8.4.1 is about:
What processes (subcontracting), products and services are relevant to the operation of your organization and are acquired from an external provider? Relevant in the sense that they help to make a difference, or avoid flaws that the customer recognizes and values negatively. In other words, you do not need to apply the requirements of the standard to everything you buy.
So 8.4.1 is about qualifying a potential supplier and selecting a supplier to satisfy a particular need,
and about periodically evaluating supplier performance based on delivery results.
8.4.2 specifies in more detail the control mentioned above: what to control during delivery, how to evaluate, who does what, what specifications and what records are used.
8.4.3 is about the information that goes on orders or contracts:
- the description of the product, service or process (1)
- methods, processes or equipment to be used or followed in the provision of services (2)
- relevant quality control criteria (3)
- in cases where there is a competence requirement, mention it (c)
- it can sometimes make sense to describe means of contact, contact persons and authorities (d)
- it may make sense to define quality control rules during the provision of the service (e)
- it clarifies that the company can go to the supplier's premises to carry out an audit or a quality control (f)
The following material will provide you with more information:
A policy statement is a short version of a policy, often used for general public display. Some policies, like the Information Security Policy, have several pages, and for ease of understanding by the general public a one-page version is developed, covering the main aspects an organization wants to highlight. A policy statement needs to have a disclaimer informing that it is not the full version of the policy, where the full version can be found, and that this version does not deviate from the content of the full version.
We do not recommend the use of a policy statement as an ISMS policy document, because there is a risk that a one-page document does not fulfill the standard's requirements.
This article will provide you with a further explanation about the Information Security Policy:
These materials will also help you regarding the Information Security Policy:
ISO 27001 clause 4.3 (Determining the scope of the information security management system) requires an organization to consider the following when defining the ISMS scope:
To consider something you need to understand it. The standard does not define when this information needs to be gathered and understood, but the sooner it is available, the faster you will be able to define an ISMS scope that is relevant and integrated with the organization's operations.
These articles will provide you with a further explanation about scope definition:
These materials will also help you regarding scope definition:
According to ISO 9000:2015, a project is a unique set of coordinated and controlled activities developed to achieve an objective conforming to specific requirements. A project task is the name given to each of those coordinated and controlled activities. If a project is what needs to be done, by whom, and by when, a project task is each of the “what”.
You can find more information below:
First of all, let me state that management system objectives are of paramount importance. Just remember the management system definition, something like: a system to establish a policy (a general orientation), translate it into objectives, and work, and change, to meet those objectives.
So, clause 6.2.1 is about establishing management system objectives, something to stretch your management system performance. You want your management system performance in the future to be better than today's. What happens is that performance is not an accident and does not happen by chance; performance is the output of the present system. If you want a different performance in the future, you need to have a different organization, a different management system, in the future.
Clause 6.2.2 is about planning what needs to be done to change the organization in order to meet those objectives. That is, what needs to be done to create the organization of the future.
An action plan is about what needs to be done, when and by whom, and can include things like: improve current practices; introduce new practices; invest in infrastructure; train people; how to measure progress and results; …
After 6.2.1 and 6.2.2 you have a plan to meet your management system objectives. The problem is that there is uncertainty: the plan may be incomplete or wrong, the plan may not be implemented in some way, or the world may change during the journey into the future, making the plan obsolete in some way.
So, after defining what to do, we need to include some sort of monitoring and control to check whether context assumptions are still valid (a kind of situational awareness), to check whether the activities included in the plan were implemented, and also to check whether already implemented activities are contributing to a convergence of performance towards the desired results.
During the journey to the future, what can happen?
You can see the free preview of our ISO 14001 document template: Environmental Objectives and Plans for Achieving Them - https://advisera.com/14001academy/documentation/environmental-objectives-targets-and-programs/ as an example about how to monitor project objectives.
For example, considering ISO 14001:2015, check clause 6.2.2 e). What indicators can you use to measure progress during the journey and success at the end? When will it be appropriate to check progress against those indicators? Then, include checking the progress of the implementation of activities.
You can find more information below:
Please note that the Security Awareness training is a series of videos that cover various topics related to security aimed at non-information security personnel. They are not intended to prepare people for information security activities.
If your intent is to apply for ISO 27001 information security-related jobs, you should consider these courses:
As for when to start looking for a job after the course, you can do that immediately after the course, but without previous experience you need to apply for roles like junior or trainee.
These articles will provide you with a further explanation about ISO 27001 personnel certifications:
Considering the asset-threat-vulnerability approach, an example of a risk can be: as assets, any power-dependent equipment (e.g., servers, desktops, routers, etc.); as the threat, a power failure; and as the vulnerability, the lack of a power generator. For this scenario, you may have a likelihood of occurrence with a value of 2 (on a scale of 0 to 2) and an impact also of 2 (on a scale of 0 to 2), with a total risk of 4 (the sum of likelihood and impact).
In case you decide to use a power generator as a control to mitigate the risk, the likelihood of occurrence may decrease to 0, keeping the impact value at 2, and your residual risk would be 2.
These materials will provide you with a further explanation about risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
These materials will also help you regarding risk assessment and treatment:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
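The scoring described in the answer above (likelihood and impact each on a 0 to 2 scale, risk level as their sum, residual risk recomputed after a control is applied), carried through for a small risk register. This is an added example and not part of the original post or of any Advisera material; the register entries other than the power-failure scenario, the extra controls, and the acceptable-risk threshold of 2 are assumptions for illustration only.

```python
# Added example (not from the original post): an asset-threat-vulnerability risk
# register using the additive scoring from the answer (likelihood + impact, each
# scored 0..2). The register entries beyond the power-failure scenario, the
# controls and the acceptable-risk threshold are assumptions for illustration.

from dataclasses import dataclass, field

SCALE_MAX = 2  # both likelihood and impact are scored 0..2, as in the answer


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    # Controls are recorded as (name, likelihood_after, impact_after).
    # Assumption: a control never raises a score, it only lowers one or both.
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 0 <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside 0..{SCALE_MAX}")


def score(likelihood: int, impact: int) -> int:
    """Risk level as the sum of likelihood and impact (0..4)."""
    return likelihood + impact


def inherent_risk(r: Risk) -> int:
    """Risk level before any control is applied."""
    return score(r.likelihood, r.impact)


def residual_risk(r: Risk) -> int:
    """Risk level remaining after the register's controls are applied."""
    lik, imp = r.likelihood, r.impact
    for _name, lik_after, imp_after in r.controls:
        lik = min(lik, lik_after)  # a control can only lower a score
        imp = min(imp, imp_after)
    return score(lik, imp)


def needs_treatment(register, acceptable: int):
    """Risks whose residual level is still above the acceptable level."""
    return [r for r in register if residual_risk(r) > acceptable]


# Constructed register: the power-failure scenario from the answer plus two
# hypothetical entries, one with a control that lowers impact only and one
# with no control yet.
REGISTER = [
    Risk("servers/desktops/routers", "power failure", "no power generator",
         likelihood=2, impact=2,
         controls=[("install power generator", 0, 2)]),
    Risk("customer database", "ransomware", "no offline backups",
         likelihood=2, impact=2,
         controls=[("offline backups", 2, 1)]),
    Risk("office Wi-Fi", "eavesdropping", "shared pre-shared key",
         likelihood=1, impact=1),
]

ACCEPTABLE_RISK = 2  # assumption: a residual level of 2 or lower is accepted


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:25} inherent={inherent_risk(r)} "
              f"residual={residual_risk(r)}")
    for r in needs_treatment(REGISTER, ACCEPTABLE_RISK):
        print("still needs treatment:", r.asset)
```

Note that the generator in the first entry brings the level from 4 to 2, exactly as in the answer, while the backup control in the second entry lowers impact but leaves likelihood untouched, so that risk stays above the threshold and remains on the treatment list; the threshold itself is the organization's risk acceptance criterion, which the standard leaves to you to define.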
ISO 27001 does not prescribe which level of detail must be considered for documentation. Regarding this issue it only has a note that documents can vary from organization to organization, considering:
- the size of the organization
- type of activities, processes, products, and services
- the complexity of processes and their interactions
- the competence of persons.
Considering that, you should detail the information according to the needs and competence of the people who will use it. In the toolkit you bought you can see the level of detail in each template.
These articles will provide you with a further explanation about developing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
These materials will also help you regarding documentation elaboration:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
1 - According to your calculator (Duration of ISO 27001 / ISO 22301 Implementation) we would need 8 months for ISMS or BCMS implementation. How long do you estimate if we implemented both at the same time?
ISO 27001 and ISO 22301 share many requirements, so a good estimate is to consider from 10% to 20% more time to implement both standards at the same time (this additional time will cover the requirements specific to the second standard).
For more information, see:
2 - Would you recommend implementing ISMS first and then BCMS, or both at the same time in order to use as many synergies as possible?
The order of implementation will depend on your needs. If your priority is information protection, then you should go first for an ISMS. On the other hand, if your priority is to ensure processes and service delivery under disruptive conditions, then you should go first for a BCMS. It is important to note that if you use the standards ISO 27001 (for information security) and ISO 22301 (for business continuity) as the basis for these systems, you can implement parts of these systems simultaneously because they have many requirements in common (e.g., control of documents, internal audit, management review, etc.).
These materials will provide further information:
3 - I ask the same questions regarding ISO 27017 and 27018. Should these be implemented at the same time, or is it better to follow them up according to ISO 27001?
First, it is important to note that unless you have specific requirements demanding the implementation of cloud security controls, you do not need to implement ISO 27017 or ISO 27018. They only provide additional recommendations and guidelines for the implementation of the controls of ISO 27001 Annex A (Annex A controls are sufficient to cover general cloud security requirements).
Considering that, in case you need to implement controls from ISO 27017 and ISO 27018, it is better to implement them while implementing the controls from ISO 27001 Annex A.
These articles will provide you with a further explanation about ISO 27017 and ISO 27018:
Hello Rhand Leal,
Thank you for your reply.