  • What % of companies have already transitioned to ISO 9001:2015?

    Probably about 25%, since there are still two more years for the transition.
  • Defining BCMS scope


    Answer: The BCMS should be implemented in all departments that can affect your organization's capability to deliver your products and/or services. For example, in the beverage industry the logistics department plays a crucial role in delivering the products, so it should be considered in a BCMS implementation. The same applies to air traffic control activities for airports. So, you should consider the nature of your business products and/or services to identify in which departments the BCMS should be implemented.

    This article is related to ISMS, but can provide some tips about defining a BCMS scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    These materials will also help you regarding BCMS scope definition:
    - Book Becoming Resilient, The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Free online training ISO 22301: An overview of the BCM implementation process https://advisera.com/27001academy/webinars/
  • Threats identification

    thanks, very helpful input. will consider your suggestions.
  • ISO 27005 and ISACA RiskIT


    Answer: Unfortunately we do not have this kind of material in our toolbox, but the RiskIT framework material provided by ISACA, in Appendix 2, has a high-level comparison with other risk management standards and frameworks, including ISO 27005. To download this material you only have to have a site login, which you can obtain free of charge. What I can tell you without incurring an Intellectual Property Rights violation is that the ISO 27005 processes (risk analysis, identification, estimation, and evaluation) are covered by RiskIT process RE2 (Analyse Risk), but since RiskIT is a more specific framework, it has a deeper level of detail than ISO 27005.
  • Certification audit findings


    I am confused about that. I have seen many report samples on Google, but every one is different from the others. Should I submit the stage 1 report with a mention of all nonconformities and their corrective actions, or should I just submit a list of what I find, whether negative or positive?

    Answer:

    During both stages of the certification audit, the auditor can find minor and major nonconformities and observations. If you found any nonconformity during the stage 1 audit, you should write it in your report, but you shouldn't write corrective actions, because it is up to the organization to decide what kind of corrective action it will take to address the nonconformity.

    For more information, see: How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
  • Audit checklist


    Answer: External audit stage 1 verifies whether your documentation (e.g., policies and procedures) complies with the ISO 27001:2013 mandatory requirements (e.g., is there an information security policy?), so you have to verify that you meet all "must" statements presented in the standard. Stage 2 looks for evidence that the procedures are implemented and achieving the expected results. The main checklists you have are the Statement of Applicability, where all the controls considered relevant are listed, and the Risk Treatment Plan, which lists how they are implemented. From there you will find which documents and records you have to present to the auditor.

    These articles will provide you further explanation about audit readiness:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    These materials will also help you regarding audit readiness:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27017 and ISO 27018 implementation

    I mean our company just develops and deploys our software in the cloud and gives access to our different customers. We are NOT a cloud hosting company like xxx or xxx.

    Answer: As you said, you provide the SaaS service to your customers; it does not matter if you use a third party's infrastructure to do that. If their contractual relationship is with you, any problem your customers have that is caused by the cloud service provider you selected, they will charge to you. So, I would recommend that you implement both ISO 27017 and ISO 27018, so you have means to ensure that the cloud service provider you use to provide your SaaS service properly protects both its cloud infrastructure and your customers' data.

    This article will provide you further explanation about supplier management:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These articles will provide you further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    These materials will also help you regarding supplier management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • EU GDPR

    Answer: An interesting question. In Article 4, Definitions, at no point does the regulation mention the type of media that contains the information. The definitions cover what is done with the information. So, in a broader sense, EU GDPR is applicable to physical data. You may note that when data is not in transit it is stored in some physical place, e.g., a server or backup media, that must be protected properly.

    2 - What does EU GDPR say about channels like cloud, mobile??

    Answer: EU GDPR does not make reference to specific technologies (when they are referred to, the term used is only "technology" or "technologies"). Thus, for EU GDPR, it does not matter where information travels or by what means it is processed. If you deal with personal information from EU citizens, the EU GDPR applies.

    These articles will provide you further explanation about EU GDPR:
    - What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/articles/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Management Representative in ISO 27001:2013

    There is no universal rule about which role should be in a higher position (e.g., both can report to top management, the CISO may report to the MR, both can report to other different roles in the organization, etc.), so you have to evaluate your organizational context to define which case is more adequate for your organization.

    Regarding the elaboration of policies and procedures, both roles are required to have competency in elaborating policies and procedures, with the CISO specialized in information security requirements and the MR specialized in management system requirements (in an ISMS with no MR, the CISO has to cover both information security and management system requirements).

    As for documentation approval, generally policies and procedures which have an overall impact on the organization are approved by top management (e.g., quality policy, information security policy, procedure for control of documents and records, etc.), specific information security related policies and procedures are approved by the CISO, and other policies and procedures are approved by the MR.

    These articles will provide you further explanation about the CISO and document management:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Document control


    Answer:

    The standard requires the documents to be available at the place of application, so the approved versions of procedures, work instructions and records must be available where they are needed. The original or approved version of a document can be kept in the library, but copies must be distributed to the place of application.

    This requirement raises many other issues, such as availability of the right version of the documents, and withdrawal, update and distribution of the documents and records. For that reason, the standard defines all these activities, and for every document there should be information about the valid version as well as a distribution list, so that when the document is updated the company knows where the documents are that need to be withdrawn and replaced with new ones.

    For more information about document control, see:
    - Some Tips to make Document Control more useful for your QMS https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/