
  • To whom will the auditor speak?


    Answer: During the ISMS audit both the internal and the external (certification) auditor have the right to speak to anyone in the company, so they can speak to people from the IT department, the security department, the CEO or any business department.

    The point of the audit is to find out whether the employees are complying with the policies and procedures, and these documents are not only applicable to the security department.

    This free online training explains the whole audit process: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Information security board


    Answer: ISO 27001 does not define any requirements for information security boards; this phrase is not even mentioned in the standard. If you wish, you can organize some kind of body that will coordinate information security activities, but it is not mandatory, and you can organize its work any way you want.

    On the other hand, the role of the top management in a company is strictly defined by ISO 27001 - you'll learn about it in these articles:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
  • ISO 9001 implementation from scratch


    Answer:

    The first step in the implementation is to conduct a GAP analysis to determine to what extent your company has already met the requirements of the standard and what needs to be done to achieve full compliance (here you can find a free GAP analysis tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/). Once you determine this, you can create the project plan (here you can download a free Project Plan for ISO 9001 implementation: https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word) and define the activities, responsibilities and deadlines for the project.
    After you finish implementing the standard, you need to conduct an internal audit and a management review, and hire a certification body to conduct the certification audit. For more information, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Excluding certain departments from the ISMS scope


    Answer: Yes, ISO 27001 allows you to set the scope of your ISMS to cover only one part of your organization. However, this is not recommended for smaller organizations (fewer than 100 employees) - this is because all parts of your organization that are outside of the scope will be treated as the "outside world", which means you will need to protect the information within the ISMS scope from those departments which are outside of the scope.

    This problem is described in detail in this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    For a larger organization, it is quite normal to go with a smaller scope, because the project is going to be quicker and cheaper.

    Read also: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Attesting to ISO 27001 compliance


    However, many folks I work with often inquire about or request some form of attestation of compliance (e.g. not certification, but some form of attestation that they are compliant with the standard). My inquiry was more about that… Can anyone attest to 27001 compliance (internally or via a third party)? Perhaps a bit of a grey area…

    Answer: Internal audit is mandatory according to ISO 27001, so this is something you must do - however, this internal audit has no relevance for the outside world. For third parties, only the ISO certificates issued by certification bodies are recognized.

    Here are a couple of articles about the internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    I’m guessing in such cases it really boils down to the ‘opinion’ of the person / party providing the attestation and their willingness to stake their reputation on such a claim. Correct?

    Answer: I would say this is primarily a question of credibility - if the "certificate" is issued by a company that has no license for performing the certification, who would trust them?
  • Questions during the internal audit


    Answer:

    Answers to the questions asked during the internal audit should provide you with evidence of whether the requirements of the standard are met or not. Usually, the questions have yes or no answers, and all requirements of the standard should be covered during the internal audit. Here you can find interesting articles on the topic:
    - Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
    - How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/

    There is no particular part of the system that you have to be focusing on by default. You should pay special attention to the most complex processes and the ones in which the probability of spotting nonconformities is the highest.
  • Nonconformities in ISO 9001 vs. ISO 14001


    Answer:

    The requirements in terms of identifying and handling nonconformities are the same for ISO 14001:2015 and ISO 9001:2015; the only difference is in the scope, environment or quality. For more information, see: Environmental Nonconformity Management: How is ISO 14001 different from ISO 9001 https://advisera.com/14001academy/blog/2014/10/08/environmental-nonconformity-management-iso-14001-different-iso-9001/
  • Limiting the scope of QMS


    Answer:

    You can define the scope of the QMS any way you want; it can be narrowed to only one process in the organization. In such a case you will have to consider the rest of the organization as a separate entity. For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Risk management from a remote location


    Answer: Interesting question... in my opinion, it would be possible to coordinate the risk assessment and risk treatment process from a remote location; however, I think that the following things would need to be done locally in the office for which the risk management is done:
    - Listing all the assets, determining threats and vulnerabilities - this is because someone who is remote cannot be aware of all these elements
    - Determining the impact and likelihood - again, the same explanation as above
    - Implementing the controls - if we speak about physical controls, that of course needs to be done locally; the same goes for all the technical controls (e.g. alarm systems and other hardware, locally installed software, etc.)

    Somewhere halfway are organizational controls (e.g. policies, procedures, etc.) - of course, you can write all the documentation from a remote location; however, the question is whether you can convince all the on-site employees to start using them. If your company culture allows this, then you would be able to do it, but there are not many companies that could succeed with such an approach.

    By the way, here's an article that describes the whole risk management process: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ITIL and COBIT


    Answer:
    There is no cookbook for how to do it. COBIT is an IT governance framework and ITIL is an IT service management framework. You can see COBIT as the interface between the company (and its strategy, goals, risks...) and IT services. ITIL should enable excellence in the management of your IT services (throughout their lifecycle), and COBIT should enable alignment of the IT organization with the goals of the business.
    COBIT is much broader than ITIL, and ITIL goes into much more detail. Ideally, they are implemented together to integrate business and IT services.