  • Clause 8.1

    I’m assuming you are referring to clause 8.1 Operational planning and control.

    Considering that, please note that this clause does not require a specific document by itself.

    To fulfill this clause, you need to implement:

    • the first version of the Risk Assessment, Risk Treatment, Statement of Applicability, and Risk Treatment Plan (clauses 8.2 and 8.3 refer to subsequent iterations of the risk assessment and risk treatment processes)
    • the controls from Annex A stated as applicable in the Statement of Applicability
    • the mandatory documents related to clauses 4 to 10.

    These articles will provide you with a further explanation of ISO 27001 required documents:

  • 27001 question

    In order to keep their certification status, ISO 27001:2013 Lead Auditor certificate holders might need to attend some updated training events (for more information you need to contact your certificate issuer).

    Regarding Lead Implementer certificate holders, they will not need to "upgrade" their certificates because there is no such requirement from accreditation bodies. 

    Regarding the certification of organizations, they will need to transition to the new version if they want to keep their certification. Most probably the transition period will be twenty-four months after the release of the new version of ISO 27001 (the transition period will be confirmed soon after the release of the new version of the standard).

    For further information, see:

  • Merging ISMSs

    You should treat this merge as an implementation project with some adjustments:
    1) reviewing ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and requirements of interested parties;
    2) review of risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
    3) review the risk assessment and define the updated risk treatment plan;
    4) adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new merged context;
    5) people training and awareness;
    6) controls operation;
    7) performance monitoring and measurement;
    8) perform internal audit;
    9) perform management critical review; and
    10) address nonconformities, corrective actions, and opportunities for improvement.  

    Regarding challenges, some of them may be:

    - Lack of management support: without this support, you won't have the minimal resources and engagement to implement a proper merge.
    - Not using a project management approach: such an implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will end up in a huge mess with no security at all.
    - Lack of time for the merging project: the project can be very important, but normally there are a lot of urgent things happening that postpone the project.
    - ISMS scope wrongly defined: not protecting the information that really matters considering the merged context.
    - Documentation: an excess of procedures, or a lack of detail in them, may compromise operations.

    These articles will provide you with additional information:
    - Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options 
    - ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  • Risk Register section

    In risk assessment, you need to identify risks that exist in your context and that you consider relevant. The fact that some of them may already have controls in place is considered when you analyze them to define likelihood and impact (in most cases this will mean that they will have low risk and won’t be part of the risk treatment step).

    Considering that, both of your examples would be included in the risk assessment, so you can document either the risks or the controls already implemented to treat them.

    For further information, see:
    - 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
    - Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

  • Approved supplier list

    The Approved Supplier List should include all suppliers that are relevant to the scope defined in your Quality Management System. If you are not going to include some of those suppliers in the evaluation, you must state this and explain why you do not include them; for example, you can do so in the procedure you are going to create for purchasing and supplier evaluation. In general, suppliers of consumables are not evaluated, so you can include that in your procedure and justify it.

    For more information on supplier evaluation, you can see the following materials:

    - How to evaluate supplier performance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - You can also take a look at our procedure for purchasing and supplier evaluation: https://advisera.com/9001academy/es/documentation/procedimiento-para-compras-y-evaluacion-de-proveedores/
    - Free online course - ISO 9001 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/


  • Query ISO 27001

    You can add as many roles as you see fit in the Project Plan so you can have better control and management of your project.

    For small companies, generally the roles of project sponsor and project manager are enough to implement the ISMS.

    For further information, see:

  • Security Awareness training - Compliance question

    I’m assuming you refer to a certification audit situation.

    Considering that, to be compliant with clauses 7.2 Competence and 7.3 Awareness you need to ensure that at least the personnel in the main roles related to information security (e.g., the CEO, the CISO, the IT Head, IT staff, the internal auditor, etc.) have performed their training and awareness activities and that there are no overdue activities (i.e., you do not need all employees to complete the program by the time of the certification audit, only to evidence that the program is ongoing).

    This article will provide you with a further explanation about awareness and training:

  • EU - Representative

    If you need to have an EU - Representative per Article 27 GDPR - Representatives of controllers or processors not established in the Union – you must choose a company that will represent your commercial interests and that is ready to take the responsibility for such an important task. This is why usually companies appoint wholly-owned EU subsidiaries or consultancy companies with which they sign a services contract detailing all the responsibilities and clear accountabilities for each party. We have such a template for an Agreement for the Appointment of an EU Representative, part of our EU GDPR Toolkit.


    Regarding the recent announcement of the Trans-Atlantic Data Privacy Framework, it is not a final agreement, it is only an announcement for a future legal agreement. No legal details have been shared, moreover, it is clearly stated that “The teams of the U.S. government and the European Commission will now continue their cooperation with a view to translating this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework”.


    Please consult these resources:

  • Key Technical Personnel (KTP)

    If the Key Technical Personnel are authorised to approve the validity of a test measurement, then this is equivalent to a signatory, as they are “signing off” a batch of results for release. The same procedure can be used; just adjust the wording. In all cases the toolkit template should be customised to represent your specific situation and process. If there are different responsibilities between the KTPs, just tabulate them.
    This article may be of assistance - 8 steps to manage ISO 17025 competence of personnel at https://advisera.com/17025academy/blog/2021/05/26/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/

  • UKAS Accreditation

    All accreditation bodies need to be compliant with ISO 17011, the standard which defines the process of accreditation, so there is no such thing as a lesser certification. It is more a question of market preference or legal requirement (e.g., a law, regulation, or contract may require a specific accreditation body).  

    For further information, see:
