For a general question I can only give a general answer. Please check this free webinar on demand about Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar-on-demand/
Check particularly the slides about the improvement journey.
The following material will provide you with more information:
In the situation where you review the risks (i.e., the ISMS is already fully implemented), you need to go through your Risk assessment table and Risk treatment table and conclude whether there are any new risks and/or new controls that need to be addressed - if yes, you need to update these documents, and also reflect this change in the Statement of Applicability. If there are no new risks, you need to document this fact; the best way to do this is to inform top management at the next management review so that it is recorded in the Management review minutes.
We apologize for these problems - you are right, these elements of the IT Security Policy are not best suited for fully remote organizations, and we are working on making the appropriate corrections.
There are three options you can take:
(1) develop the IT Security Policy from a Word template where you can edit everything according to your preferences (we will send you the template free of charge) and then upload this document to Conformio, or
(2) declare the control A.11.2.9 Clear desk and clear screen policy as not applicable in your Statement of Applicability (you can do this only if there are no larger risks or requirements from interested parties), and then the sections "3.12.1. Clear desk policy" and "3.12.3. Protection of shared facilities and equipment" will be automatically deleted from the IT Security Policy, or
(3) adapt the text in Conformio's IT Security Policy according to the suggestions below:
- 3.12.1. Clear desk policy - leave the text as it is, because your remote employees might have some paper documents in the future (e.g., printed unlock keys for encrypted disks, Disaster Recovery Plans, etc.).
- 3.12.3. Protection of shared facilities and equipment - write the following: "Facilities for dispatch and receipt of postal mail do not exist in employees' home offices, and are protected by (this is not applicable)."
- 3.17 Teleworking - write the following "Teleworking must be authorized by the CEO by signing the employment contract."
ISO 27001 does not prescribe who must register users, so organizations can perform this task as they see fit for their needs.
In general, information system users are registered by IT personnel upon a formal request from the system owner.
This article will provide you with a further explanation of access control:
1 - I would like to do the ISO 27001 Internal Auditor Certification from Advisera, however, I would like to know whether the certification exam will be based on ISO 27001:2013 or ISO 27001:2022 or both.
The current certification exam for the ISO 27001 Internal Auditor Certification is based on ISO 27001:2013. The date from which the exam will be based on ISO 27001:2022 will be confirmed after the new version of the standard is released.
For further information, see:
2 - Also, we will be facing our 1st surveillance audit on June 13, 2022, my question is whether the newly added security controls will be checked by the auditor or it will be based on ISO 27001:2013 only.
On the date you stated, the audit will be based only on ISO 27001:2013.
For further information, see:
First, it is important to note that all mandatory, and some non-mandatory, documents are included. Documents related to Annex A controls can be found in the folder 08 Annex A Security Controls.
Please note that ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as a result of risk assessments, legal requirements, or organizational decisions. To see the required documents by the standard, and the most common documents implemented to support an ISMS, please see this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
The same concept applies to ISO 22301. For the ISO 22301 documents, please see: ISO 22301:2019 List of mandatory documents https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Our toolkits focus on small and mid-size companies, and that's the reason we do not write a separate document for each control of ISO 27001 Annex A – for many of those companies, such a large number of documents would be overkill. Instead, a single template may cover multiple controls.
In the root folder of the toolkit, you'll find a document called “List of Documents” that explains which clauses and controls are covered by which document.
Regarding clauses or annexes, please note that the text of ISO 27001 itself is not included in the price - it needs to be purchased separately; however, it is not essential for the implementation (the toolkit templates and related comments are all you need for the implementation).
There is no minimum number; a single-person laboratory can be accredited, as long as the lab has the necessary personnel resources and competence to meet the ISO 17025 requirements.
I'm assuming you are referring to ISO 27002, the standard which provides guidance for the implementation of the control requirements defined in ISO 27001 Annex A.
Considering that, please note that ISO 27002 is not mandatory to implement ISO 27001. ISO 27002 is usually used by consultants who want to learn more about the standard.
This article will provide you with a further explanation of ISO 27001 and ISO 27002:
I’m assuming that by “Annexure SL” you mean “Annex SL”.
Considering that, Annex SL is part of the document “ISO/IEC Directives, Part 1 - Procedures for the technical work”, and it can be found on the ISO site: https://www.iso.org/sites/directives/current/consolidated/index.xhtml#_idTextAnchor569
The Annex SL is not part of any ISO Management System Standard. It only supports the definition of a common framework for their development, so common clauses between different management systems can be treated in a similar way.
Considering that, ISO 27001:2022 will be compliant with Annex SL definitions.
For further information, see: