This is basically the question of the ISMS scope - you should include in your scope (and therefore in your risk assessment) only the assets you can control. So you should include in your scope/risk assessment the applications and your data on those virtual servers you control, however you should exclude the physical servers because you do not control them.
However, control A.15.1.1 requires you also to perform risk assessment of your suppliers, so this means that you should assess how this hosting service can affect confidentiality, integrity and availability of your data - for that purpose you can use the same Risk Assessment Table, and write as an asset "hosting service". So you won't be assessing the physical servers, but figure out what incidents can happen in general - e.g. unauthorized access to your data, loss of data, unavailability of the service, etc.
There is no specific requirement to audit the entire scope of the standard, or even the entire organization, in a one-year period. However, it is recommendable to audit the system against all requirements of the standard during a one-year period since it is a natural time frame for every company. It is hard to find justification for auditing only part of the organization against part of the standard per year.
The quality policy should be reviewed during the management review, but if top management chooses not to make changes to the policy, it can be left as it is without changing dates or any other information.
Identifying requirements for mandatory documents
Answer:
Each clause defines whether it requires documented information or not, and in what form. The standard uses two phrases to specify whether it requires a record or a document. The phrase "maintain documented information" means that a document is required; the phrase "retain documented information as evidence" means that a record is required.
Answer:
I am not sure if I have understood your question 100%, but you need to assess the risk for each asset, and obviously the risk is related to the business. To calculate the risk in a simple way, you can use basically two parameters: consequences and likelihood. This article may be interesting for you, "How to assess consequences and likelihood in ISO 27001 risk analysis": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Answer:
If this information is not confidential, I do not see problems, although giving direct access to the Oracle database is, for me, not best practice, so it would be better to provide this information in another way, for example through a web page (in an architectural pattern such as Model-View-Controller).
The first step is to conduct a gap analysis to determine to what level your company is already compliant with the standard. The gap analysis will provide you with answers on what needs to be done to achieve full compliance with the standard. Here you can find a free gap analysis tool: https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
Once you determine what documents need to be created and what activities need to be performed, you should create a Project Plan where you define all of the above, as well as deadlines, responsibilities and resources. You can find a free sample of the Project Plan here: https://advisera.com/14001academy/free-downloads/ . This step is not mandatory; however, it will help you avoid missing something out.
The next step is to create all necessary documents; this includes the documents required by the standard itself and the documents that you find necessary to run your environmental management system and achieve intended results. Here you can use our documentation template, which includes all mandatory documents together with the most common documents used to set up the EMS (environmental management system) according to ISO 14001:2015. You can find a free preview of the toolkit here: https://advisera.com/14001academy/iso-14001-premium-documentation-toolkit/
Then you need to implement all the activities prescribed by the documentation into your daily business activities. Finally, you need to conduct an internal audit and a management review to ensure your system is compliant with ISO 14001 requirements. Then you can hire a certification body to conduct the certification audit and issue your company the certificate.
Answer:
ISO 14001 is applicable to any type of industry, and especially to manufacturing. It helps organizations adopt a systematic way to handle environmental aspects and also provides a framework for identifying and complying with legal and other requirements regarding the environment.
Exclusion of clause 8.5.5 in cement manufacturing company
Answer:
Clause 8.5.5 relates only to organizations that provide post-delivery activities such as installation, servicing, maintenance, recycling, etc. Since your business is the production of cement, and once you sell it to the customer you don't have any further activities related to the sold product, you can exclude this clause from the scope of your QMS.
The standard only requires you to keep records as evidence of employees' competence, and these can be training records, employees' CVs, diplomas, certificates, etc. No procedure or documented training modules are necessary, but you can create them if you find them necessary. In my opinion it is good to have a procedure that defines how you identify the need for training and awareness, how you conduct them and how you evaluate their effectiveness, and to have a training and awareness-raising program, but training modules seem like overkill.