How to Maintain ISO 9001 Certification

It’s not easy for an organization to implement the International Organization for Standardization (ISO) 9001 and obtain an ISO certification for the standard. But just because you’ve achieved ISO 9001:2015 (the latest version) certification, doesn’t mean your work is done. That’s because your company has to be continually audited to ensure it still meets the requirements of the ISO 9001 standard. ISO 9001 is the international standard that details the requirements necessary to create a quality management system (QMS). A quality management system focuses around providing products and services that meet customer needs, along with industry and government regulations. ISO 9001 is the most popular of the ISO 9000 series of ISO standards and the only ISO standard in the…

ISO 9001 Quality Management Principles

ISO 9001 is the international standard for quality management systems (QMS), published by the International Organization for Standardization (ISO). ISO standards are the most widely used quality management standards worldwide. Increasingly, your customers are looking for a guarantee that the products they’re buying from you have gone through quality management best practices. Adopting the ISO 9001 standard is one step toward offering that guarantee. The current version is ISO 9001:2015, which was released in September 2015. The goal of ISO 9001, part of the ISO 9000 family of quality management standards, is to help you prevent quality issues that could affect your customers, employees, business partners, and even your industry. ISO 9001 defines the requirements for creating a quality management system. The…

FedRAMP Low, Moderate, High: Understanding Security Baseline Levels

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that ensures that the proper level of information security is in place when U.S. government agencies access cloud products and cloud services. FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs). FedRAMP grants authorizations to CSPs at three impact levels: low, moderate, and high. These levels refer to the severity of the potential impact if an information system is compromised. Here’s a quick summary of each level, with detailed sections below:

Low impact risk: Encompasses data intended for public use. Any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation.

Moderate impact risk: Mainly includes…

SOX Management Review Controls

The Sarbanes-Oxley Act of 2002 (SOX) designates management review controls (MRCs) as one of the required internal controls. MRCs are the reviews of key financial information conducted by a company’s management to assess its reasonableness and accuracy. They are a key aspect of a public company’s internal control over financial reporting (ICFR). Examples of these SOX management reviews include:

- Review of reconciliations
- Review of journal entries
- Trigger events
- The work supporting an estimate
- Budget to actual variances

Management review controls are more complex than other controls since they require the examination of combined results as opposed to individual transactions. They involve comparisons of recorded amounts with associated projections based on…

Introducing ZenGRC + ZenConnect

A Connected Information Security Ecosystem

At Reciprocity, our mission has always been to simplify the way your organization manages risk and compliance, and to encourage transparency and trusted relationships with your key stakeholders. With ZenGRC, we delivered the industry’s best GRC solution and simplified a traditionally complicated tool to make it easy for CISOs, CROs and CCOs to manage their organization’s information security. Today, we are excited to announce our next massive milestone: ZenConnect. ZenGRC + ZenConnect is the first and only integrated GRC solution that fosters a continuous flow of information between the systems, applications and people that are core to your business. It enables out-of-the-box connections to the tools you have in your tech stack to empower a…

ZenGage #AMA Series with Dr. Maxine Henry on the CCPA

The nation’s most stringent data protection law (so far), the California Consumer Privacy Act of 2018, takes effect Jan. 1, 2020, and it’s generating a lot of buzz. Businesses from coast to coast are girding themselves for sweeping changes in how they collect, share, and protect California residents’ personal information. With the deadline for compliance right around the corner, GRC professionals have a lot of work to do. ZenGage, the new Slack community for information security and GRC professionals, recently hosted CCPA expert Dr. Maxine Henry in its first #AMA (Ask Me Anything) live Slack chat series. In this candid discussion, Dr. Henry answers a broad range of questions, starting with the rights that the CCPA grants to California residents,…

Preparing for an ISO 27001 and 27002 Audit

Getting your certification for ISO 27001 is a complex and time-consuming endeavor. But for many organizations, it’s worth the effort. That’s because ISO 27001 is the international standard for Information Security Management Systems (ISMS). Being able to say you’re “ISO 27001 certified” tells stakeholders that your organization is serious about protecting the security and privacy of their information. Stakeholders include your current and future clients, business partners, suppliers, and customers. In this day and age, that’s no small claim. And in fact, ISO 27001 certification is a must for many enterprises that do business with you. Mere ISO 27001 compliance isn’t always enough. To become certified as ISO compliant, you must pass…

Which PCI SAQ Do I Need?

Which of the nine Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs) your organization needs to fill out and submit depends on several factors:

- How you process credit-card transactions. Do you outsource these transactions to a third party to process, or do it yourself?
- What type of payment processing machine or terminal you use for credit and debit card transactions.
- Whether you accept payments in-store from customers with a physical card or phone-pay application, or are strictly e-commerce only.

What is an SAQ, and what is it for? PCI DSS Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council (PCI SSC)…

How to Become PCI DSS Certified

The short answer to the question of achieving PCI DSS certification is: you can’t. There is no certificate attesting to Payment Card Industry Data Security Standard (PCI DSS) compliance. There is, however, a way your organization can stand apart as being especially committed to credit card security. Instead of submitting the Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) to your acquiring bank, you may choose to pass an on-site audit by a PCI Security Standards Council-certified Qualified Security Assessor (QSA) or your own Internal Security Assessor, and have them file a Report on Compliance (ROC). The difference between these two alternatives is vast. With an SAQ and AOC, your enterprise is assessing itself. An…

PCI DSS: Testing Controls and Gathering Evidence

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not easy to achieve. Quite the opposite, in fact: a 2017 Verizon report stated that 80 percent of companies fail their PCI DSS assessments, and only 29 percent of those that pass are still compliant after one year. PCI DSS compliance, like information security as a whole, is not a one-and-done process but ongoing. To succeed, your enterprise must be vigilant. And comply you must, if your organization wants to do business. Penalties for non-compliance can be high, even crippling, but never fear. With planning and preparation, you can obtain that coveted Report on Compliance (ROC) or Attestation of Compliance (AOC) with relative…