First, it is important to note that, considering ISO 19011, the standard used for auditing ISO management systems, audit findings can be conformity, nonconformity, opportunities for improvement, and recommendations (i.e., there is no definition for observation in the standard as an audit finding).
As for minor and major NC, these definitions are normally used by certification auditors to differentiate NCs that impact mandatory documents, or systematically affect the management system, from punctual NCs that do not affect the general operation of the management system.
The difference between an NC and observation is that for the second one you do not have enough evidence to support a non-conformity statement. In this situation, an auditor can make an observation to the organization so its staff can decide to work on an evaluation to identify if further work has to be done. It also can be used by another auditor in another audit to verify if the situation has evolved to a well-based non-conformity or not.
For further information, see:
This course can give you further information about internal audit:
ISO 27001 does not prescribe how to make version numbers, only that documents are controlled, so organizations are free to adopt any versioning system they want, and this versioning system does not need to be equivalent to the numbering of ISO 27001, so the situation you described wouldn’t be a nonconformity.
This article will provide you a further explanation about managing documents:
These materials will also help you regarding document management:
Please note that control objectives and control descriptions from ISO 27001 Annex A are aligned with control guidance and recommendations from ISO 27002, and the description of these controls in ISO 27002 starts in section 5. Sections 1 to 4 of ISO 27002 do not refer to controls, so that’s why there are controls A1 to A4 in ISO 27001 Annex A.
This article will provide you a further explanation about ISO 27002:
These materials will also help you regarding ISO 27002:
I’m assuming that you are referring to ISO 27001 certification, not accreditation because the main purpose of accreditation is to provide certification audit services, not managed services.
Considering that, a certified supplier saves the customer the cost of performing its own audits on the supplier’s sites to ensure it is compliant with the standard’s requirements. But most important of all, it increases the customer’s confidence that the organization can properly protect the customer’s information.
This article will provide you a further explanation about ISO 27001 benefits:
These materials will also help you regarding ISO 27001:
The seven controls from ISO 27001 Annex A section A.6 are:
These articles will provide you a further explanation about controls from section A.6:
These materials will also help you regarding controls from section A.6:
1 - we are in possession of your toolkit for ISO 27001 and are in point 6 (declaration of applicability). The 114 specified measures are to be checked for applicability. For us, however, the question arises as to whether all measures really have to be applied, since theoretically quite a few of them could be used or whether only suitable measures have to be defined for the risks that we have assessed with risk levels 3 and 4 (unacceptable risks).
Please note that you only have to state as applicable in the Statement of Applicability the controls you defined as needed to treat the risks you identified as unacceptable (according to your Risk Treatment Table), and those required by legal requirements. For the other controls, you can state that they are not applicable because there are no risks or legal requirements demanding their implementation.
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Statement of Applicability.
For further information, see:
2 - In addition, we would like to know whether there are any legal regulations in Germany to which we must pay special attention in the course of the introduction of ISO 27001.
We are not legal experts, so our recommended approach is indeed for organizations to hire local expert advice to identify the legal requirements that must be fulfilled to be compliant with ISO 27001 in the required countries. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.
This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).
This article will provide you a further explanation about the identification of requirements:
Please note that ISO 27001 was designed to be implemented by organizations of any size and industry, so it can be applicable to your organization. Freelancers/consultants can be viewed as outsourced services and treated accordingly.
Regarding GDPR, it depends on the activity of your organization. If your organization processes a high volume of personal data, or monitors behavior, or processes special categories of personal data like health data, political opinion, sexual orientation, or criminal convictions, then you require a Data Protection Officer (DPO). If your organization does not deal with this data, you do not require a DPO.
The DPO does not need to be an employee of the organization; this role can be outsourced, but you need to ensure that the required roles and responsibilities are included in the contract or service agreement.
These articles will provide you a further explanation about ISO 27001 and DPO:
These materials will also help you regarding ISO 27001 and DPO:
In your first question, you stated that they can find that you are an employee from the content of your complaint, so that they can discover it without asking you. The consequences arising from your complaint may differ depending on your contract and your home labor law, but they do not involve GDPR. Depending on how sensitive your allegation and complaint are, I would suggest you talk to a lawyer to get a better consultation on your concrete situation. From the perspective of GDPR compliance, it is a common procedure to confirm identity in order to correctly handle a data subject access request.
Let us develop a checklist for clause 7.2 of ISO 14001:2015 and hope you can apply the same technique to develop a checklist for any clause of ISO 14001:2015.
Translate clause 7.2 into a set of actions, look for the verbs:
a) determine the necessary competence of person(s)
b) ensure that these persons are competent
c) determine training needs
d) take actions to acquire the necessary competence,
d) evaluate the effectiveness of the actions taken.
Now, where do you want to start your audit? At the end? In the beginning? In the middle? Let us start at the middle.
Have you determined training needs? (about c)) Did you plan actions to address them? Can I see your overall plan to address them? (about the first d)) Was the plan approved? By whom? Was the plan fulfilled? Choose two or three actions and ask for evidence of their realization. Who participated in these actions? Why? To what extent have these actions met training needs? Has the effectiveness of these actions been assessed? What was the result? Can I see evidence of the evaluation? (about the second d)) To what extent have these actions met skills gaps? Can I see those gaps? Choose two or three people who attended the chosen training courses and see what the competence requirements of the functions they perform are (about a) and b)) and how the training contributed to their evolution.
Translate the standard into verbs, then ask questions to check if the actions were done and evidence of that.
You can find more information below:
Considering requirement 7.6 Control of monitoring and measuring equipment, it is not prescribed what the tolerance for calibration measurement is. This mostly depends on some technical standards, but also on how precise what you are measuring must be. It is not the same if you calibrate a thermometer for a warehouse where a temperature range from 5 to 30 degrees Celsius is allowed, or a thermometer for a fridge where a temperature range from +2 to +8 degrees Celsius is allowed.
For more information, please see the following article:
You can see how our document for Maintenance and Calibration Record looks in our ISO 13485:2016 Documentation toolkit: https://advisera.com/13485academy/documentation/maintenance-and-calibration-record-iso-13485-2016/