard doesn't define how to do it, so all you need to do is to follow your procedure.
The standard requires the organization to determine interested parties and their needs and expectations relevant to the Quality Management System, and to monitor information about these interested parties and their requirements. If you meet these requirements, you are compliant with the standard. It is up to the company to decide to group the interested parties based on their requirements, functions, importance or any other criteria that the company determines; there is no requirement to name the parties individually.
All these elements, if we talk about the objectives, are a product of practice, and it is a proven method for establishing and achieving the objectives. The information needed for evidence-based decision making is required by the standard, and again the standard is made according to best practices that ensure the quality of the products and services and customer satisfaction.
Internal Audit Checklist
Answer: You can write one or more of the following types of evidence to support the decision that the audited area is compliant or not with the requirement covered by the question:
- Presence or absence of records, procedures, policies, or any other documentation defined by the ISMS;
- Auditor's observation of a compliant or non-compliant situation; or
- Declaration by a person with authority to do so (e.g., a manager or process owner).
For example, for the question "Is the risk treatment process documented, including the risk treatment options?" if the audited area is compliant, you should write in the evidence column the identification of the procedure used by the audited area.
2 - Do you have a list of that evidence?
Answer: To answer this question, you must first understand that some questions are pretty straightforward, requiring only the existence of a specific document or record (like my previous example), but others require more analysis to ensure conformity. For example, simply having a documented scope cannot answer the question "Are the general ISMS objectives compatible with the strategic direction?". To verify compliance you should understand the process that led to that scope and see how the strategic direction influenced its creation. In fact, most of an internal audit that adds value to the business is not about documentation, but about whether the processes and activities are capable of consistently meeting the requirements.
That said, for a list of documents and records, you can consult this article to see not only mandatory documents (that for sure you can relate to the questions on the checklist), but also the most commonly used documents for ISO 27001 implementation (that may or may not cover the questions on the checklist, depending upon the context of the organization and audited area):
Regarding other evidence that would require more preparation to analyse and evaluate, I suggest you take a look at these materials, so you can know how to prepare yourself properly:
Also, in the video tutorials that came with your toolkit, you can see examples of the mentioned types of evidence you can use to write your audit checklist.
Security in SDLC
Answer: The whole section A.14 from ISO 27001 Annex A can provide you support for security testing to be included in your SDLC:
- From control A.14.2.1 (Secure development policy) you can get support to establish high level rules for security testing (e.g., the need to perform security testing).
- From control A.14.1.1 (Information security requirements analysis and specification) you can get support to establish security requirements for your systems (e.g., system should fail securely in case of error).
- From control A.14.2.8 (System security testing) you can get support to establish how to perform security testing (e.g., white/black box testing).
And finally, from control A.14.3.1 (Protection of test data) you can establish directives to protect testing data, so the test conditions can emulate the real environment as closely as possible without putting the real data at risk.
To help you organize and manage your project, I suggest you take a look at our online ISO tool, Conformio (https://advisera.com/conformio/). When you open a free account you can get access to the most detailed list of steps in ISO 27001 implementation.
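As an added illustration of the test-data point above (this is example code written for this page, not code from the original answer, from Advisera or from the standard): control A.14.3.1 asks that test data be protected while the test environment still resembles production. The script below pseudonymises a constructed customer extract with a keyed hash, so the test copy keeps a realistic shape and referential integrity, and then checks that no original identifier or e-mail survives in the test copy. The records, the key placeholder, the `test.invalid` sink domain and all function names are assumptions for illustration only.

```python
"""Added example: produce a pseudonymised test dataset from a constructed
'production-like' extract and verify that no real identifier leaks into it.
All records and the key below are constructed placeholders, not real data."""
import hashlib
import hmac

# Constructed sample records standing in for a production extract.
PRODUCTION_RECORDS = [
    {"customer_id": "C-10001", "email": "alice@example.com", "balance": 120.50},
    {"customer_id": "C-10002", "email": "bob@example.org", "balance": -30.00},
    {"customer_id": "C-10003", "email": "carol@example.net", "balance": 0.0},
]

# Hypothetical per-environment secret; in practice it comes from a vault
# and is never shipped alongside the test data it protects.
PSEUDONYM_KEY = b"test-env-secret-placeholder"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 10) -> str:
    """Deterministic keyed pseudonym (truncated HMAC-SHA256).

    The same input always yields the same token, so foreign keys across
    tables stay consistent in the test copy, but the token cannot be
    reversed to the original value without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymise_record(rec: dict) -> dict:
    """Replace direct identifiers and keep non-identifying business fields.

    The balance is kept unchanged so tests still exercise realistic values
    (negative, zero, fractional); the e-mail keeps a valid shape so input
    validation paths run, but points at a reserved domain that never delivers."""
    return {
        "customer_id": f"T-{pseudonym(rec['customer_id'])}",
        "email": f"user-{pseudonym(rec['email'])}@test.invalid",
        "balance": rec["balance"],
    }


def build_test_dataset(records: list[dict]) -> list[dict]:
    """Pseudonymise every record of the extract."""
    return [pseudonymise_record(r) for r in records]


def leaked_values(original: list[dict], test: list[dict]) -> list[str]:
    """Return every original identifier or e-mail that still appears verbatim
    anywhere in the test dataset. An empty list means the check passed."""
    sensitive = {r["customer_id"] for r in original} | {r["email"] for r in original}
    blob = repr(test)
    return sorted(s for s in sensitive if s in blob)


if __name__ == "__main__":
    test_data = build_test_dataset(PRODUCTION_RECORDS)
    for row in test_data:
        print(row)
    leaks = leaked_values(PRODUCTION_RECORDS, test_data)
    print("leak check:", "PASS" if not leaks else f"FAIL: {leaks}")
```

The leak check is the part worth keeping in a pipeline: run it as a gate before a refreshed dataset is copied into the test environment, and fail the refresh if the list is not empty.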
Risk Assessment and Treatment
Answer: First of all, not all identified risks must be treated, only those considered unacceptable according to your established criteria and security levels.
Considering this, a company can implement certain controls after the certification if: (1) all the major risks are resolved before the certification, (2) in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date, and (3) the risk owners have accepted the risks related to controls that will be implemented later.
2 - Also, do you do ISO certification inspections?
Answer: Unfortunately, we do not provide certification services because this would be a conflict of interest. We provide you help with the implementation of a standard with our documentation toolkits, online courses, books and other online tools. This article will help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
ISO 9001 and ISO 17020 have little in common since they cover completely different areas. ISO 17020 contains requirements for the competence of bodies performing inspection and for the impartiality and consistency of their inspection activities, while ISO 9001 specifies requirements for a quality management system. ISO 9001 can be used by an organization to meet the requirements in 8.2 to 8.8 of ISO/IEC 17020, but only when the QMS covers the activities of the inspection body.