Search results


  • ISO 9001 and Gap Analysis and Internal Audit

    A) Stage 1 audit is mostly about the design of the management system. Is the system well designed? Does the system consider all the requirements in the management standard? Is the management system ready for a stage 2 audit? Nonconformities may be raised.

    Stage 2 audit is mostly about implementation. This stage usually follows a few weeks after the Stage 1 audit. The auditor will check whether your management system has really materialized in your company, or if it is only there on paper. He will check this through observation and interviewing your employees, but mainly by checking your records. So, you need to make sure you are really complying with everything you have written in your policy and procedures. If there are no major nonconformities, the certification body will issue the certificate to your company.

    You already know, from stage 1, that the system is designed according to the standard; however, now you want to know if the system is implemented, if documents are followed and mandatory records kept.

    The checklist for stage 1 is different from the checklist for stage 2 because the audit purpose is different.

    B) Gap analysis and internal audit are both activities that play crucial roles in driving organizational improvement and ensuring the successful implementation of a management system. A gap analysis is primarily concerned with identifying gaps between an organization's current practices and the requirements of a management system, whereas an internal audit evaluates the adequacy and effectiveness of the implemented system (main difference), including compliance with standards and regulations. The checklist used in a gap analysis can be generic and have a column to report what exists already and the gaps. The checklist used with internal audits has a column to report what is actually being found and observed.

    C) When you’re planning an audit you should try to minimize the disruption brought by the audit team while carrying out the audit. You don’t want to audit a role in the morning and after lunch of the first day and in the morning of the second day. So, consider this constraint while scheduling your audit plan. I prefer identifying departments in the audit plan because it is something that everybody in the organization is aware of. Not everybody knows about processes, and even fewer know about the clauses of the standard. Remember, the audit plan is a communication tool. About the matrices, I like to write them while I prepare the checklist, to be aware of the kind of questions I should ask.

    You can find more information in the following documents:

    • Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/blog/2016/05/17/use-gap-analysis-iso-9001-implementation/
    • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    • ISO 27001 compliance process

      In general terms, after obtaining support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

      • define the basic structure of the ISMS (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties
      • develop the risk assessment and risk treatment methodology
      • perform a risk assessment and define the risk treatment plan
      • implement controls (e.g., documenting policies and procedures, procurement, etc.)
      • train people and raise awareness
      • control the operation
      • monitor and measure performance
      • perform an internal audit
      • perform the management review
      • address nonconformities, corrective actions, and opportunities for improvement.

      To see what ISO 27001-compliant documents look like, I suggest you take a look at the free demo of our ISO 27001 documentation kit at this link: https://advisera.com/27001academy/pt-br/kit-de-ferramentas-da-documentacao-da-iso-27001/

      This article will provide further explanation of ISMS implementation:

      These materials will also help you with implementing ISO 27001:

    • ISO 27001 compliance process

      In general terms, after gaining support for your project (through approval of the ISMS project plan) and approval of the Document and Records Control Procedure, you should consider these steps:

      • define the basic structure of the ISMS (e.g., scope, objectives, organizational structure), by understanding the organizational context and stakeholder requirements
      • development of risk assessment and treatment methodology
      • perform a risk assessment and define the risk treatment plan
      • implementation of controls (e.g., documentation of policies and procedures, procurement, etc.)
      • people training and awareness
      • control the operation
      • performance monitoring and measurement
      • perform an internal audit
      • carry out a critical management review
      • address nonconformities, corrective actions, and opportunities for improvement.

      To see what ISO 27001-compliant documents look like, I suggest you take a look at the free demo of our ISO 27001 documentation kit at this link: https://advisera.com/pt-br/kits-de-documentacao/

      This article will provide further explanation of ISMS implementation:

      • ISO 27001 Implementation Checklist https://advisera.com/27001academy/pt-br/knowledgebase/iso-27001-implementation-checklist/

      These materials will also help you with regard to implementing ISO 27001:

    • Questions

      1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.

      We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.

      What should we put in the documentation instead of CISO?
      Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
      Or alternatively should we only include job titles that we actually have in the company?
      I am not sure how to present this in the documentation and audit.

      Please note that, besides top management, ISO 27001 does not prescribe any specific role to perform information security-related activities, so you can use the job titles that you actually have in your company.

      For further information, see:

      2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
      1) they include a lot of the same columns.
      2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone.

      Does the standard require these tables to be separate?
      Can you explain why these are separate in the toolkit?
      Any other comments will be very welcome.

      ISO 27001 does not prescribe risk assessment and risk treatment to be documented as separate documents, but we do not recommend merging the Risk assessment table and Risk treatment table. 

      This is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls (i.e., several lines for the same risk, each one associated with a different control). Keeping a single table would result in an unnecessarily big and complex table to manage.

      Therefore, it is much easier to have two separate sheets for this purpose.

    • Non-Conformity in RR

      ISO 27001 does not require the impact on confidentiality, integrity, and availability to be assessed as separate values. 

      The Risk Assessment Methodology document generated through Conformio specifies that the risks related to confidentiality, integrity, and availability will be identified by listing the assets, threats, and vulnerabilities, while the same document specifies that the consequences of endangered confidentiality, integrity, and availability will be assessed by assessing the level of impact. The Risk Register implements risk assessment according to those rules. 

      Here is what ISO 27001 says: 

      • ISO 27001 clause 6.1.2 c) 1) requires “apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the information security management system”
      • ISO 27001 clause 6.1.2 d) 1) requires “assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;”

      In other words, the standard does require that risks related to confidentiality, integrity, and availability be identified and their consequences assessed, but this doesn’t mean separate values for these. As a consequence, the majority of companies that go for ISO 27001 certification (I’m referring here not only to Advisera, but also to non-Advisera customers) do not use separate values for confidentiality, integrity, and availability.

    • Support re. internal audit section of ISO 27001 2022

      There is no need to change the templates’ reference to ISO 27002.

      Please note that ISO 27001 is the main standard for Information Security Management Systems, while ISO 27002 is a supporting standard that can be used to help implement controls from ISO 27001 Annex A. 

      Additionally, in certification audits, the auditor reference is ISO 27001, not ISO 27002.

      For further information, see:

    • ISO 27001:2022 implementation issue

      The definition of the risk acceptance criteria will depend on how you calculate risk value.

      For example, if your method of risk calculation produces values from 2 to 10, then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9, and 10 need treatment.

      Alternatively, you can examine each individual risk and decide which should be treated or not based on your insight and experience, using no pre-defined values.

      For further information, see:

    • Use of non-accredited calibration service providers

      This will depend on your sector and the use of the equipment. Check first if there are regulations relevant to your clients, or perhaps requirements from your accreditation body for the type of testing and program specific accreditation.

      The ISO 17025 standard does not state as a general requirement that you must use an ISO 17025 accredited calibration laboratory and in each case obtain an accredited calibration certificate. The main requirement is metrological traceability of measurement results, which includes the use of competent laboratories for your calibrations. These can be either ISO 17025 accredited or non-accredited laboratories that provide, for example, traceability to international SI units. A reason to obtain an ISO 17025 accredited calibration is to get the measurement uncertainty on the calibration certificate, which may be necessary for your application. If, however, the equipment has a minor impact (low risk) on the validity and uncertainty of the measurement, then a non-accredited calibration should be suitable, for example where there are large tolerances/specifications on a pass/fail outcome.
      On the other hand, you should obtain an accredited calibration where equipment is used for critical applications, or used to calibrate or test other equipment.

      For further information, have a look at the article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/ and the ISO 17025 document template Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/

    • Privacy Policy Template

      Since your customer did not accept your proposed versions based on 2013 ISO 27001 and the GDPR, and ISO 27001:2022 does not have significant updates on this topic, I suggest you take a look at this template:

      This document is based on guidelines from ISO 27018, a supporting standard to ISO 27001 which covers the protection of privacy in cloud environments.

      For further information, see:

    • Register of Requirements

      By checking that you are compliant with the Computer Misuse Act, you state that you have implemented all the controls defined as necessary to fulfill the Act’s requirements (secure computer material against unauthorized access or modification, and for connected purposes).

      Considering that, you need to identify in the Statement of Applicability which controls are related to the Computer Misuse Act, and ensure they are implemented (these controls may refer to documents, facilities, and/or technologies).

      For example, if controls related to this Act are controls A.5.15 - Access control, and A.7.1 – Physical security perimeters, then you need to ensure that they are implemented (e.g., by implementing an Access Control Policy, and by defining areas with different security levels, related to the sensitivity of the information kept on them).
