
  • Documentation and classification in ISO 27001


    Answer:
    I am not sure what you mean by your first question, but ISO 27001:2013 has clause 7.5 Documented information, which defines the basic principles for managing documents and records.

    This article may be of interest to you, “Document management in ISO 27001 & BS 25999-2”: https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    Regarding the top secret documents, the best way to send them to another party is to encrypt the information, and for this you can use various open source (and free) tools. By the way, this article about the classification of information according to ISO 27001 may also be of interest to you, “Information classification according to ISO 27001”: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    Finally, these materials will help you to learn more about ISO 27001 and the classification of information:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 20000 implementation order


    Answer
    ISO 20000 does not require any particular order in which the requirements are implemented, but from experience I would recommend the following:
    1. Establish the SMS (Service Management System)
    2. Implement the processes

    There are two things that can help. The first is to follow the order in the toolkit (you can see the list of documents here: https://advisera.com/20000academy/iso-20000-documentation-toolkit/).
    Additional help can be found in the "ISO 20000 implementation diagram": https://advisera.com/20000academy/free-downloads/

    On the other hand, ITIL needs a different approach, and you can get useful ideas from the article "Ready, steady… go – Starting ITIL implementation": https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
  • Documents required by clause 4.4


    Answer:

    This clause contains the overall requirements for the entire quality management system. The requirements of this clause relate to every part of the quality management system, and can be met indirectly through documented procedures, policies and records.

    When it requires the organization to maintain documented information to support the operation of its processes, this means that you need to decide what documentation (procedures, SOPs, work instructions, etc.) is necessary for running the processes, and to create it. Another requirement is to retain documented information to have confidence that the processes are being carried out as planned, and this means that you need to decide what records are needed and to create them according to your needs.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Risk assessment in ISO 22301


    Answer:
    You can do the risk assessment using the ISO 27001 risk assessment framework, but defining the critical activities and processes involved in your business. This article may be of interest to you, “Can ISO 27001 risk assessment be used for ISO 22301?”: https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    Finally, these materials will help you to understand how to perform the risk assessment:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Back up of information regarding ISO 9001


    Answer:

    ISO 9001 does not mention or require backup of the organization's information. It only requires documented information (in this case in electronic form) to be available, adequately protected, stored and preserved, but it doesn't define how. It is completely up to the organization to define how this will be achieved. If you want to back up your organization's information, you can do it either with a cloud service, additional hard disk drives, etc., but whatever you decide, you need to define it in your procedure for control of documented information.

    For more information, see:
    - Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
  • ISO 31000 and ISO 9001

    ISO 31000 is much more closely related to ISO 27001; you'll find the details in this article, ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Implementing QMS from scratch


    Answer:

    Implementation of a QMS can start with a gap analysis to determine to what level your organization is already compliant with the standard. Once you determine what the gaps are, you can create a project plan with defined activities and documents to be created, as well as responsibilities and deadlines.

    Once you conduct all the activities and create all the necessary documents, you need to conduct an internal audit and a management review to make sure your company is compliant with ISO 9001. Finally, after conducting all these activities, your company will be ready for the certification audit.

    For more information, see:
    - Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Should information security objectives be measurable?

    Please note that your last phrase is not true (“This though is not mandatory since minimum requirement is to leave… “). ISO 27001 does not prescribe the use of two-level objective setting, nor the use of top-level, topic-specific, and control-specific objectives. It requires only that objectives are defined at relevant functions and levels. This leaves organizations free to adopt objectives that better suit their needs.

    Considering that, both of your proposed approaches are OK if they fulfill the standard's requirements, but you need to understand that you are defining them this way because you consider that they suit your needs the way they are, not because of any requirement of the standard.

    For example, you can have:

    • a single set of organization-wide information security objectives, linked to no specific control (in this case you will measure only final organizational results against the defined objectives).
    • a two-level set of information security objectives, composed of organization-wide objectives and department/process objectives, the latter defining how each department/process contributes to the organizational objectives.
    • a three-level set of information security objectives, composed of organization-wide objectives, department/process objectives, and role/function/control objectives, the latter defining how specific roles/functions/controls contribute to the department/process objectives, and how each department/process contributes to the organizational objectives.

    Note that as you increase the number of levels you increase the complexity, cost, and administrative effort, but you also have more detailed information to identify where potential problem points are. So, you need to evaluate the best scenario for you, remembering that you do not need to define objectives for all departments/processes/controls in your scope. You can start with a single level, then include the most critical departments/processes/controls later, and increase coverage as you gain more experience and maturity in managing the objectives.

  • Clause 7.1.6 Organization knowledge

    OK, thanks.
  • ISO 27001 for telecommunication industry

    ISO 27001 is not specifically developed for the telecommunication industry, and there are no specific controls for the telecommunication industry in ISO 27001, which means that all security controls are applicable or can be beneficial. For example, control A.12.3.1 Backup from ISO 27001 will be most likely applicable to any telecom company.

    Finally, these materials will help you:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/