ISO 27001 does not require an asset management process to be implemented, only that an inventory of assets associated with the Information Security Management System (ISMS) is drawn up and maintained, in case control A.8.1.1 Inventory of assets is identified as applicable by the organization.
Considering that, Conformio enables you to draw up the list of assets during the risk assessment process by suggesting a checklist of potential assets you can find in your company.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
For access management Conformio provides you with the Access Control Policy document through which you define rules on which people can access which systems and with whose authorization.
For further information, see:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
No, the ISO 13485 Internal audit checklist responds only to the requirements stated in ISO 13485:2016. The missing elements from ISO 9001:2015 are the ones concerning context, interested parties, and business risks.
More information regarding the Internal audit checklist for ISO 9001 can be found at the following link:
How it is constructed in our ISO 9001:2015 Documentation toolkit can be found at the following link:
1. With just inquiry/Sample order (before products approval) how can we conduct Process audits /product audits /Internal audits?
All internal audits, according to IATF standard 7.2.3, should be done by competent auditors. The automotive process approach is essential in system audits. You may need to take internal auditor training for this. Production audits should be made for each shift and for each production process. In addition, it is necessary to be competent in the process of FMEA and the control plan. You may need training in this. Product audits can be performed by employees who understand the technical drawing of the product and can use measuring instruments.
2. How can we monitor KPI?
KPIs (key process indicators) can be followed on a monthly or quarterly basis, per process, with Excel tables.
3. How can we conduct MRM?
Every subject mentioned in IATF standard 9.3.2 and 9.3.2.1 should be reviewed with senior management and the team at least once a year. These meeting notes can be documented with either Word or PowerPoint. It would be better if the decisions are documented in a who, when, what to do, and result format.
Yes, legally you have to treat this person as an employee of a third party, but even then you can require that this third party's employees follow the internal rules (policies and procedures) of your own company.
Considering your area of expertise in consultancy, certifying against ISO 27001 can bring you a competitive advantage since you will be able to demonstrate that you can properly protect the intellectual property and privacy of data your customers share with you.
Regarding ISO 22301, this implementation will give your customers more confidence that your work won’t be significantly impacted by disruptive events, and that you will be better able to fulfill the deadlines and service levels agreed with them.
For further information, see:
About evidence of the Communication Plan for Communications Related to the ISMS, please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented.
Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So having a centralized communication procedure would overload the people responsible for communication with activities that may not be part of their attributions. That’s the reason there isn’t a specific template for clause 7.4.
The main documents in the toolkit that define how communication needs to be done are:
About evidence of Documented Management Review Process, there is no requirement that such a process must be documented. The rules defining interval and purpose for performing the management review are defined in the Information Security Policy, section 4.4. This template is located in folder 4 General Policies.
About Evidence of the Results of the Management Reviews, ISO 27001:2013 requires only the results of the management review to be documented, and for that you can use the Management Review Minutes template, located in folder 11 Management Review.
I’m assuming that the opportunity for improvement came from the auditor.
Considering that, first it is important to note that Opportunities for Improvement are recommendations of the auditor, and will never be a Non-Conformity.
By pointing out an Opportunity for Improvement, the auditor only wants the organization to take a look at a situation and evaluate whether it is worth taking action to achieve the suggested benefits. If the organization decides to take no action, there will be no problem at all.
Considering that, an organization may or may not submit an Action Plan for an Opportunity for Improvement. Please note that I used the term Action Plan because Preventive Action is not required by ISO 27001, so the term Corrective and Preventive Action (CAPA) would not be appropriate for this situation.
Audit days vary according to the number of people working in the company. In this regard, the calculation table in the IATF rules 5 booklet is used.
Stage 1 audit takes 1 day, but stage 2 audit varies according to the number of employees.
Daily audit prices also differ from country to country.
I recommend that you get a price quote from 3 or 4 certification bodies operating in your country.
I’m assuming you are referring to templates Risk Assessment Table and Risk Treatment Table.
Considering that, in the field “Number” you need to enter a unique numerical identifier, so each row can be uniquely identified (this is the Risk ID), and a sequential number is one example that can be used.
By the way, included in the toolkit you have access to video tutorials that can explain and help you fill in the Risk Assessment Table and Risk Treatment Table.
Please note that ISO 27001 certification is not mandatory, although some countries have established laws and regulations that are easier to fulfill by implementing ISO 27001.
On top of this, an increasing number of customers prefer ISO 27001 certified organizations as suppliers because they consider such organizations more capable of helping them.
Considering that, you need to evaluate your legal environment and customers’ needs to see if an ISO certification is interesting to you.
These articles will provide you with further explanation about ISO 27001:
- What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/