
  • Document management in ISO 27001


    Answer:
    The requirements about documented information in ISO 27001:2013 are established in clause 7.5 Documented information, which is composed of the subclauses 7.5.1 General, 7.5.2 Creating and updating, and 7.5.3 Control of documented information.

    You cannot find the explicit text “document management and control”, but you can see above which clauses ISO 27001:2013 uses to manage and control the documented information. This article can be interesting for you "Document management in ISO 27001 & BS 25999-2" : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    By the way, do you know that there is a list of mandatory documents? This article can be interesting for you “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Information to capture external and internal issues


    Answer:
    Regarding the external issues, the information that you need to capture includes the identification of interested parties and their requirements (interested parties can be employees, suppliers, etc). This article can be interesting for you "How to identify interested parties according to ISO 27001 and ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Regarding the internal issues, you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities, capabilities, etc.

    For more information, please read this article “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    By the way, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Procedure for document and record control


    1. Who is responsible for document approval: it may be only [job title] (for example CEO or deputy CEO) or can be group or committee?

    ISO 27001 allows you to have one person or a group of persons, but my recommendation is that you have one person only - it is more efficient.

    2. Is it necessary to write header and footer as in clause 3.1 (is it an ISO27001 requirement?) or can we adapt to the organization's standard practice? Which of these fields: organization name, confidentiality level, document name, current version, date of document is required by ISO27001?

    No, headers and footers are not required by ISO 27001 - you should adapt it to your company practice. You should include document name, current version and date of the document somewhere in the document; you should include confidentiality level only if you define control A.8.2.2 as applicable in your Statement of Applicability.

    3. Our local language is ***. We must create documents in English and then translate to our local language. Shall we approve both of them? What are ISO27001 requirements about it?

    ISO 27001 requires only that the documentation is suitable for use, which means it needs to be understandable by all workforce that will be using the documents. Therefore, you can have documents in your local language only, in English only, or both. In your Procedure for document and record control you should define which language is the main one, and then documents in this language must be approved by the responsible person; the documents in the other language will be translated but they do not need to be approved.

    4. In our organization we store both: scan of approved paper version and approved paper version. What are requirements of ISO27001?

    ISO 27001 doesn't specify how the documents need to be approved nor how they are stored. The most practical way is for the responsible person to approve the documents digitally (i.e. through some document management system), so that way there is no need for paper documents nor for scanning.

    5. Who can be responsible person for "Person responsible for storage" and "controls for record protection" in clause 5 (managing records)?

    This depends on the record type - e.g. for backup logs, the person responsible for storage will be the IT administrator, and controls for record protection will be the system access controls to those logs; for the incoming mail register, the person responsible can be the secretary who receives all the incoming mail, and controls for record protection could be the access control to her computer.
  • ISO 27001 record types


    Answer:

    ISO 27001 defines that "documented information" relates to all documents and records that are necessary for the information security management system (ISMS). Therefore, yes - you could say that when "records" are mentioned in ISMS documentation, they refer to security-related records.

    However, these records will include backup logs, access control logs, corrective actions, reports, and large amount of other records that help you manage your security. See also this article: Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    If you have a checklist that you fill out by checking the items you have completed, then this would also be a record.
  • Typical documents kept in manufacturing company


    Answer:

    In accounts, there are no mandatory documents, and the accounting is often left out of the scope of the Procedure for Documents and Records Control since it has a lot of records prescribed by the law and there is no need to apply the same rules as for the rest of the QMS documents and records.

    For the maintenance process, it is very common to keep maintenance records for the equipment, a preventive maintenance plan, etc.; for monitoring and measuring equipment it is mandatory to keep calibration records.

    In the production department there are more records, since the process is the most complex. It can be product specification, work order, production registry, working instructions for the most complex activities, etc.

    For more information, see:
    - How to use ISO 9001 to facilitate the manufacturing of a complex product https://advisera.com/9001academy/blog/2016/02/02/how-to-use-iso-9001-to-facilitate-the-manufacturing-of-a-complex-product/
  • Consultant or documentation toolkit


    Answer:

    Every approach has its pros and cons. Hiring a consultant is more expensive, and consultants tend to make it as easy as possible for the company; this usually leads to less involvement of the employees in the implementation process, which leaves them with insufficient knowledge for later maintenance of the quality management system. Very often, after the consultant leaves, the company only formally has the standard without really implementing new processes.

    On the other hand, a documentation toolkit will require more time and effort from your employees, but this will make them learn more about the standard and it will enable them to later maintain the system without additional help. The documentation toolkit consists of documents that need to be adjusted to the organization; this makes companies write the procedures for themselves instead of hiring someone from outside the company to do it for them, and this makes the procedures more in line with the company operations.

    Whether hiring a consultant or buying the documentation toolkit, you will be able to meet the 4-month deadline, but the effort invested in the implementation will pay off later during maintenance and will enable your company to achieve benefits from ISO 9001 implementation.

    For more information, see: Comparison matrices for ISO 9001 implementation solutions https://advisera.com/9001academy/comparison/
  • ISO 27013


    Answer:
    Unfortunately we don't have such a toolkit. But, the ISO 20000 and ISO 27001 toolkits are fully compatible (e.g. structure of the documents) and can be used together. Additionally, there is a matrix (available as a free download) which explains the relationships between clauses of ISO 27001 and ISO 20000, and gives an overview of common requirements of these two standards with tips on how to fulfill them with as little documentation as possible. Here is the link to get "ISO 27001 vs. ISO 20000 matrix" https://advisera.com/27001academy/free-downloads/
    Toolkits are available here:
    ISO 20000 toolkit https://advisera.com/20000academy/iso-20000-documentation-toolkit
    ISO 27001 toolkit https://advisera.com/27001academy/free-downloads/
  • Lead Auditor + Lead Implementer?


    Answer:
    Yes, from my point of view it can be good for you to also become a Lead Implementer, because it can give you more knowledge and experience about ISO 27001 (from another point of view, I mean, from the implementer side).

    Anyway, if you want to focus your career on auditing, the Lead Implementer will be of little relevance for you. I recommend you to read this article about the differences between both courses “Lead Auditor Course vs. Lead Implementer Course - Which one to go for?” : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go–for/

    And if you are really interested in the Lead Implementer course, this article can be interesting for you “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    Finally, remember that we also have our online courses:

    “ISO 27001: 2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/

    “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO certification for individuals


    Answer:

    Depending on the job you will be performing, you can decide to go on different courses. If you plan to perform the job of a certification auditor, you will have to pass an accredited course; these courses include not only the information about the requirements of the standard but also the techniques for certification audit, and they are the most expensive.

    If you are planning to work as an internal auditor or as part of the quality department in a company and not to perform certification audits, you may go for some less demanding courses (in terms of money) and still get a sufficient level of knowledge regarding the standard.

    We provide two types of free ISO 9001, ISO 14001 and ISO 27001 online courses:
    - Foundations course that will give you an insight on the requirements of the standard and the best practices for implementation and maintenance of the management system, and
    - Internal Audit course that includes the Foundations course plus one additional day for explaining techniques for planning, conducting and reporting on internal audits.

    You can find more information about our online courses at this link https://advisera.com/training/

    The courses are completely free; however, a certain fee should be paid to pass the certification exam.