
  • What ISO standard does an ISO 27001 auditor follow during audits?

    ISO 19011 is the standard used for auditing ISO management systems, including ISO 27001. You can find this standard here: https://www.iso.org/standard/70017.html

    For certification audits, ISO 27006 needs to be taken into account. This standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS).

    For further information, see:
    - How to perform an internal audit using ISO 19011 (PDF) https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

    These materials will also help you regarding audits:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • KPIs

    The term Key Performance Indicator refers to measurements you use to determine the performance and effectiveness of the QMS. This is completely up to you, but the main question you need to ask yourself is "What do I need to measure to know that my QMS processes are performing as expected and that they are effective?". KPIs also depend on what a company's strategy and competitive advantage are.

    For example, the following questions can be asked when defining KPIs for production:
    - How long does it take to produce a product? When you define that time (e.g. 2 hours), then your KPI is to produce by that time or less. If you want the production time to be shorter (e.g. 1.5 hours), then it is necessary to analyze which step can be shortened without affecting the final quality of the product.
    - How much waste is produced during production? The KPI is that you want the waste to be around 2%, for example.

    For more information regarding KPIs, please see the following article, regardless of its mention of the ISO 9001 standard:

    • How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/blog/2016/05/24/define-key-performance-indicators-qms-based-iso-9001/

    • ISO 27001 vs ISO 27002

      The main differences are:

      • ISO 27001 is a certifiable standard that defines the requirements for an Information Security Management System (ISMS), as well as providing, in its Annex A, suggested security controls to be implemented according to the results of risk assessment or legal obligations.
      • ISO 27002 is a non-certifiable standard that provides details and guidance on the implementation of the controls from ISO 27001 Annex A.
      • ISO 27002 is not mandatory for certification against ISO 27001.

      These articles will provide you with a further explanation about ISO 27001 and ISO 27002:

      These materials will also help you regarding ISO 27001 and ISO 27002:

    • Time to prepare and get certified

      For AS9100 implementation, the time duration can be very different for different companies, so giving one estimate is not possible. For the time to learn the standard, there are many AS9100 training courses that take 1 to 2 days if you want to do this rather than independent study. Implementation then will take a varying amount of time depending on many factors such as size of company, complexity of processes, time allowed for implementation personnel, etc. When it comes to certification, after a documentation audit the certification audit often takes 3 to 4 days (again, depending on the company), as well as any time needed to respond to nonconformances of the processes.

      You can learn a bit more on how to assess the time for implementation in the article: How long does AS9100 implementation take?, https://advisera.com/9100academy/blog/2019/03/26/how-long-does-as9100-implementation-take/

    • Internal Audit

      I don’t know if I understand your question correctly.

      ISO 9001:2015 doesn’t mention departments and has no requirements regarding marketing. So, why are you auditing sales and marketing, if you don’t have that working in your organization? ISO 9001:2015 mentions processes, not departments. Why don’t you audit processes? About sales, use ISO 9001:2015 clause 8.2.

      Another possibility is that your organization has not yet implemented a quality management system. If that is the case, consider doing a gap analysis:

    • Register of Requirements — how detailed should it get?

      Please note that the "cybersecurity requirements" to be included in the register are those defined in the customer contracts (e.g., data backup, need for data segregation, right to audit, etc.). You can either write the requirements in the register or only refer to contract clauses.

      The link between the legal register and the Statement of Applicability will be the ISO 27001 Annex A controls applied to fulfill the contractual requirements. For example:

      • data backup: A.12.3.1 Information backup
      • need for data segregation: A.13.1.3 Segregation in networks
      • right to audit: A.12.7.1 Information systems audit controls

      In Conformio this is performed during risk assessment and treatment when you identify relevant risks of legal requirements compromise and define the necessary controls to be applied for risk treatment (these will be displayed in the SoA).

      Additionally, once security policies and procedures are being written, Conformio reminds users about the relevant requirements from the Register of Requirements.

    • How to find and choose a good certification body for ISO 27001

      Elements you should consider when selecting a certification body are at least these ones:

      • Reputation.
      • Accreditation.
      • Specialization in your industry.
      • Experience.
      • Integrated audit.
      • Flexibility.
      • Required maturity for certification.
      • Language.

      For further information, see:

      Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information it is not possible to provide you with a precise estimate.

      There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.

    • Including opportunities in ISO 14001 register

      About risks and opportunities in ISO 14001:2015, I recommend reading Annex A.6.1.1. What does your organization want from the Environmental Management System (EMS)?

      https://www.screencast.com/users/ccruz5284/folders/Default/media/251ea67c-cd40-4465-908e-14cddbd60f16

      How is this done? With a set of action plans:

      https://www.screencast.com/users/ccruz5284/folders/Default/media/bf850849-e208-4f95-bb58-93fba4685729

      Risks and opportunities are:

      https://www.screencast.com/users/ccruz5284/folders/Default/media/eade82e8-3d97-44e1-93b5-6ad8100ed605

      What A.6.1.1 tells us is:

      • Look into your list of environmental aspects, which can create risks and opportunities. Your significant aspects can generate significant impacts and those can be seen as risks and opportunities
      • Look into your list of compliance obligations, are there risks of failing to comply, or opportunities to be better than compliance obligations?
      • Look into your context and interested parties, which can create risks and opportunities? For example, trends in environmental legislation, trends in neighborhood or client’s sentiment about your organization’s environmental performance.

      Currently I'm working with an industrial organization where we considered as opportunities:

      • Starting to use solar energy in order to reduce CO2 emissions
      • Starting to use water-based adhesives in order to reduce the use of volatile organic compounds
      • Changing waste operators in order to reduce the amount of waste going to landfill

      Think about your environmental objectives and determine actions that can improve your performance towards them.

      Please check this information below with more detailed answers:

    • How to drive opportunity reports by IQA team

      First you need to identify the opportunity. This can be done using a SWOT analysis where you look at the Strengths, Weaknesses, Opportunities and Threats. Once you identify the opportunity, you will need to assess whether it is significant or not. For that purpose you can use simple criteria such as impact and probability. If the opportunity is significant you will need to take the necessary actions to conduct it, defining the resources needed, responsibilities, deadlines, etc. In addition you will need to assess the effectiveness of the actions taken in order to implement that opportunity within your organization. This information should be included in the reports.

      For more information about how to drive opportunity reports, see the following materials:

      - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

      - Enrol this free course - ISO 9001 Foundations course: https://advisera.com/training/iso-9001-foundations-course/

      - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    • GDPR Certification Exam

      1 - It is my intention to write the GDPR Certification Exam the end of this Month.

      I trust that this will create the Environment that will enable me to write both ISO 27001 Lead Implementor and Lead Auditor Exams.

      GDPR certification is not enough to cover all necessary knowledge for ISO 27001 Lead Implementor and Lead Auditor Exams (normally the certification path is the other way around).

      Please note that GDPR defines requirements for privacy protection, while ISO 27001 provides requirements for information security in general, so ISO 27001 is more comprehensive, and someone needs more knowledge before going for the ISO 27001 Lead Implementor and Lead Auditor Exams.

      For further information, see:

      2 - I would really appreciate any communications regarding progress on the creation of Advisera's POPIA content and an opportunity to present the same to a number of corporate and government clients in our portfolio.

      Please be assured of my commitment to broadening my ISO certifications based upon the Advisera offerings.

      We have POPIA (the South African law for data protection and privacy) in our product pipeline for development, but not for at least the next twelve months.
