
  • Risk owner's approval


    My question is: when do we need to obtain the risk owner's approval, and should it be recorded as evidence?

    Answer:
    Basically, the owner's approval is required before the Risk Treatment Plan is implemented. As evidence you can hold a meeting with the risk owner (you need the minutes of the meeting).

    This article about the steps of the risk assessment & treatment can be interesting for you “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And also this article about the risk owners “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    Finally, maybe our online course can be also very interesting for you because we also talk about the risk owners “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Information security at strategic level


    Answer:
    I am sorry but I am not sure what you mean; anyway, at a strategic level, from my point of view, you need to show the benefits of investing in ICT or cybersecurity. Remember that ISO 27001 is very related to ICT and cybersecurity, and you can use it to implement cybersecurity in your organization (with the support of the ICT). In this case, at a strategic level, you can show the benefits of the implementation of ISO 27001, which are basically 4 main points: compliance, marketing edge, lowering the expenses, and putting your business in order. This article can be interesting for you “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    And also this free webinar “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

    By the way, do you know our free eBook about cybersecurity? You can download it here “9 Steps to Cybersecurity” : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
  • Security measures


    The question is related to this article, which speaks about the Statement of Applicability, so the form he mentions is the Statement of Applicability: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    Answer:
    I suppose that you mean “security measures”; if so, these measures should be determined by the company that has implemented ISO 27001 (not by its customer or by its certification body), and you only need to implement the measures that are necessary to reduce the risks identified during the risk assessment & treatment. So, in the SOA you will need to apply only the security measures that are necessary to reduce the risks identified.

    By the way, you will complete the SOA after the risk treatment, but before the risk treatment plan. Do you want more information about the steps of the risk assessment & treatment? This article can be interesting for you “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    This article can be also interesting for you “Risk Treatment Plan and risk treatment process – What’s the difference?” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    Finally, do you know our online course? “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Document management in ISO 27001


    Answer:
    The requirements about documented information in ISO 27001:2013 are established in clause 7.5 Documented information, which is composed of the subclauses 7.5.1 General, 7.5.2 Creating and updating, and 7.5.3 Control of documented information.

    You cannot find the explicit text “document management and control”, but you can see above which clauses ISO 27001:2013 uses to manage and control the documented information. This article can be interesting for you "Document management in ISO 27001 & BS 25999-2" : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    By the way, do you know that there is a list of mandatory documents? This article can be interesting for you “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Finally, maybe our online course can also be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Information to capture external and internal issues


    Answer:
    Regarding the external issues, the information that you need to capture includes the identification of interested parties and their requirements (interested parties can be employees, suppliers, etc). This article can be interesting for you "How to identify interested parties according to ISO 27001 and ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Regarding the internal issues, you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities, capabilities, etc.

    For more information, please read this article “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    By the way, our online course can also be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Procedure for document and record control


    1. Who is responsible for document approval: may it be only [job title] (for example CEO or deputy CEO), or can it be a group or committee?

    ISO 27001 allows you to have one person or a group of persons, but my recommendation is that you have one person only - it is more efficient.

    2. Is it necessary to write the header and footer as in clause 3.1 (is it an ISO 27001 requirement?), or can we adapt to the organization's standard practice? Which of these fields: organization name, confidentiality level, document name, current version, date of document is required by ISO 27001?

    No, headers and footers are not required by ISO 27001 - you should adapt them to your company practice. You should include document name, current version and date of the document somewhere in the document; you should include confidentiality level only if you define control A.8.2.2 as applicable in your Statement of Applicability.

    3. Our local language is ***. We must create documents in English and then translate them to our local language. Shall we approve both of them? What are the ISO 27001 requirements about it?

    ISO 27001 requires only that the documentation is suitable for use, which means it needs to be understandable by all of the workforce that will be using the documents. Therefore, you can have documents in your local language only, in English only, or both. In your Procedure for document and record control you should define which language is the main one, and then documents in this language must be approved by the responsible person; the documents in the other language will be translated but they do not need to be approved.

    4. In our organization we store both: the scan of the approved paper version and the approved paper version. What are the requirements of ISO 27001?

    ISO 27001 doesn't specify how the documents need to be approved nor how they are stored. The most practical way is for the responsible person to approve the documents digitally (i.e. through some document management system), so that there is no need for paper documents nor for scanning.

    5. Who can be the responsible person for "Person responsible for storage" and "controls for record protection" in clause 5 (managing records)?

    This depends on the record type - e.g. for backup logs, the person responsible for storage will be the IT administrator, and the controls for record protection will be the system access controls to those logs; for the incoming mail register, the person responsible can be the secretary who receives all the incoming mail, and the controls for record protection could be the access control to her computer.
  • ISO 27001 record types


    Answer:

    ISO 27001 defines that "documented information" relates to all documents and records that are necessary for the information security management system (ISMS). Therefore, yes - you could say that when "records" are mentioned in ISMS documentation, they refer to security-related records.

    However, these records will include backup logs, access control logs, corrective actions, reports, and a large number of other records that help you manage your security. See also this article: Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    If you have a checklist that you fill out by checking the items you have completed, then this would also be a record.
  • Typical documents kept in manufacturing company


    Answer:

    In accounting, there are no mandatory documents, and accounting is often left out of the scope of the Procedure for Documents and Records Control since it has a lot of records prescribed by law and there is no need to apply the same rules as for the rest of the QMS documents and records.

    For the maintenance process, it is very common to keep maintenance records for the equipment, a preventive maintenance plan, etc.; for monitoring and measuring equipment it is mandatory to keep calibration records.

    In the production department there are more records, since the process is the most complex. These can be product specifications, work orders, the production registry, working instructions for the most complex activities, etc.

    For more information, see:
    - How to use ISO 9001 to facilitate the manufacturing of a complex product https://advisera.com/9001academy/blog/2016/02/02/how-to-use-iso-9001-to-facilitate-the-manufacturing-of-a-complex-product/
  • Consultant or documentation toolkit


    Answer:

    Every approach has its pros and cons. Hiring a consultant is more expensive, and consultants tend to make it as easy as possible for the company; this usually leads to less involvement of the employees in the implementation process, which leaves them with insufficient knowledge for later maintenance of the quality management system. Very often, after the consultant leaves, the company only formally has the standard without really implementing new processes.

    On the other hand, a documentation toolkit will require more time and effort from your employees, but this will make them learn more about the standard and will enable them to later maintain the system without additional help. The documentation toolkit consists of documents that need to be adjusted to the organization, and this makes companies write the procedures for themselves instead of hiring someone from outside the company to do it for them, which makes the procedures more in line with the company operations.

    Whether hiring a consultant or buying the documentation toolkit, you will be able to meet the 4-month deadline, but the effort invested in the implementation will pay off later during maintenance and will enable your company to achieve benefits from the ISO 9001 implementation.

    For more information, see: Comparison matrices for ISO 9001 implementation solutions https://advisera.com/9001academy/comparison/
  • ISO 27013


    Answer:
    Unfortunately we don't have such a toolkit. But the ISO 20000 and ISO 27001 toolkits are fully compatible (e.g. the structure of the documents) and can be used together. Additionally, there is a matrix (available as a free download) which explains the relationships between the clauses of ISO 27001 and ISO 20000, and gives an overview of the common requirements of these two standards with tips on how to fulfill them with as little documentation as possible. Here is the link to get the "ISO 27001 vs. ISO 20000 matrix" https://advisera.com/27001academy/free-downloads/
    Toolkits are available here:
    ISO 20000 toolkit https://advisera.com/20000academy/iso-20000-documentation-toolkit
    ISO 27001 toolkit https://advisera.com/27001academy/free-downloads/
