
  • Assets valuation and the information classification policy


    Answer: I assume you are referring to how to valuate an asset, considering the information it handles. A direct answer would be to use the results of the risk assessment, i.e. the higher the impact you identified for a particular asset, the higher the level of classification you should use.

    This article will provide you further explanation about risk assessment:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding risk assessment and information classification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course
    https://advisera.com/training/iso-27001-foundations-course/
  • Implementation steps for OHSAS 18001


    Answer:

    The best way to start with the implementation is to get familiar with the requirements of the standard first and then to conduct a gap analysis to determine to what level your company is already compliant with the standard and what needs to be done to achieve full compliance. Here you can find our free Gap Analysis tool https://advisera.com/18001academy/ohsas-18001-gap-analysis-tool/

    Once you determine what needs to be done, it is good to develop a project plan for the implementation, to define deadlines for each step as well as the responsibilities. Here you can download our free Project Plan for OHSAS 18001 Implementation https://info.advisera.com/18001academy/free-download/project-plan-for-ohsas-18001-implementation

    When you finish the implementation, you can hire a certification body to conduct the certification audit and issue your company the certificate.

    For more information about implementation and certification steps, see: OHSAS 18001 Implementation diagram https://info.advisera.com/18001academy/free-download/ohsas-18001-implementation-diagram
  • Quality Policy as a framework for quality objectives

    5.2.1 Establishing the quality policy: "Top management shall establish, implement and maintain a quality policy that:
    b) provide a frame for setting quality objectives" ... what does it mean?

    Answer:

    The purpose of the Quality Policy is to define the general mission and vision of the company and to provide the strategic direction in which the company is going. It contains statements regarding different aspects of the QMS (Quality Management System) that demonstrate the company's commitment to satisfy applicable requirements and strive towards continual improvement.

    All the statements in the Quality Policy provide a framework for setting Quality Objectives. For example, if you say in your policy that your company is committed to enhancing customer satisfaction, this statement provides you with a framework for the objectives regarding customer satisfaction. An objective based on this statement in the policy would be to increase customer satisfaction by 10% in the next year.

    For more information about the policy, see: How to Write a Good Quality Policy https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
  • Determining physical boundaries of the scope


    Answer:

    Physical boundaries of the scope of the EMS need to be determined if you decide to limit your scope only to certain departments or processes in your company and not the entire company. In that case, you need to specify which departments, offices and facilities are included in the scope of the EMS.
  • Internal and external issues for processes


    Answer:

    Internal and external issues don't have to be determined on the process level; they should be determined on the global level for the entire company and QMS. What can be determined for each process are risks and opportunities, and those should be related to the quality of process outputs. For example, you can determine the risks of nonconformities occurring in the process, or the opportunities to improve the process performance.

    For more information, see:
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
  • Gap analysis for ISO27001 and ISO 22301


    Answer: Although ISO 27001:2013 and ISO 22301:2013 share the same basic structure, based on Annex SL, they have some slight text differences in chapters 5, 6, 7, 9 and 10, and are totally different in chapter 8, which makes it impractical to use Advisera's Free ISO 27001 Gap Analysis Tool to perform a gap analysis for ISO 22301.

    2 - Can the "ISO 27001/ISO 22301 Internal Audit Toolkit" be used as a gap analysis as well?

    Answer: In general, an internal audit toolkit can act as a gap analysis tool, because one of its contents is the internal audit checklist. Specifically about the ISO 27001/ISO 22301 Internal Audit Toolkit you mentioned, it has sections dedicated to both ISO 27001 and ISO 22301 requirements (sections 1 and 2, respectively), and you can use these sections to perform a gap analysis regarding an ISMS or BCMS.

    This material will also help you regarding ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27001 Annex A controls and the Statement of Applicability


    Answer: According to ISO 27001:2013, clause 6.1.3 d), all the 114 controls described in Annex A must be listed in the SoA. The controls which are not needed, because there are no related risks or requirements of interested parties to justify their implementation, can be marked as not applicable.

    This article will provide you further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding the Statement of Applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course
    https://advisera.com/training/iso-27001-foundations-course/
  • Information Security Policy review

    Answer: There is no need to elaborate a new version of the Information Security Policy if there are no changes in the ISMS scope, but you also must consider that other changes in internal or external elements that can affect the ISMS can require an Information Security Policy review, like changes in the organizational context, the purpose of the organization or the information security objectives. One way to verify this need is through management reviews.

    These articles will provide you further explanation about information security policy review:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

    This material will also help you:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

  • RA and BIA in a single document


    Answer: I assume you are referring to placing the Risk Assessment and the Business Impact Analysis in a single document. I would not recommend placing them in a single document for two reasons: the first, as you said, is that both may become large documents by themselves, making a single document impractical to use; the second, and the most relevant reason, is that since they are used in different contexts, and for different purposes, documenting them together would mean that someone accessing one of them (RA or BIA) would unnecessarily have access to the other, increasing the risk of unauthorized information disclosure.

    This article will provide you further explanation about risk assessment and business impact analysis:

    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    These materials will also help you:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
