ISO 27001, like other ISO management standards, has requirements for document and records management you can use to define how to create, approve, review, distribute, and communicate them, among other things.
Considering electronic documents and records, if the quantity of them is not so big, you can consider organizing them in folders identified by each section of the standard which requires them (e.g., in a folder named "Information Security Policy" you can store the Information Security Policy, in a folder named "Risk Assessment and Treatment" you can store documents and records related to the risk management process, etc.).
If the quantity of documents is big, you should consider a document management solution (you can see an example of such a solution in our platform Conformio at this link: https://advisera.com/conformio/).
For physical records, you should consider a central cabinet to store them, adopting a folder structure similar to the electronic documents.
To see what a procedure to control documents and records compliant with ISO 27001 looks like, please take a look at the free demo of this template: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/
These articles will provide you with a further explanation about document and record management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding document and record management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
ISO 9001:2015 is not about departments but about processes.
What kind of processes happen at a warehouse?
Reception starts with quality control, then identification, then storage, then supply to production.
Expedition may start with quality control, then identification, then packaging, then storage, then expedition.
Clauses related to that can be:
You can find more information below:
ISO 9001:2015 has no mandatory requirements concerning risks and opportunities – please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/. So, whatever method your organization uses to document and evaluate your risk assessment is valid if it suits your needs. Without knowing your particular approach, it is very difficult to help you.
You can find more information below:
Please note that ISO 27001 does not require the internal audit procedure to be documented, but it requires the internal audit program and audit results to be documented, so your hired internal auditor needs to provide at least the internal audit program and the audit report.
This article will provide you with a further explanation about mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
For questions 1 to 4, and 6 to 7, please note that there are no clauses in the Standard, nor controls from Annex A, requiring these procedures and policies to be documented, but the related annexes are mandatory because at least one of the related clauses or controls requires the information they contain to be recorded, providing evidence that these clauses and controls are implemented. Related policies and procedures are included in the toolkit because they are commonly implemented as good practice.
Regarding question 5, you are correct, and we apologize for this mistake. The reference must indeed be A.16.1.2, not A.6.1.2.
For further information about mandatory documents, please read:
Controls that are not implemented but reported as applicable in the Statement of Applicability can in fact lead to a nonconformity, but its degree will depend on other factors, such as whether they are related to relevant risks, or whether they cause a mandatory clause of the standard not to be fulfilled.
In situations where a control will not yet be implemented at the time of the certification audit, the best alternative is to accept the risks related to this control, state in the Statement of Applicability that the control is in the process of implementation, and present to the auditor the evidence of the progress of the implementation.
This way, the implementation situation cannot be characterized as a nonconformity.
These articles can provide more information:
This material can also provide more information:
Unimplemented controls reported as applicable in the Applicability Statement may in fact lead to non-compliance, but their degree will depend on other factors, such as whether they are related to relevant risks, or cause a mandatory clause of the standard to be breached.
In situations when a control is not yet implemented by the time of the certification audit, the best alternative to avoid a nonconformity is to accept the risks related to this control, inform in the Statement of Applicability (SoA) that the control is in an implementation situation, and present to the auditor the evidence of progress in implementation.
This way, the implementation situation cannot be characterized as a non-conformity.
These articles can provide more information:
This material can also provide more information:
The picture represents that information security can only be properly managed when people, processes, and technologies are considered together.
Improper technologies, untrained people, or undefined processes: if even one of these things happens, your effort to prevent incidents can be wasted.
Although VDA ISA requirements, part of the TISAX standard, have many similarities with the ISO 27001 main clauses and its Annex A controls (the Excel table in the link you provided, in its tab “Information Security”, column q – “Reference to other standards”, provides a mapping between the two documents), we are not experts on VDA ISA, so we cannot provide a proper answer regarding the VDA ISA maturity level, because this information also depends on the fulfillment of prototype protection requirements, which are not related to ISO 27001.
This article will provide you with a further explanation about TISAX and VDA ISA:
In a general way, you covered all necessary steps, but the order for an optimized implementation effort would be a bit different.
After getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
1) defining the basic ISMS framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties;
2) development of risk assessment and treatment methodology;
3) perform a risk assessment and define the risk treatment plan;
4) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions, and opportunities for improvement.
This article will provide you with a further explanation about ISMS implementation:
These materials will also help you regarding ISO 27001 implementation:
To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/