Search results


  • Statement of Acceptance of ISMS Documents

    Only the "Statement of Acceptance of ISMS Documents" is not enough to be compliant with ISO 27001 requirements related to competence (clause 7.2) and awareness (clause 7.3).

    You will also need information regarding the actions taken to provide the necessary competence/awareness (e.g., reading of the documentation, awareness presentation, etc.), and an evaluation of the actions' effectiveness (e.g., questions about the presented documentation).

    For those, you can use the Training and Awareness Plan template included in your toolkit, in folder 9 Training and Awareness. Both “Training and Awareness Plan” and "Statement of Acceptance of ISMS Documents" will be sufficient to evidence awareness about the documentation.


    This article will provide you with a further explanation about awareness and training:

    This material will also help you regarding awareness and training:

  • Verification Inspection Reports

    This probably depends most on whether the PRRC is within the company, in the same place where the batch release takes place, or is dislocated. If the PRRC is dislocated, one of the simpler ways is that batch release records can be sent to him via email and then he can confirm by email that he complies.

  • Conflicting approaches to Risk Assessment

    First of all, sorry for this confusion.

    This is only a different way of writing the methodology name. The approach is the same regardless of the order of its elements. The results will be the same, because the risk calculation is based on a sum or a multiplication, whose result is independent of the order of the elements.

    For further information, see:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    This material can also help you:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

  • Uploading current quality standards/results

    Since such in-company information is actually information, I have not seen it shared much. TS 16949:2019 or IATF 16949:2016 also does not have such a requirement from suppliers.

    However, if it is a potential supplier, such information can be seen in the company during the audit or company visit.

  • ISO 27001 - feedback about some documents

    I’m assuming you are referring to documents 10.1 Internal Audit Program, 10.2 Internal Audit Report, 11.2 Management Review Minutes, and 12.1 Corrective Action Form.

    Considering that, the Internal Audit Program needs to be filled before the internal audits are performed (this is the document that will define how many audits will be needed, covering which topics and their dates).

    The internal audit report needs to be filled in after the conclusion of each planned internal audit.

    The Management Review Minutes are typically filled out after the management review has been completed, but some companies might use Minutes also as a preparation and in such cases you can use a 2-step approach: 1) data required as input for management review is filled in in the Minutes after all ISMS elements to be implemented are defined and as soon as the data is available; and 2) data required as output for management review is filled in after the end of the meeting.

    Corrective action forms are filed at any time a corrective action is required. Please note that corrective action can be originated either as a result of an internal audit or as a result of an incident or operational deviation.

    For further information, see:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - Project checklist for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

  • Implementing controls

    First, it is important to note that only controls deemed applicable due to the results of the risk assessment and applicable legal requirements need to be implemented. So, depending on the organizational context, not all controls from ISO 27001 Annex A may need to be implemented.

    For those controls deemed applicable, not all of them may need to be included in policies or procedures.

    These articles will provide you with a further explanation about documenting controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

  • ISO certification questions

    1) Are the risk assessment documents in the toolkit in line with ISO 27005, e.g., can we as an organization, after we are ISO certified using the toolkit, say we adhere to ISO 27005?

    The risk assessment documents in the toolkit are compliant with ISO 27005.

    ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

    This article will provide you with a further explanation about implementing risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    2) ISO is international; it would be the same for Canada as it would for New Zealand, as an example.

    Your assumption is correct. A standard with the designation “ISO” is the same for every country, so the standard's requirements for Canada will be the same as for New Zealand.

  • BCP

    I would like to know, if I have a company with a certified ISO 27001 BCP, whether it is in compliance with the BS 25999 or ISO 22301 standard. In case yes, you have the standards of those norms.

    ISO 27001 requirements for business continuity are not sufficient to be fully compliant with BS 25999 or ISO 22301, so if you have a BCP compliant with ISO 27001 it may not be enough to ensure it is compliant with BS 25999 or ISO 22301.

    BS 25999 is an outdated standard that was superseded by ISO 22301, which can be bought at ISO site: https://www.iso.org/standard/75106.html

    These articles will provide you with a further explanation about ISO 27001 and ISO 22301:

    This material will also help you regarding ISO 27001 and ISO 22301:

  • Asset, Incident and Problem Management

    ISO 27001 does not require documentation of asset management and problem management. For Incident management you can take a look at this template: https://advisera.com/27001academy/documentation/incident-management-procedure/

    For asset management and problem management, I suggest you take a look at these ISO 20000 templates to see if they can fulfill your needs:

    ISO 20000 Documentation Toolkit also has this template for incident management: https://advisera.com/20000academy/documentation/incident-management-process/
