1 - In order to show evidence that ISMS has been implemented, must we show a minimum period of implementation? For example, 3 months?
This differs from one certification body to another: some require you to have the ISMS in full operation for at least 3 months, while others have no such criterion. The best approach is to ask a couple of certification bodies for proposals and put this specific question to them.
2 - What will the external auditor look out for in terms of actual implementation of the ISMS for ISO27001 certification? Please advise.
The certification auditor will look for all documents and records stated as mandatory by the standard, and those considered applicable by the organization (e.g., policies and procedures related to applied controls).
In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”.
Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
For organizations with up to 50 employees, the best approach is to include the whole organization in the ISMS scope, because in the majority of such cases the effort to separate elements inside the scope from those outside it is not worthwhile.
When the organization uses a third-party Platform-as-a-Service, the data and all application software should be included in the ISMS scope, while everything else is out, including all system software.
1. Processes and services. Should I write about each service and each process specifically as part of the whole business model? Example: Managed Service Provider Service and all its processes; Software Development Service and all its processes; Software Support Service and all its processes; Cloud Infrastructure Consulting Service and all its processes. OR may I just put something more general that points to the idea that all the organizational business and processes are in the scope? A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example: Every service and process that is a part of the organization and its business is included in the scope.
Since your whole organization is part of the ISMS scope, you can use a text identifying your core business and including business management and supporting processes. Something like: Software development processes and their related supporting processes, and business administrative processes.
2. Organizational units. May I just get away with putting down that the whole organization and all organizational units are included in the scope? Do I need to define organizational units if I am not going to leave any of them out of the scope? Would an auditor be OK with that definition, and would he/she understand that the whole organization is covered by the ISMS? The problem is that the organization is fairly fluid and ever-moving and changing in regards to units and departments. This doesn't mean that people who are responsible for certain things are not appointed. Everything is logged, double checked and audited, but it would be a bit difficult to channelize every organizational aspect into a department or a unit.
Since your whole organization is part of the ISMS scope, you can simply state that the whole organization is in the scope.
3. Network and IT infrastructure. This one seems really tricky for me. A lot of our IT infrastructure is ever-changing, so to speak: networks, devices and services are constantly added, removed, migrated and changed. If I need to list every piece of IT infrastructure and network, that would be an Inventory of Assets of its own. So the question is: when I've actually done the work to mark every piece of data in the Inventory of Assets, do I need to relist everything under "Networks and IT infrastructure" as well? May I just put in something showing the general concept of ISMS coverage (i.e. everything)? Would a definition like "All networks and IT infrastructure that are located in the (and here I would just specify the location)" be acceptable as part of the scope? Our IT infrastructure is only in one physical location and also the cloud. We are using the IaaS model and sometimes PaaS as a model. In this regard I would list those in the supplier policies and not in the scope.
Considering your context, the proper definition here is the one you proposed: "All networks and IT infrastructure that are located in the <location>".
In terms of ISO 17025 requirements, education and training records and evidence of competence are essential. Typically the diploma without a transcript will be suitable. Laboratories should, however, have recruitment criteria and minimum education requirements documented. If it is necessary to verify a specific educational achievement for a particular position, a transcript would be required. This could, for example, be a result (e.g., >70%) for a specific course, or a diploma. Furthermore, depending on the sector, employees may need their transcripts to join a professional body mandated by legislation, for example a veterinary association or a professional scientists' association.
To assist you, have a look at the Competence, Training and Awareness Procedure and the four related appendices, available as part of the toolkit, at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
See too, the article How to manage competence in a laboratory according to ISO 17025 at https://advisera.com/17025academy/blog/2021/05/26/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/
Companies that write and develop software embedded in the vehicle should work on software design, verification, validation, configuration verification, etc., and document the details. These issues are covered by clause 8.3 and its sub-clauses of the IATF 16949:2016 standard.
You can find information about ISO certification by country in the ISO Survey, which can be accessed through this link: https://www.iso.org/the-iso-survey.html
Since you will also design products for automotive, you are responsible for the whole of clause 8.3 of the IATF 16949:2016 standard. There is no special list, but you should prepare for all "shall" requirements written between 8.3 and 8.3.6.1 in the IATF 16949:2016 standard.
In the toolkit folder, you will find the file named "List of Documents", where you can find the reference to the EU GDPR or the ISO standard. I suggest you follow the order of the folders and fill in the documents with the EU GDPR reference.
For example, you can begin with Folder 1 "Preparation for the project" and file 01.1 EU GDPR Readiness Assessment in order to verify your current status, and then the preparation for the project in file 01.2. The next step is folder 4 with the General policies and document 04.2 Personal Data Protection Policy; keep following the EU GDPR relevant documents from there.