  • Management Representative for ISMS 2013


    Answer: A Management Representative is not a requirement in ISO 27001:2013, so you do not need an MR appointment letter for ISMS 2013. However, ISO 27001:2013 requires the definition of roles, responsibilities and authorities related to information security and, depending upon the organization's context (e.g., size, process complexity), it may define a role to coordinate information security (e.g., a security officer or a chief information security officer - CISO), in a job description or any other way the organization uses for assigning responsibilities.

    This article will provide you further explanation about roles and responsibilities:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

    These materials will also help you regarding roles and responsibilities:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • The Transition Toolkit and the transition process

    How long do I need to make sure my documentation for 9001:2015 is ready for an audit (I just need your expertise on this one because I want to finish within a month)? Is that possible? I already have the 2008 version existing for 3 years. I'm trying to plan how much time I have and include a budget for purchasing your kit.

    Answer:

    With the purchase of the Transition Toolkit you will receive the procedures, which are fully editable in Word format. You will get not only the new procedures, such as the Procedure for Determining Context of the Organization and Interested Parties, but also old procedures, such as the Procedure for Document and Record Control, that contain updates according to ISO 9001:2015. The changes are marked with the "track changes" tool so you can see exactly what the new version of the standard requires, and there are also comments that will help you in understanding what you need to do.

    Since you have already had your system for three years, you can conduct the transition within a month, especially because you will be entitled to our expert support, which includes a one-hour online meeting with an expert and unlimited support via email. There are also video tutorials that explain how to fill in the documents.

    Here you can see what the ISO 9001:2015 Transition Toolkit includes in terms of documents and support: https://advisera.com/9001academy/iso-90012015-transition-toolkit/
  • ISO20000 and ISO27001 documentation


    Answer: Yes, provided that the content of the document meets the requirements of ISO 27001.

    2 - How can the same documents be taken and only updated to indicate that they also are, or serve, for ISO 27001?

    Answer: You should check in your documented information control procedure (documents and records) how you indicate that a document is compliant with the ISO 20000 standard, and then use the same way to indicate that the document is also in line with the ISO 27001 standard. In general, policies or procedures state their application scope and the normative references used, and the reference to the scope of ISO 27001 and the clauses complied with may be included in these sections.

    3 - Is that possible?

    Answer: Yes, and the new versions of the standards, which are based on Annex SL, are facilitating this kind of integration.

    4 - Do separate documents have to be kept? One for each certification?

    Answer: Not necessarily. The needs of your organization are what will determine whether or not you need separate documents.

    This article will provide you further explanation about some documentation development: Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    This whitepaper can provide you information about similarities between ISO 27001 and ISO 20000: ISO 27001 vs. ISO 20000 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-20000-matrix
  • Environmental aspects and objectives


    Answer:

    The main requirement regarding significant environmental aspects is not to set environmental objectives for them (although it is recommendable) but to set operational controls to keep the impact of the aspects within acceptable boundaries. The objectives are short term and they provide effects within their deadline, while the operational controls are long-term measures to decrease environmental impact.

    You do not need to set a new objective regarding this environmental aspect, but you should set the operational control for it. For more information about environmental aspects and operational controls, see: Defining and implementing operational control in ISO 14001:2015 https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
  • How to speed up OHSAS 18001 implementation


    Answer:

    There are different approaches to the implementation of OHSAS 18001, and some are faster than others. The fastest way to speed up the implementation is by hiring a consultant, who will develop the documentation and provide you with information on what you need to do to achieve full compliance, but this is the most expensive solution.

    The second way to speed up the implementation is to use some online tools, such as our documentation toolkit. This approach requires you to fill in the documents and apply the new procedures by yourself, but you will receive know-how and support from us.

    For more information about different approaches in OHSAS 18001 implementation, see: Compare OHSAS 18001 implementation options https://advisera.com/18001academy/comparison/
  • Controlling emissions to air


    Answer:

    There is not much you can do once the pollutant is in the air, but you can install filters, and they can reduce the amount of the pollutant released into the air. Not every significant environmental aspect can be reduced to zero, but the company should do its best to reduce the pollution, and this is done through the operational controls. For more information on how to establish operational controls, see: Once a pollutant is emitted to air, what can we do to reduce its impact? https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
  • Risk assessment in OHSAS 18001 and ISO 9001

    Thx
  • Performing Risk Assessment and Treatment


    Answer: I assume you are referring to the Risk Assessment Table and the criteria provided in the Risk Assessment and Treatment Methodology document. The existing controls must be taken into account when determining the total risk, and they must be entered in the "Existing Controls" column of the Risk Assessment Table.

    2 - For example, if I do consider existing controls and assume they are good enough so that when combined with impact the total risk is 0, 1, or 2 – which I have defined as acceptable – would I have to write anything in “Means of implementation” on the Risk Treatment Table?

    Answer: If a risk you identified in the Risk Assessment Table already has a control implemented to treat it, you would only have to include it in the Risk Treatment Table if the existing control needs to be improved. Otherwise, you can keep the record only in the Risk Assessment Table.

    3 - If the existing control that I have judged to be strong is a control that directly matches a control in the ISO Appendix A, do I say on the Statement of Applicability that it is applicable?

    Answer: Yes, if you can match the implemented control with a control in ISO 27001 Annex A, you can state that the control is applicable in the Statement of Applicability.

    4 - Do my questions make sense?

    Answer: Yes, your questions all make sense, and your perception of what should be done is right. :)

    These materials will also help you in performing the risk assessment and treatment:

    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Continuing Professional Education (CPE) and ISO 27001


    Answer: The total CPE points you will earn after completing an ISO 27001 educational activity will depend upon the duration of the activity you attended (e.g., lead auditor training course, lead implementer training course, ISO 27001 workshops, etc.). The general rule is that you will get one CPE point for each hour of learning activity, but you have to check the CPE earning rules used by the organization to which you will report the activity.

    These articles will provide you further explanation about some ISO 27001 educational activities:

    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • Documenting the control A.17.1.2


    Answer: ISO 27001:2013 in its Annex A has control A.17.1.2 which says "organization shall ... document ... procedures ... to ensure the required level of continuity".

    By the way, in the article you're referring to we have said "Please note that documents from Annex A are mandatory only if there are risks which would require their implementation." - this means that control A.17.1.2 needs to be applied (and documented) only if it is applicable according to the results of the risk assessment.

    These materials will also help you regarding business continuity and information security:
    - article How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - webinar ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/