As training material about ISO 27001, we suggest the following material:
These materials will also help you:
What you are referring to relates to the requirement of ISO 17025 clause 7.7 to ensure the validity of results. Internal quality control can include, for example, the laboratory or quality manager submitting control samples as unknown test samples. This is listed as clause 7.7.1 g, retesting of retained items. Simply ensure the samples are processed as routine samples and monitor the results against expected results. When it comes to exchanging samples externally for quality control purposes, ensure best practices are followed and the approach to statistical evaluation and performance criteria are agreed to in advance. This is listed as clause 7.7.2b, participation in interlaboratory comparisons other than proficiency testing. In both cases, clause 7.7.3 states the requirement to analyze data and if the results are not within the pre-defined criteria, the laboratory must take corrective action.
For more information see the response to another question at https://community.advisera.com/topic/clause-7-7-7-7-1/ and the Advisera Toolkit Quality Assurance Procedure at https://advisera.com/17025academy/documentation/quality-assurance-procedure/
A) Stage 1 audit is mostly about the design of the management system. Is the system well designed? Does the system consider all the requirements in the management standard? Is the management system ready for a stage 2 audit? Nonconformities may be raised.
Stage 2 audit is mostly about implementation. This stage usually follows a few weeks after the Stage 1 audit. The auditor will check whether your management system has really materialized in your company, or if it is only there on paper. He will check this through observation and interviewing your employees, but mainly by checking your records. So, you need to make sure you are really complying with everything you have written in your policy and procedures. If there are no major nonconformities, the certification body will issue the certificate to your company.
You already know, from stage 1, that the system is designed according to the standard; however, now you want to know if the system is implemented, if documents are followed and mandatory records kept.
The checklist for stage 1 is different from the checklist for stage 2 because the audit purpose is different.
B) Gap analysis and internal audit are both activities that play crucial roles in driving organizational improvement and ensuring the successful implementation of a management system. A gap analysis is primarily concerned with identifying gaps between an organization's current practices and the requirements of a management system, whereas an internal audit evaluates the adequacy and effectiveness of the implemented system (the main difference), including compliance with standards and regulations. The checklist used in a gap analysis can be generic and have a column to report what already exists and the gaps. The checklist used in internal audits has a column to report what is actually being found and observed.
C) When you’re planning an audit you should try to minimize the disruption brought by the audit team while carrying out the audit. You don’t want to audit a role in the morning and after lunch of the first day and in the morning of the second day. So, consider this constraint while scheduling your audit plan. I prefer identifying departments in the audit plan because it is something that everybody in the organization is aware of. Not everybody knows about processes, and even fewer know about the clauses of the standard. Remember, the audit plan is a communication tool. About the matrices, I like to write them while I prepare the checklist so that I am aware of the kind of questions I should ask.
You can find more information in the following documents:
In general terms, after obtaining support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Records Control, you should consider these steps:
To see what ISO 27001-compliant documents look like, I suggest you take a look at the free demo of our ISO 27001 documentation kit at this link: https://advisera.com/27001academy/pt-br/kit-de-ferramentas-da-documentacao-da-iso-27001/
This article will provide further explanation of ISMS implementation:
These materials will also help you with regard to implementing ISO 27001:
In general terms, after gaining support for your project (through approval of the ISMS project plan) and approval of the Document and Records Control Procedure, you should consider these steps:
To see what ISO 27001-compliant documents look like, I suggest you take a look at the free demo of our ISO 27001 documentation kit at this link: https://advisera.com/pt-br/kits-de-documentacao/
This article will provide further explanation of ISMS implementation:
These materials will also help you with regard to implementing ISO 27001:
1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.
We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.
What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.
Please note that, besides top management, ISO 27001 does not prescribe any specific role to perform information security-related activities, so you can use the job titles that you actually have in your company.
For further information, see:
2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use a filter instead of copy-pasting those risks that need treatment. Copy-pasting between tables is error prone. Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.
ISO 27001 does not prescribe risk assessment and risk treatment to be documented as separate documents, but we do not recommend merging the Risk assessment table and Risk treatment table.
This is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls (i.e., several lines for the same risk, each one associated with a different control). Keeping a single table would result in an unnecessarily big and complex table to manage.
Therefore, it is much easier to have two separate sheets for this purpose.
ISO 27001 does not require the impact on confidentiality, integrity, and availability to be assessed as separate values.
The Risk Assessment Methodology document generated through Conformio specifies that the risks related to confidentiality, integrity, and availability will be identified by listing the assets, threats, and vulnerabilities, while the same document specifies that the consequences of endangered confidentiality, integrity, and availability will be assessed by assessing the level of impact. The Risk Register implements risk assessment according to those rules.
Here is what ISO 27001 says:
In other words, the standard does require that risks related to confidentiality, integrity, and availability be identified, and their consequences be assessed, but this doesn’t mean separate values for these. As a consequence, the majority of companies that go for ISO 27001 certification (I’m referring here not only to Advisera, but also to non-Advisera customers) do not use separate values for confidentiality, integrity, and availability.
There is no need to change the templates’ reference to ISO 27002.
Please note that ISO 27001 is the main standard for Information Security Management Systems, while ISO 27002 is a supporting standard that can be used to help implement controls from ISO 27001 Annex A.
Additionally, in certification audits, the auditor reference is ISO 27001, not ISO 27002.
For further information, see:
The definition of the risk acceptance criteria will depend on how you calculate risk value.
For example, if your method of risk calculation produces values from 2 to 10, then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9, and 10 need treatment.
Alternatively, you can examine each individual risk and decide which should be treated or not based on your insight and experience, using no pre-defined values.
For further information, see: