First, it is important to note that ISO 22301 does not require organizational context to be documented, only to be determined.
Considering that, you can use the organizational context as criteria to see if the proposed BCMS scope is enough for your business. For example, if an external issue is a law or regulation, you need to verify if your proposed scope is enough to fulfill it, or if it does not violate it in some manner. The same applies to an internal issue like a core activity or a process (is it covered by the proposed scope or not).
As a way to get people thinking about organizational context when evaluating their own products and processes, you should consider developing a short customized presentation, linking internal and external issues to specific products and processes, and questions on how these issues can affect their products and processes.
These articles will provide you a further explanation about scope definition (although they are about ISO 27001, the same concept applies to ISO 22301):
This material will also help you regarding Scope definition:
ISO 27001 does not prescribe the identification of contractual requirements to be made for every client, so you can use the approach that best fits your needs. One way is to define a list of requirements for a specific set of clients with specific characteristics:
- are from the same country
- have a similar size
- contract the same service
- have contracts of similar value.
Of course, you can have a list of requirements for specific clients you value the most or want to monitor closely.
ISO 27001, ISO 9001, and ISO 20000 are management standards (for information security, quality, and IT service management, respectively), while ISO 90003 is a guideline for the application of ISO 9001 to computer software.
Considering that, as management standards, ISO 27001, ISO 9001, ISO 90003, and ISO 20000 share many requirements that allow them to be integrated (the SDLC for the agile development process would be part of the scope to be defined for the integrated management system). In the integration process you should consider two phases:
1 – Integration of the common parts of ISO management systems, e.g., control of documents, internal audit, management review, etc. These have basically all the same requirements, requiring only minor adjustments to refer to all systems covered.
2 – Integration of the specific parts of each system (basically sections 6 and 8 of each standard, covering planning, support and operation).
Regarding ISO 27001, this means including in the organizational process the activities related to information security risk assessment and treatment processes.
As for building a team with ITIL/ISO 20000, you should map the competencies needed for such a team and define them as requirements for your integrated system.
These articles will provide you a further explanation about integrating ISO management systems:
- How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
This material will also help you regarding Integrating management systems:
- ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
First, it is important to note that ISO 27001 does not prescribe the use of information assets for the definition of the Risk Treatment Plan. The RTP only defines the activities that are required to decrease the risks, which can be identified by different approaches, such as asset-based, process-based, and scenario-based.
Considering that, when using an asset-based approach, you should consider the ISMS documentation as an asset, because the information you want to protect can be compromised if a document or record fails to fulfill the standard’s requirements or any other identified requirement.
These articles will provide you a further explanation about risk assessment and risk treatment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
You determine a set of environmental aspects. Then, you evaluate and segregate the significant from the nonsignificant environmental aspects:
Organizations do not have enough resources to act upon every environmental aspect. Each organization has the authority to determine its own method to distinguish significant from nonsignificant aspects. Many organizations use, as criteria, the frequency or probability of the environmental aspect and the severity of its impact.
Please check this information below with more detailed answers:
When writing the training procedure, you should especially consider clauses 7.2, 7.2.1, 7.2.3, 7.2.4 and 7.3.1 of the IATF 16949:2016 standard.
The training procedure should mainly include the following topics:
For more information please see:
First, let us consider the general situation:
Based on my interpretation of your text, you are describing a correction, not a corrective action. A corrective action will start when you look for the root cause of the short circuit. So, why did you have a short circuit?
After finding the root cause you should implement an action to remove that root cause. After implementing that action, you should look for a way of testing its effectiveness.
You can find more information below:
Between data controllers and data processors, a Data Processing Agreement (DPA) is always required by Article 28 GDPR, whether or not the processor has remote access to data. The nature of processing is determined by the controller, while the processor processes data on the controller’s behalf under a written legal agreement with binding effects.
Here you can find more information about the data controller and the processor, consent, and data subjects:
In order to understand how to manage data subjects’ PII, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
By your question, I’m assuming you are referring to templates of the ISO 27001 Documentation Toolkit.
Considering that, these templates are developed considering the requirements of the ISO 27001 standard, so there is no available mapping to NIST and CIS 20 requirements.
However, included in the toolkit there is a List of documents file that shows which clauses and controls of the standard are covered by each template. Additionally, NIST documents already have annexes that identify the relations between their requirements and ISO 27001 requirements (e.g., NIST 800-171 Annex D and NIST 800-53 Annex H).
As for CIS 20, most of its controls can be related to ISO 27001 Annex A controls (e.g., CIS control “Inventory and Control of Hardware Assets” can be related to ISO 27001 controls “A.8.1.1 Inventory of assets” and “A.8.1.2 Ownership of assets”).
These articles will provide you a further explanation:
These materials will also help you regarding ISO 27001:
On this link, you can find the white paper with all mandatory documents and records required for ISO 13485. Feel free to download it.