
  • Acceptable level of risk


    Answer: ISO 27001 does not prescribe an acceptable level of risk, which means that each company must set its own acceptable level of risk - this is usually done through the Risk assessment methodology.

    See these articles for explanation:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    These materials will also help you regarding acceptable level of risk:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • PPAP and occurrence, severity and detection


    Answer:

    Production part approval process (PPAP) is used in the automotive supply chain for establishing confidence in component suppliers and their production processes. Actual measurements are taken of the parts produced and are used to complete the various test sheets of PPAP.

    The result of the PPAP approval process is a series of documents gathered in one specific location (a binder or electronically) called the "PPAP Package". The PPAP package is a series of documents which need a formal certification/sign-off by the supplier and approval/sign-off by the customer. The form that summarizes this package is called the PSW (Part Submission Warrant). The signature in the supplier certification area of the PSW indicates that the supplier-responsible person (usually the Quality Engineer or Quality Manager) has reviewed this package and that the customer-responsible person (usually a Supplier Quality Engineer or Supplier Quality Manager) has not identified any issues that would prevent its approbation.

    PPAP is the confirmation that the product meets the customer requirements for series production. The PPAP will be considered signed when a full PSW is approved by your customer and added to the PPAP folder.

    PPAP does not require severity, occurrence and detection to be defined; those values are determined by applying the FMEA risk assessment methodology, and the results of this assessment are inputs for the PPAP. For more information about FMEA, see: Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
  • Process capability and Process Capability Index


    Cp (Process Capability Index) estimates what the process is capable of producing if the process mean were to be centered between the specification limits. It assumes that the process output is approximately normally distributed.

    Unfortunately, I cannot write you the formulas because of limitations in this writing tool, but you can find them online.
  • Documenting the context and risks and opportunities

    1 - the organization context.
    2 - the risks and opportunities; how to arrange that in relation to the other processes for the documentation of ISO 9001:2015

    Answer:

    Both clause 4.1 Determining context of the organization and clause 6.1 Addressing risks and opportunities do not require documents. It is completely up to the organization to decide how it will document those requirements, and even whether it is going to document them at all. However, since they are new requirements, I suggest that companies develop documented procedures for those clauses.

    When developing a procedure for determining the context of the organization, it is important to define who will be involved in determining the context of the organization, what elements of the context need to be considered, which parts of the context will be documented, and how often the context will be reviewed. For more information about the context of the organization, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/ Also, you can download a free preview of our Procedure for Determining Context of the Organization and Interested Parties https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/

    In the case of addressing risks and opportunities, if you decide to create a documented procedure, you will again need to define the responsibilities within this process, and also the methodology, criteria for acceptance, and frequency of revision. For more information about risks and opportunities, see How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/ and you can also download a free preview of our Procedure for Addressing Risks and Opportunities https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/

    The way you address these clauses will not affect the other processes but rather the results of determining context and risks and opportunities will affect the processes. For example, the risk assessment may result in actions that include development of additional work instructions or making changes in the processes to avoid nonconformities.
  • ISO 27001 records of implementation

    1. Risk treatment plan (clauses 6.1.3 e and 6.2) to evidence what was planned for the control implementation (e.g., policies, procedures, trainings, etc.).
    2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
    3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
    4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
    5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
    6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
    7. Results of corrective actions (clause 10.1), to evidence improvement

    Answer: The risk treatment plan evidences only that you made a plan to implement controls. You will need all the other listed information to evidence that the controls are actually in place, operating, and being followed up properly, and that information will be spread across many areas of your organization (e.g., HR, operations, top management, etc.). You can think of the risk treatment plan as the source you will consult to find where all the "records of implementation" are.

    This article will provide you further explanation about what to consider as evidences of implementation:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    These materials will also help you regarding evidences of implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Datacenter procedures


    Answer: We don't have specific procedures for data center asset management in our documentation, but according to the processes you mentioned, I suggest you take a look at the following documentation:

    - Inventory of Assets https://advisera.com/27001academy/documentation/inventory-of-assets/
    - Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/
    - Internal Audit Checklist https://advisera.com/27001academy/documentation/internal-audit-checklist/

    Each document makes reference to which ISO 27001:2013 Annex A control they cover, so you can use this information to identify which items in the Internal Audit Checklist you need to use.

    There are free demos of them, so you can verify whether they meet your needs.

    These articles will provide you further explanation about how this documentation can help in asset management:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding how this documentation can help in asset management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 Controls and Controls Objectives


    Answer: I assume you are referring to how many controls and controls objectives exist in ISO 27001:2013. In this case I can tell you ISO 27001:2013 Annex A has a total of 114 controls, grouped in 14 security control categories. Regarding control objectives, there are 14 control objectives, one for each security control category.

    This article will provide you further explanation about controls:
    - Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/

    These materials will also help you regarding controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Local vs. centralized Service Desk


    Both of the solutions have some pros and cons. Here are the characteristics.

    Local Service Desk:
    - Physically situated on the user site
    - No language or cultural barriers
    - Same time zone
    - Specialized user groups
    - Specialized or customer-aligned services, including specific knowledge
    - Users have "VIP" treatment

    Central Service Desk:
    - Service Desk employees located at a central site
    - Cost-efficient
    - Greater call volume
    - Higher skill level
    - "Training effect"
    - Additional local presence possible

    Read the article "ITIL Service Desk types" https://advisera.com/20000academy/blog/2014/05/06/itil-service-desk-types/ for more information.
  • Information Security metrics


    Answer: A metric is something used to verify if an effort is leading toward defined objectives. Thus, good metrics for ISO 27001 must:

    - Be closely related to information security objectives (clause 6.2), or you will end up with metrics that no one will care about. For example, for the objective "information security culture disseminated in the organization", a good metric would be "number of employees who know the security policy", or "employees' knowledge level about information security practices".
    - Be capable of expressing the effort's results in a way that makes sense for the objective. In the examples, the "number of employees" and the "knowledge level" give you a good perception of how disseminated the information security culture is.
    - Represent only a tiny fraction of the effort to achieve the result. Generally, well-planned processes and projects already possess internal metrics that can be used, so no new measurement effort is needed. Still considering the example, training effectiveness evaluation and personnel performance evaluation, common HR practices, can be used to provide the data.

    This article will provide you further explanation about defining metrics:
    - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

    These materials will also help you regarding metrics definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Toolkit application


    Answer: Besides a practical environment to implement a toolkit, I would advise you to try one of these strategies:

    - Identify a potential scenario of your company, or other company you know, and simulate an implementation
    - Search in Google for lists like "top ten information risks" or "main information risks by industry", and from those lists try to follow the implementation path

    In those scenarios the simulation would follow these steps: risk assessment and treatment, controls elaboration, and audit checklist elaboration. Also try to simulate that some controls have problems, identifying what we call the "triple nonconformity elements" (the rule to be followed, the situation that is breaking the rule, and verifiable evidence), so you can state a proper nonconformity. By doing that you will be capable of understanding the whole implementation process in a broader view, which will facilitate your understanding when working on a specific scenario.

    These materials will also help you regarding the needed steps for a certification:

    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/