  • Internal Audit Checklist


    Answer: You can write one or more of the following types of evidence to support the decision that the audited area is compliant or not compliant with the requirement covered by the question:

    - Presence or absence of records, procedures, policies, or any other documentation defined by the ISMS;
    - Auditor's observation of a compliant or non-compliant situation; or
    - Declaration by a person with authority to do so (e.g., a manager or process owner).

    For example, for the question "Is the risk treatment process documented, including the risk treatment options?" if the audited area is compliant, you should write in the evidence column the identification of the procedure used by the audited area.

    2 - Do you have a list of that evidence?

    Answer: To answer this question, you must first understand that some questions are pretty straightforward, requiring only the existence of a specific document or record (like my previous example), but others require more analysis to ensure conformity. For example, simply having a documented scope cannot answer the question "Are the general ISMS objectives compatible with the strategic direction?". To verify compliance, you should understand the process that led to that scope and see how the strategic direction influenced its creation. In fact, most of an internal audit that adds value to the business is not about documentation, but about whether the processes and activities are capable of consistently meeting the requirements.

    That said, for a list of documents and records, you can consult this article to see not only mandatory documents (that for sure you can relate to the questions on the checklist), but also the most commonly used documents for ISO 27001 implementation (that may or may not cover the questions on the checklist, depending upon the context of the organization and audited area):

    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Regarding other evidence that would require more preparation to analyse and evaluate, I suggest you take a look at these materials, so you can know how to prepare yourself properly:

    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    Also, in the video tutorials that came with your toolkit, you can see examples of the mentioned types of evidence you can use to write your audit checklist.
  • Security in SDLC


    Answer: The whole section A.14 from ISO 27001 Annex A can provide you support for security testing to be included in your SDLC:
    - From control A.14.2.1 (Secure development policy) you can get support to establish high level rules for security testing (e.g., the need to perform security testing).
    - From control A.14.1.1 (Information security requirements analysis and specification) you can get support to establish security requirements for your systems (e.g., system should fail securely in case of error).
    - From control A.14.2.8 (System security testing) you can get support to establish how to perform security testing (e.g., white/black box testing).

    And finally, from the control A.14.3.1 (Protection of test data) you can establish directives to protect testing data, so the test conditions can emulate the real environment as closely as possible without putting the real data at risk.

    These articles will provide further explanation about Security in SDLC:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
    - What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

    These materials will also help you regarding Security in SDLC:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 implementation project


    Answer: Sure. In our free download area you can have access to the following material:

    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Diagram of ISO 27001:2013 Implementation (https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process) to help you get a view of the implementation process as a whole.
    - Project plan for ISO 27001 / ISO 22301 implementation (https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation) to help you document the project information

    These materials will also help you regarding ISO 27001 implementation project:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    To help you organize and manage your project, I suggest you take a look at our online ISO tool, Conformio (https://advisera.com/conformio/). When you open a free account you can get access to the most detailed list of steps in ISO 27001 implementation.
  • Risk Assessment and Treatment


    Answer: First of all, not all identified risks must be treated, only those considered unacceptable according to your established criteria and security levels.

    Considering this, a company can implement certain controls after the certification if: (1) all the major risks are resolved before the certification, (2) in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date, and (3) the risk owners have accepted the risks related to controls that will be implemented later.

    2 - Also, do you do ISO certification inspections?

    Answer: Unfortunately, we do not provide certification services because this would be a conflict of interest. We provide help with the implementation of a standard with our documentation toolkits, online courses, books and other online tools. This article will help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    This article will provide further explanation about Risk Assessment and Treatment:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding Risk Assessment and Treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 17020 and ISO 9001


    Answer:

    ISO 9001 and ISO 17020 have little in common since they cover completely different areas. ISO 17020 contains requirements for the competence of bodies performing inspection and for the impartiality and consistency of their inspection activities, while ISO 9001 specifies requirements for a quality management system. ISO 9001 can be used by an organization to meet the requirements in 8.2 to 8.8 of ISO/IEC 17020, but only when the QMS covers the activities of the inspection body.
  • Risks and opportunities and environmental aspects


    Answer:

    ISO 14001:2015 requires organizations to consider risks and opportunities related to environmental aspects, compliance obligations and the context of the organization. Although the standard does not make a distinction between significant and insignificant aspects regarding this matter, it does not require organizations to determine risks and opportunities for each environmental aspect. For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
  • GAP analysis before the implementation


    Answer:

    The gap analysis is not a mandatory step; it represents the usual practice. The purpose of the gap analysis is to determine to what level your company is already compliant with the standard and what needs to be done to achieve full compliance with the standard. It represents a good basis for planning the implementation, but again, the company can implement the standard even without using the gap analysis. For more information about the gap analysis, see: Should you use a gap analysis in your ISO 9001 implementation? https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
  • ISO standards for schools


    Answer:

    Implementation of management system standards has more or less the same workflow, but again it will depend on the standard that you want to implement. The first step is to conduct the gap analysis to determine to what level your organization is already compliant with the standard; in the case of ISO 9001, you can use this free gap analysis tool https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    Once you determine the gaps, you need to define what activities will be taken and what documents should be created to achieve full compliance with the standard, and this is where the implementation starts. The best way to implement the standard is to manage the implementation as a project, so you can develop a project plan for the implementation where you will define all roles and responsibilities in the project, all activities and documents, and resources and deadlines. Here you can find our free Project Plan for ISO 9001 implementation http://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word

    After the project is finished, you need to conduct an internal audit and a management review to make sure that your management system is compliant with the standard, and then you can hire a certification body to conduct the certification audit and issue your organization the certificate.

    For more information about implementation and certification steps, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Control of ISO documents


    Answer:

    The purpose of controlling the documents is to ensure that appropriate documents are available at the place of application and are adequately protected. In order to establish document control, you need to define how the documents are created and updated, and you also need to define how the following activities should be conducted:
    - distribution, access, retrieval and use;
    - storage and preservation, including preservation of legibility;
    - control of changes (e.g. version control);
    - retention and disposition.

    Besides defining how these activities will be carried out, you also need to define roles and responsibilities within the document control process. Also, you need to identify and control documents of external origin.

    For more information about document control, see: Some Tips to make Document Control more useful for your QMS https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Sensitive data back up


    Answer: Your scenario provides a reasonable justification to not back up customer sensitive data, but before going with that decision I would consider what the impact would be if, for any reason, during troubleshooting you render the data useless to proceed with the activity. One example is that you would have to ask the customer to send the data again. What would be the impact of that situation for you (e.g., for the image of the organization)?

    If you evaluate that there is no relevant impact regarding this situation, you can be fine with not doing that backup. If you consider that there may be a relevant impact, you can go for a different backup schedule, let's say something like making a single copy of the data to troubleshoot on, and keeping the original data away from the process, only for as long as the troubleshooting lasts. It's the standard procedure used by forensic investigators to work on evidence while preserving its integrity, which you can adapt to your availability needs.

    This article will provide further explanation about sensitive data backup:
    - Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/

    These materials will also help you regarding sensitive data backup:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/