ISO 17025 does not prescribe technical details regarding methods. In order to establish a suitable process and sample preparation procedure, you need to consider the performance capability of the pulveriser, your type of sample and the time it takes the operator to clean or prepare pulverising cups. Then you can do a mathematical calculation of the process capacity over 10 h.
For more information on ISO 17025 requirements, see the articles
What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/ and
What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/
1. Is the risk assessment methodology document the same for 22301 and 27001? There is no direct reference to ISO 22301 in the sample document, only ISO 27001. Is it appropriate in case I'm not only implementing 27001? Let’s suppose I implement ISO 22301, or possibly ISO 22301 + 27001 simultaneously.
ISO 22301 does not prescribe a risk methodology approach to be used, so you can use the Risk Assessment and Risk Treatment Methodology document defined for ISO 27001 for complying with ISO 22301 requirements.
For further information, see:
2. Do I understand correctly that risk assessment should cover all business processes / activities involved in the business continuity management system?
Your understanding is correct. The risk assessment must be applied to all elements defined in the BCMS scope.
These articles will provide you with further explanation about risk assessment in business continuity:
Please check this free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ - where I show examples of company risks and opportunities derived from context and interested parties. I know you are working with ISO 14001, but this webinar still applies.
Once you have determined risks and opportunities, you need to think about what actions need to be developed, and in what sequence, to handle those risks and opportunities.
Please check this information below with more detailed answers:
You can carry out such controls or inspections for routine checks. But if you have an ISO 9001:2015 or IATF 16949:2016 certificate, you should perform system audits at certain periods.
If you have such certificates and you are not performing a system audit, then there may be nonconformity in the audit.
After the certification audits, there are yearly surveillance audits.
During surveillance audits, it will be checked whether your Information Security Management System is working as designed. So, the main steps are following your policies and procedures and keeping related records (e.g., incident logs, measurement reports, corrective action and nonconformity reports, internal audit reports, management review minutes, etc.).
Additionally, if your organization had any minor non-conformity or observations during the previous audit, be sure that auditors will look into those issues with special care to confirm that actions were taken to close those nonconformities.
These articles will provide you with further explanation about certification maintenance:
- ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
- How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
From your question, it is not clear whether you are referring to the content of the ISMS Scope Document, or about the scope text that will be displayed in the ISO 27001 certificate.
If the former is the case, then the statement is far too short, and you should consider using the ISMS scope template included in your toolkit (it contains comments on how you can provide detailed information to fulfill the standard’s requirements). If the latter is the case, then the statement is too long – in this case, you should consult with your certification body about how to develop this text.
These articles will provide you with further explanation about ISO 27001 scope:
These materials will also help you regarding ISO 27001 scope:
Considering you referred to “…overall IT infrastructure and security of all departments…”, your last bullet makes sense because it basically defines your whole organization as your ISMS scope.
In case you want something specific out of the scope (e.g., a specific process or department), you can state this part as an exclusion in your scope document.
Please note that you do not need to include in the scope references to contractual agreements (this may unnecessarily restrict your scope), because these can be defined in a separate document (the List of Regulatory, Contractual and Other Requirements template, included in folder 2 of your ISO 27001 Documentation Toolkit).
These articles will provide you with further explanation about scope definition:
These materials will also help you regarding scope definition:
Completed status for attended training or completed quizzes can be used as evidence for ISO 27001 clause 7.2 (competence). As additional evidence of fulfillment, in case more evidence is needed, an auditor can use other methods, like observation or interviews.
This article will provide you with further explanation about awareness and training:
These materials will also help you regarding awareness and training:
First of all, sorry for this inconvenience. This particular video was made for an earlier revision of the standard, and you can disregard the information about controls identification (this situation does not affect the logic of the risk assessment implementation presented in the tutorial).
In the current version of the standard (2013), control A.7.1.2 refers to "Terms & Conditions of Employment".
Every time you find similar discrepancies between the tutorials and the documentation, please consider the information in the templates as the correct one, because they are the most up-to-date version.
If you still feel you need more information about this topic, you can schedule a meeting with one of our consultants. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/