
  • How long should the ISMS be in place before going for the certification audit


    Answer:

    This differs from one certification body to another - some require you to have the ISMS in full operation for at least 3 months, while others do not have such a criterion. The best approach would be to ask for proposals from a couple of certification bodies and ask them this specific question.

    These articles may also help you:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
  • Procedure for document control - only for ISMS documents?


    Answer:

    ISO 27001 requires you to control only your ISMS documents; however, if you find this system useful, you can use it for all of the internal and external documents in your company.

    So it is really up to you to decide which documents this procedure refers to - just make sure that you specify this clearly in the procedure.
  • Governance framework and management reporting


    Answer: ISO 27001 doesn't require having a "Governance framework" as a single document; what it does require are a couple of documents that help you manage your ISMS - Information security policy, Procedure for document control, Procedure for corrective actions, Procedure for internal audit, etc. - all of those documents you'll find in your toolkit. Regarding governance, it is very important that you set general and security-specific ISMS objectives, and document them. General objectives are documented either through the Information security policy or as a separate document - we do not have a template for such a separate document since it is not really needed; specific ISMS objectives are usually documented through the Statement of Applicability - you'll notice a column in our template for that purpose.

    This article will also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    Regarding Management reporting, it is necessary (1) that you measure the achievement of all the objectives, (2) that those results are regularly reported to the management, (3) that you set clear responsibilities for this reporting, and (4) that during the Management review your top management reaches decisions based on these reports.

    We do not have a special template for defining how the reporting is done because companies usually already have a reporting system in place - some have a Balanced Scorecard, some have some other system of reporting towards the management - in my view it is important that information security reporting is included in this existing system. For the management review you'll find the Management review minutes in the toolkit.

    See also this article: How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • Corrective and preventive actions


    Answer:
    I am sorry, but the new ISO 27001:2013 does not use the term “preventive”; only the term “corrective” is used (the term “preventive” was only used in the previous version of the standard, I mean, ISO 27001:2005). Furthermore, the adequate definition is “corrective action”, not “corrective maintenance”.

    Anyway, a corrective action is an action to eliminate the cause of a detected nonconformity or other undesirable situation, while a preventive action is an action to eliminate the cause of a potential nonconformity or other undesirable potential situation.

    This article can be interesting for you: “Practical use of corrective actions for ISO 27001 and ISO 22301” https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

    If you need information about the transition from ISO 27001:2005 to ISO 27001:2013, this article can also be interesting for you: “How to make a transition from ISO 27001 2005 revision to 2013 revision” https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    And our online course can also be interesting for you because we give more information related to corrective actions: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
  • Information Life Cycle Management for ISO 27001


    Answer:

    I'm sorry, but Information Life Cycle Management is not mentioned in ISO 27001, so we do not have any materials related to it. If you could explain exactly what you need, we will be happy to help you.

    If you are interested in managing records, this article will help you: Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    By the way, this free online course will explain to you all that you need to know about this standard: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Integrating ISO 14001 and ISO 45001


    Answer:

    It is still early to go into the details of the integration, since ISO 45001 is not published yet (for more information, see: First glance at ISO/DIS 45001 – How different is it from OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/20/first-glance-at-isodis-45001-how-different-is-it-from-ohsas-18001/). So far, we know that ISO 45001 adopted the same high-level structure as ISO 14001 and ISO 9001, so the integration will be much easier than with OHSAS 18001.

    Integration is basically the merging of the same or similar requirements of different standards into one process or document, and ISO 14001:2015 and ISO 45001 will have many common requirements, such as context of the organization, roles and responsibilities, risks and opportunities, emergency preparedness and response, documented information, competence and awareness, internal audit and management review. For more information, see: ISO 14001 vs. OHSAS 18001: What is different and what is the same? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/
  • Defining scope of QMS


    Answer:

    The standard requires organizations to define the scope of their quality management system, meaning that you need to determine which processes, locations, products and services will be included in your quality management system. This can be the entire organization, but in some cases companies create separate QMSs for separate locations or departments of the same company.

    There is no need to write a procedure for determining the scope of the QMS; however, it must be documented somewhere. This is usually done in the Quality Manual or in a separate document about the scope of the QMS. Here you can find a free preview of our Scope of Quality Management System https://advisera.com/9001academy/documentation/scope-of-quality-management-system/

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/documentation/scope-of-quality-management-system/
  • Identifying external providers


    Answer:

    It depends mostly on how you defined the scope of the QMS. If you have one QMS that covers your entire company and includes all units around the globe, then they wouldn't be considered external providers. However, if you defined separate QMSs for each unit of your company, then those other units should be considered external providers. Another way to bypass this requirement is to exclude the other units of your company from the procedure for control of externally provided processes, products and services. For more information, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
  • Mandatory documents for internal audit

    Thanks

    Answer:

    ISO 9001:2015 requires fewer documents for internal audit compared to the 2008 revision of the standard. The only mandatory documents for internal audit are the internal audit program and the internal audit report. You can find the free preview of those documents here:
    - Internal Audit Program https://advisera.com/9001academy/documentation/internal-audit-program/
    - Internal Audit Report https://advisera.com/9001academy/documentation/internal-audit-report/

    However, there are some other documents that are not mandatory but can help you with the internal audit, such as an internal audit procedure and an internal audit checklist. We created a documentation package designed for internal audit only, and you can find a free preview here https://advisera.com/9001academy/iso-9001-2015-internal-audit-toolkit/