Guest
What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.
1 - is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?
Need to update Risk assessment and wanted to know if there is set Guidance and or tool to assist
2 - is there set policy or regulations for doing a risk assessment to include these additional ISO's?
I have one minor clarification.
In all procedure templates have a validity and document management section as below:
Validity and document management
This document is valid as of [date].
---------------------------------------------------------------------------------
If we are creating this document today, which date do we need to mention here as valid as of [date].
Is it like we need to keep a date after 1 year or so when we plan to review the document again?
For example, today is 12 AUG 2023, do we need to mention as “This document is valid as of 12 AUG 2024”.
Please clarify.
If we keep a date after one year, then we should ensure we review/revise document before that and change this date to date after one year again. Correct?
I am reviewing the document toolkit for a project that I am about to start with a client and have the following initial questions to ask.
Printed documents
The documents are stored in electronic format in most organisations, but nowhere on the document does the statement ‘uncontrolled when printed’ or similar appear in the header of footer
We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.
We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?
Improvement / non-conformance log
I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.
We would always include an improvement log where all non-conformalities and improvement suggestions (complaints, Issues, Improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words a spreadsheet register that matches the con-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.
Document control
I don’t understand the document control procedure as it does not state how a change request is raised for consideration (document change request for instance)
Again we would not call this a non-conformity but it would be raised in the improvement log prior to any change of document being authorised. What is this ‘Track changes’ referring to please?
The procedure states
All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Each document should preferably have a "Change History" table used to record every change made
The toolkit does not contain a document register?
This is going to make it difficult to show the version of all latest documents – most cert bodies in my experience are looking for a master document register.
Hope that makes sense and apologies if I am missing something
Hi There
looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?
Many thanks
1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?
2. Also should the policies and procedure documents be specifically named individuals rather than Job title?
In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.
For example:
User error >> most assets
Information interception >> most assets
Malicious action by employees >> almost everything
Unauthorized access to the information system >> all system and docs
Leakage/disclosure of information >> all docs and data
Unauthorized change of records >> all systems with records
What should I write as an asset for these risks in the relevant tables (risks, risk treatment etc).
A company is going for its first year ISO 27001 surveillance audit based on ISO 27001:2013. I have been appointed to perform its internal audit. Kindly advise if we should cater for the 2022 revision during my audit. If yes, in which section and how.