
  • Is the risk assessment done before the BIA?


    Answer: ISO 22301 (and most other business continuity methodologies) allow you to do it either way, and the truth is - I don't think there is a huge difference. My personal preference is to do the risk assessment first, because then you'll have a better impression of which incidents can happen while doing your business impact analysis.

    You'll learn more here: Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
  • How to describe treatment options


    Answer: In the Risk treatment table, when you select the option "Transfer of a risk to a third party", then you shouldn't select the control in the next column; instead, you should simply write what is your intended action - in your case you should write "Purchase an insurance policy."

    By the way, in the video tutorial about Risk treatment plan (that you received with your toolkit), you'll see more examples on how to fill out these treatment options.
  • Inventory of assets


    Answer: In the Impact column you should copy the information from the Consequence column of the Risk assessment table. In the Notes column you should input any additional information you consider relevant regarding the asset that does not fit in any other column, e.g., "Asset maintenance contract is valid only until xx/xx/xxxx."

    This article will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding inventory of assets:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Integrating ISO 9001 and ISO 27001

    I have a few clarifications.
    1. We are implementing QMS as well as ISMS.
    Can we have a common document for Document_and_Record_Control taking care of QMS/ISMS requirements?
    If you have a combined format, can you please share it?
    Also, are there any other common procedures of ISMS used by QMS?

    You can merge the Procedure for Document and Record Control for ISO 9001 and ISO 27001 into one, especially because the requirements are practically the same. Besides this procedure, you can also merge the Procedure for Human Resources, Procedure for Management of Nonconformities and Corrective Action, Procedure for Internal Audit and Procedure for Management Review. Unfortunately, we currently do not have an Integrated Documentation Toolkit for ISO 9001 and ISO 27001, so we do not have a combined procedure. Here is one whitepaper that can be useful for mapping common requirements of ISO 9001 and ISO 27001; it refers to ISO 9001:2008 but you will get the idea:
    - ISO 9001 vs. ISO 27001 matrix https://info.advisera.com/9001academy/free-download/iso-9001-vs-iso-27001-matrix/

    2. Second clarification is on risk management. In the templates, Procedure_for_Addressing_Risks_and_Opportunities is about performing risk analysis at the QMS level or enterprise level. How do we modify it to cover project management risk? Is it like project managers/QA manager use the same risk methodology, and critical risks from projects get highlighted to the QA Manager and listed in enterprise-level risks? Please suggest.

    You can use the procedure for assessing project management risks. Basically, instead of writing risks regarding the context of the organization, you will assess risks for the project; those risks are not a part of the risks related to the context of the organization but belong to individual projects.

    3) Do you have a change control procedure in the template for 9001? I couldn't find one in the template.

    We do not have such a procedure because it is not mandatory; all information about the changes is stated in the Quality Manual. Here is one article about the integration of ISO 9001 and ISO 27001 that can be helpful to you:
    - How to integrate ISO 9001 and ISO 27001 https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
  • ISO 9001:2008 question.

    Thank you so much, Strahinja. You've confirmed my point: unless the frequency of the boiler being serviced is stated in the client's procedure, it cannot be considered a nonconformity.
  • Resolving 14001 certification audit findings

    Dear Strahinja, thank you for invaluable expertise and advice! I have a question in reference to ISO 9001:2008, can I post it here or on the 9001 blog?
  • Optimising ISMS management effort


    Answer: Considering the number of documents, you could advise him to review the need for them considering:

    - standard mandatory requirements (I'm assuming his ISMS is ISO 27001 certified, if not please disregard this)
    - contracts, statutory and other legal requirements
    - results of risk assessments
    - the organization's own decisions to adopt them (generally these are the main cause of too much documentation)

    If a document is not supported by any of these reasons, your client can consider excluding it from his ISMS. The documentation review could also consider reducing the number of documents by merging related information into fewer documents (e.g., backup and log guidelines could be merged into IT operational procedures).

    As for the question of too heavy information security policies and procedures, you could advise him to define high-level guidelines to be followed by all organizational units and let them define implementation details according to their local requirements (the "plan globally, implement locally" approach). This way there is a much better chance the security effort will be compatible with the risks they face.

    These articles will provide you further explanation about optimising ISMS management:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

    These materials will also help you regarding ISMS management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Business Continuity Plan in ISO 27001


    Answer: You need to include a Business Continuity Plan as an information security control, considering ISO 27001 certification only, if one of these situations applies:

    - There is a law, contract or other legal requirement demanding you to have a business continuity plan for information security
    - The Business Continuity Plan for information security is considered as a control to address risks identified as unacceptable in your risk assessments
    - Your organization decides to implement Business Continuity Plan for information security as a best practice

    If none of these situations apply, your organization does not need to implement a Business Continuity Plan for information security. From our experience, I could say to you that approximately 90% of companies include this control in their ISO 27001 implementation.

    If your organization decides to select this control, you should use the "Disaster Recovery Plan" from the toolkit to be compliant with ISO 27001.

    In the video tutorials that came with your toolkit, you will see information about risk assessment, risk treatment and how to identify applicable controls.
  • ISO 27001 and ISO 9001 and information security


    Answer: No. While ISO 27001's focus is indeed information security, ISO 9001's purpose is quality management (if you note, nowhere in ISO 9001 is the word "security" mentioned). Regarding the aspects covered, they are similar in some aspects (e.g., document and record control, internal audit, management review, etc.) but completely different in others (e.g., only ISO 27001 covers information security risk assessment, while only ISO 9001 covers product and service provision).

    These articles will provide you further explanation about how to work with ISO 27001 and ISO 9001 together:

    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    This material will also help you regarding how to use ISO 27001 and ISO 9001 together:
    - Free webinar ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Missed aspect

    Thank you!