Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Implementing 2015 revision by using old documents
Answer:
You might implement any version of the standard you want and use existing documents from your company. The only difference is that you need to revise those documents to make sure they are aligned with the requirements of the new version. I assume that you will be using procedures for document and record control, HR, internal audit, corrective actions, etc. All these documents should be revised and slightly changed just to meet requirements of the new standard but it will save you a lot of time since the changes are minor in these areas.
For more information, see: How to make the transition fro m ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/ -
Internal audit and financial report
Answer:
It is not very common to bind financial report with internal audit report because they are quite different and are not related to each other. It wouldn't be a nonconformity to file both these reports at once but it doesn't provide any additional value.
Audit criteria represents requirements to which the system is being audited. For example, if you are conducting ISO 9001 internal audit, the audit criteria would be ISO 9001, or if you are auditing compliance to legal and other requirements, the criteria would be the legal requirements.
For more information, see Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/ -
What to include in Information security policy?
Answer:
ISO 27001 does not require you to include product and services, nor partnerships, supply chains and interested parties in your Information security policy. According to ISO 27001, this policy is a top-level document without many details - see this article: Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Typically, you should include info rmation about your products and services in your ISMS Scope document, see this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
And the information about interested parties and their requirements should go to a separate list, learn about it here: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
You could include all this information in the Information security policy, but this would be very impractical.
This free online course will also be of great help to you: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
How long should the ISMS be in place before going for the certification audit
Answer:
This is different from one certification body to the other - some require you to have ISMS in full operation for at least 3 months, while others do not have such a criteria. The best would be if you ask for proposals from couple of certification bodies, and ask them this specific question.
These articles may also help you:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/ -
Procedure for document control - only for ISMS documents?
Answer:
ISO 27001 requires you to control only your ISMS documents; however if you find this system useful you can use it for all of the internal and external documents in your company.
So it is really up to you to decide to which documents does this procedure refer to - just make sure that you specify this clearly in the procedure. -
Governance framework and management reporting
Answer: ISO 27001 doesn't require having a "Governance framework" as a single document, what it does require are a couple of documents that help you manage your ISMS - Information security policy, Procedure for document control, Procedure for corrective actions, Procedure for internal audit, etc. - all of those documents you'll find in your toolkit. Regarding governance it is very important that you set general and security specific ISMS objectives, and document them. General objectives are documented either through the Information security policy or as a separate document - we do not have a template for such a separate document since it is not really needed; specific ISMS objectives are usually documented through Statement of Applicabil ity - you'll notice a column in our template for that purpose.
This article will also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Regarding Management reporting, it is necessary (1) that you measure the achievement of all the objectives, (2) that those results are regularly reported to the management, (3) that you set clear responsibilities for this reporting, and (4) that during the Management review your top management reaches decisions based on these reports.
We do not have a special template for defining how the reporting is done because companies usually already have a reporting system in place - some have Balanced Scorecard, some have some other system of reporting towards the management - in my view it is important that information security reporting is included in this existing system. For management review you'll find the Management review minutes in the toolkit.
See also this article: How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/ -
Corrective and preventive actions
Answer:
I am sorry but in the new ISO 27001:2013 it is not used the term “preventive”, only is used the term “corrective” (the term “preventive” was only used in the previous version of the standard, I mean, ISO 27001:2005). Furthermore, the adequate definition is “corrective action”, not “corrective maintenance”.
Anyway, a corrective action is an action to eliminate the cause of a detected nonconformity or other undesirable situation, while a preventive action is an action to eliminate the cause of a potential nonconformity or other undesirable potential situation.
This article can be interesting for you “Practical use of corrective actions for ISO 27001 and ISO 22301” : https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
If you need information about the transition from ISO 27001:2005 to ISO 27001:2013, this article can be also interesting for you “How to make a transition from ISO 27001 2005 revision to 2013 revision” : https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
And our online course can be also interesting for you because we give more information related to the corrective actions “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Information Life Cycle Management for ISO 27001
Answer:
I'm sorry, but Information Life Cycle Management is not mentioned in ISO 27001, so we do not have any materials related to it. If you could explain exactly what do you need, we will be happy to help you.
If you are interested in managing records, this article will help you: Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
By the way, this free online course will explain you all that you need to know about this standard: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Integrating ISO 14001 and ISO 45001
Answer:
It is still early to go into the details wit the integration, since the ISO 45001 is not published yet (For more information, see: First glance at ISO/DIS 45001 – How different is it from OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/20/first-glance-at-isodis-45001-how-different-is-it-from-ohsas-18001/). So far, we know that ISO 45001 adopted the high level structure as ISO 14001 and ISO 9001 so the integration will be much easier than with OHSAS 18001.
Integration is basically the merge between the same or similar requirements of different standards into one process or document and ISO 14001:2015 and ISO 45001 will have many common requirements, such as context of the organization, roles and responsibilities, risks and opportunities, emergency preparedness and response, documented information, competence and awareness, internal audit and management review. For mor e information, see: ISO 14001 vs. OHSAS 18001: What is different and what is the same? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/