Please check this free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ - where I show examples of company risks and opportunities derived from context and interested parties. I know you are working with ISO 14001, but this webinar still applies.
Once you have determined risks and opportunities, you need to think about what actions need to be developed, and in what sequence, to handle those risks and opportunities.
Please check this information below with more detailed answers:
You can carry out such controls or inspections for routine checks. But if you have an ISO 9001:2015 or IATF 16949:2016 certificate, you should perform system audits at certain periods.
If you have such certificates and you are not performing a system audit, then there may be a nonconformity in the audit.
After the certification audits, there are yearly surveillance audits.
During surveillance audits, it will be checked whether your Information Security Management System is working as designed. So, the main steps are following your policies and procedures and keeping the related records (e.g., incident logs, measurement reports, corrective action and nonconformity reports, internal audit reports, management review minutes, etc.).
Additionally, if your organization had any minor non-conformity or observations during the previous audit, be sure that auditors will look into those issues with special care to confirm that actions were taken to close those nonconformities.
These articles will provide you with a further explanation about certification maintenance:
- ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
- How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
From your question, it is not clear whether you are referring to the content of the ISMS Scope Document, or about the scope text that will be displayed in the ISO 27001 certificate.
If the former is the case, then the statement is far too short, and you should consider using the ISMS scope template included in your toolkit (it contains comments on how you can provide detailed information to fulfill the standard’s requirements). If the latter is the case, then the statement is too long – in this case, you should consult with your certification body about how to develop this text.
These articles will provide you with a further explanation about ISO 27001 scope:
These materials will also help you regarding ISO 27001 scope:
Considering you referred to “…overall IT infrastructure and security of all departments…”, then your last bullet makes sense because it basically defines all your organization in your ISMS scope.
In case you want something specific out of the scope (e.g., a specific process or department), you can state this part as an exclusion in your scope document.
Please note that you do not need to include in the scope references to contractual agreements (this may unnecessarily restrict your scope), because these can be defined in a separate document (the List of Regulatory, Contractual and Other Requirements template, included in folder 2 of your ISO 27001 Documentation Toolkit).
These articles will provide you with a further explanation about scope definition:
These materials will also help you regarding scope definition:
Completed status for attended training or completed quizzes can be used as evidence for ISO 27001 clause 7.2 (competence). As additional evidence of fulfillment, in case more evidence is needed, an auditor can use other methods, like observation or interviews.
This article will provide you with a further explanation about awareness and training:
These materials will also help you regarding awareness and training:
First of all, sorry for this inconvenience. This particular video was made for an earlier revision of the standard, and you can disregard the information about controls identification (this situation does not affect the logic of the risk assessment implementation presented in the tutorial).
In the current version of the standard (2013), control A.7.1.2 refers to "Terms & Conditions of Employment".
Every time you find similar discrepancies between the tutorials and documentation, please consider the information in the templates as the correct one, because they are the most updated version.
If you still feel you need more information about this topic, you can schedule a meeting with one of our consultants. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
ISO 27001 does not prescribe a pen-test from a third party as a requirement for ISO 27001 certification.
Pen-tests, including those performed by third parties, are only required if there are relevant risks (i.e., risks evaluated as unacceptable according to your criteria), or legal requirements (e.g., laws, regulations, or contracts).
These articles will provide you with a further explanation about selection of controls and pen tests:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/